Re: named-xfer hole on AIX (fwd)
daemon@ATHENA.MIT.EDU (Troy A. Bollinger)
Tue Sep 28 14:16:40 1999
Mail-Followup-To: Kyle Amon <amonk@GNUTEC.COM>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990927172450.A25492@austin.ibm.com>
Date: Mon, 27 Sep 1999 17:24:50 -0500
Reply-To: "Troy A. Bollinger" <troy@AUSTIN.IBM.COM>
From: "Troy A. Bollinger" <troy@AUSTIN.IBM.COM>
X-To: Kyle Amon <amonk@GNUTEC.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.3.96.990923115257.19479C-100000@labyrinth.sec.gnutec.com>
Quoting Kyle Amon (amonk@GNUTEC.COM):
> On AIX, named-xfer has the following permissions...
>
> -r-sr-xr-- 1 root system 32578 Feb 18 1997 /usr/sbin/named-xfer
>
> which of course means that only root and members of the system group have
> execute permission but that (since the SUID bit is set) it executes as
> root even when run by non-root members of the system group. So, although
> one would have to already be a member of the system group (or manage to
> obtain such status) in order to exploit the problem described here, it's
> still a rather significant problem. And it's much worse than the old
> sendmail -C problem which was still exploitable in AIX up until very
> recently when one was a member of the system group. The big difference
> here being that sendmail -C only let one read files they shouldn't have
> been able to read whereas this problem lets one write them :-).
AIX administrative groups (such as system) should only be assigned to
users that are trusted to perform duties that ordinarily would require
the root password. To put it another way, if you need to use named-xfer
to get root from the system group, your cracker license is getting
stale.
> The problem is that named-xfer writes its resulting zone file (when using
> the -f option) without (or at least before) relinquishing its root
> privilege (and I doubt it ever relinquishes it since it doesn't really
> need it in the first place).
Nevertheless, this certainly isn't expected behavior. I've opened
defect 287556 to fix this in the next release.
--
Troy Bollinger troy@austin.ibm.com
AIX Security Development security-alert@austin.ibm.com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy
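The fix the reply points at, relinquishing root before the -f zone file is written, as an added C example that is not from this thread nor from the AIX or BIND named-xfer source; drop_privileges, write_zone_file and demo are names chosen here, and the temp path and zone text are constructed samples.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privilege: become the real uid/gid of
 * the invoking user (group first, since a non-root process cannot change
 * its gid afterwards), then verify that root cannot be regained. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;   /* the drop did not stick */
    if (getuid() != ruid || geteuid() != ruid) return -1;
    return 0;
}

/* Write the zone text to `path` (the -f target) only after dropping
 * privilege, so the kernel resolves the path and creates the file with the
 * caller's own authority; a chosen path or symlink then gains nothing.
 * Returns bytes written, or -1 on any failure. */
long write_zone_file(const char *path, const char *zone)
{
    if (drop_privileges() != 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    size_t len = strlen(zone), done = 0;
    while (done < len) {
        ssize_t n = write(fd, zone + done, len - done);
        if (n <= 0) { close(fd); return -1; }
        done += (size_t)n;
    }
    return close(fd) == 0 ? (long)done : -1;
}

/* Self-check on a constructed sample: a tiny zone written to a temp file. */
int demo(void)
{
    const char *zone = "example.test. IN SOA ns1.example.test. "
                       "hostmaster.example.test. 1 3600 900 604800 86400\n";
    char path[] = "/tmp/zone-example-XXXXXX";   /* constructed, not an AIX path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    long n = write_zone_file(path, zone);
    unlink(path);
    return n == (long)strlen(zone) ? 0 : -1;
}
```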