[4659] in bugtraq


Re: AIX dtaction and HOME vulnerability

daemon@ATHENA.MIT.EDU (Bollinger)
Wed Jun 11 01:46:32 1997

Date: 	Tue, 10 Jun 1997 23:58:08 -0500
Reply-To: Bollinger <troy@AUSTIN.IBM.COM>
From: Bollinger <troy@AUSTIN.IBM.COM>
X-To:         guninski@hotmail.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199706101558.SAA13128@mail.techno-link.com> from "Georgi
              Guninski" at Jun 10, 97 06:56:24 pm

-----BEGIN PGP SIGNED MESSAGE-----

Georgi Guninski wrote:
>
> Under AIX 4.2 (probably others) /usr/dt/bin/dtaction does not handle
> properly the HOME environment variable and that spawns a root shell. A lot
> of other X programs have the same problem and /bin/X11/xlock is well known
> to be exploitable.
> Tested on AIX 4.2 box.
>
> SOLUTION: #chmod -s /usr/dt/bin/dtaction /bin/X11/xlock
>  OR apply patches
>

xlock fixes:
  AIX 4.1 - IX68190
  AIX 4.2 - IX68191
    The 4.2 fix is not available yet.  There's a temporary fix at:
      ftp://testcase.software.ibm.com/aix/fromibm/xlock.overflow_fix.aix4.tar

dtaction fixes:
  I haven't been able to get a *root* shell out of this exploit yet.
  The code uses "setreuid(getuid(), getuid(), getuid());" just inside
  main().  However, there are definite buffer overflow bugs being
  exploited in libDtSvc.a to run arbitrary code off the stack ;-).
  There's a temporary fix for this one at:
      ftp://testcase.software.ibm.com/aix/fromibm/dtaction.security.tar.Z

Checksums for both temporary fixes are given in the README in each tar
file.


- --
+--------------  I do not speak for IBM!  -----------------+
|Troy Bollinger             |                    92CBR600F2|
|AIX Security Development   |           troy@austin.ibm.com|
+----------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBM54wXwsPbaL1YgqvAQE4fAP8DI5KwEa4MXLhlr4AOkbk69zoN63v/Gnb
kB6rXpzB4nu3cvCcyd+YHfhuIQfQ5ApN2nmNvjk3OkzMCuQVzZXslxKZFcsQmx8T
WTNkcLyokBqsFrYzoTKyUAzApdbTP7MG7Viu4eDDA4gagyw0ycfoMoglD02DmvGA
7QOfnl+Vy2M=
=S5qh
-----END PGP SIGNATURE-----
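Added example, not code from this post and not IBM's dtaction or xlock source: the general shape of the bug the thread is about. A set-user-ID program copies the attacker-controlled HOME environment variable into a fixed stack buffer (the unbounded builder), the bounded replacement refuses anything that would not fit, and drop_privileges() is the early real-uid drop that Troy credits dtaction with, followed by a check that the old effective uid really cannot be regained. The function names, the RC_SUFFIX path, the 64-byte buffer and the 299-byte HOME value are all made up for the demonstration.

```c
/* Added example: hypothetical names and sizes, not IBM code. Shows a
 * set-user-ID program building a path from $HOME with and without a bound,
 * plus the early privilege drop that limits what a later overflow can reach. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define RC_SUFFIX "/.dt/sessions/current"  /* constructed suffix for the demo */
#define RC_BUFSZ  64                       /* small on purpose: overflow is obvious */

/* Vulnerable shape: strcpy/strcat of an environment variable into a fixed
 * buffer. Never called here with a long HOME, because that call *is* the
 * overflow (writes past `out`, undefined behaviour, the exploit). */
static void rc_path_unbounded(const char *home, char out[RC_BUFSZ])
{
    strcpy(out, home);          /* no length check */
    strcat(out, RC_SUFFIX);
}

/* Hardened shape: reject NULL or relative HOME, write with snprintf, and
 * treat truncation as an error instead of quietly using a wrong path.
 * Returns 0 on success, -1 on rejection (out is emptied on -1). */
static int rc_path_bounded(const char *home, char *out, size_t outsz)
{
    if (home == NULL || home[0] != '/')
        return -1;
    int n = snprintf(out, outsz, "%s%s", home, RC_SUFFIX);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;              /* would not fit: refuse */
    }
    return 0;
}

/* Bytes the unbounded builder would write, NUL included, so the overflow can
 * be shown as a number without being triggered. */
static size_t rc_path_needed(const char *home)
{
    return strlen(home) + strlen(RC_SUFFIX) + 1;
}

/* Early privilege drop. setuid() is used rather than setreuid() because, when
 * the effective uid is root, it sets real, effective and saved uids at once.
 * Afterwards the old effective uid must be unobtainable; if seteuid() back to
 * it still succeeds, the saved set-user-ID survived and -1 is returned. */
static int drop_privileges(void)
{
    uid_t real = getuid();
    uid_t old_euid = geteuid();

    if (setuid(real) != 0)
        return -1;
    if (geteuid() != real || getuid() != real)
        return -1;
    if (old_euid != real && seteuid(old_euid) == 0) {
        (void)seteuid(real);    /* probe succeeded: privilege not really dropped */
        return -1;
    }
    return 0;
}

int main(void)
{
    char out[RC_BUFSZ];
    char long_home[300];        /* constructed attacker-supplied HOME */
    const char *home = getenv("HOME");

    /* First thing in main(), before any untrusted data is touched. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges\n");
        return 1;
    }

    if (rc_path_bounded(home, out, sizeof out) == 0)
        printf("bounded (real HOME): %s\n", out);
    else
        printf("bounded (real HOME): rejected\n");

    rc_path_unbounded("/home/alice", out);      /* benign: fits easily */
    printf("unbounded (benign):  %s\n", out);

    memset(long_home, 'A', sizeof long_home - 1);  /* '/' then 298 'A's */
    long_home[0] = '/';
    long_home[sizeof long_home - 1] = '\0';
    printf("unbounded would need %zu bytes for a %d-byte buffer\n",
           rc_path_needed(long_home), RC_BUFSZ);
    printf("bounded returns %d for it\n",
           rc_path_bounded(long_home, out, sizeof out));
    return 0;
}
```

Compile with cc -std=c99 and run as an ordinary user; it also runs as a set-user-ID root binary, where the seteuid() probe in drop_privileges() is what actually exercises the check. For a set-user-ID binary owned by a non-root user a plain setuid() may only change the effective uid and leave the saved uid behind, which that probe reports as a failed drop.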
