VULNERABILITY: Buffer overflow in the IBM AIX "xdat" command
PLATFORMS: IBM AIX(r) 4.1, 4.2
SOLUTION: Remove the setuid bit or apply one of the fixes below
THREAT: Local users may become root
===============================================================================
I. Description
The "xdat" command shipped with AIX version 4 does not check the length of the
"TZ" environment variable. This command was not shipped with AIX 3.2.
II. Impact
Local users may become root.
III. Solutions
A. How to alleviate the problem
This problem can be alleviated by removing the set-user-id bit from the
"xdat" program. To do this, execute the following command as "root":
chmod 555 /usr/lpp/X11/bin/xdat
B. Official fix
IBM is currently working on the following APARs but they are not yet
available.
AIX 4.1: IX72020
AIX 4.2: IX72021
C. Temporary fixes
A temporary fix is available via anonymous ftp from:
ftp://testcase.software.ibm.com/aix/fromibm/security.xdat.tar.Z
Filename sum md5
=================================================================
xdat 44047 74 33bcec8bbc7d8eb2e4e2ae760d2b986e
Use the following steps (as root) to install the temporary fix:
1. Uncompress and extract the fix:
# uncompress < security.xdat.tar.Z | tar xf -
2. Use the "xdat_patch.sh" script or the following manual commands:
# pgp xdat/xdat.pgp xdat/xdat
# cp /usr/lpp/X11/bin/xdat /usr/lpp/X11/bin/xdat.orig
# chmod -s /usr/lpp/X11/bin/xdat.orig
# cp xdat/xdat /usr/lpp/X11/bin/xdat
# chmod 4555 /usr/lpp/X11/bin/xdat
This fix has not been fully regression tested but does prevent the TZ
environment variable exploit. If the new executable fails to load due
to missing symbols, the following APARs may help to resolve the
prerequisites:
AIX 4.1: IX69580
AIX 4.2: IX69180
===============================================================================