[IBM] Vulnerability in the swcons command - ibm2007103103
Dear colleagues,
we have just received the following warning from IBM Managed Security
Services. We are passing this information on to you unchanged.
The AIX swcons command allows the system console to be redirected to
other devices or files. The command can only be executed by users in
the group "system" (GID 0).
Insecure creation of temporary files by the AIX swcons command
The AIX swcons command creates temporary files in an insecure manner
when the "-p" option is used. Because swcons is installed SetUID root,
the vulnerability allows arbitrary files to be overwritten with
65535 bytes (the content of this data cannot be controlled by the
attacker), or the file to be newly created if it did not previously
exist. In addition, the permissions are set to 0222, i.e. write
permission for everyone. Local attackers can exploit this to gain
root privileges.
The following software packages and platforms are affected:
Fileset bos.rte.console on AIX 5.2.0 version 5.2.0.0 - 5.2.0.106 without
APAR IZ03055
Fileset bos.rte.console on AIX 5.3.0 version 5.3.0.0 - 5.3.0.61 without
APAR IZ03061
AIX 5.2, 5.3
The vendor provides revised packages.
Vendor advisory:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the
author, DFN-CERT Services GmbH, and only for non-commercial purposes.
Kind regards,
Andreas Bunten, DFN-CERT
--
Andreas Bunten (CSIRT), +49 40 808077-555
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID no.: DE 232129737
Heidenkampsweg 41, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
IBM SECURITY ADVISORY
First Issued: Thu Oct 25 13:15:54 CDT 2007
===============================================================================
VULNERABILITY SUMMARY
VULNERABILITY: AIX swcons file ownership/permission vulnerability.
PLATFORMS: AIX 5.2, 5.3
SOLUTION: Apply the APAR, interim fix or workaround as described
below.
THREAT: A local attacker may create files owned by root with
arbitrary contents.
CERT VU Number: n/a
CVE Number: n/a
===============================================================================
DETAILED INFORMATION
I. OVERVIEW
The AIX Console command 'swcons' is a utility for redirecting,
temporarily, the system console output to a specified device or
file. This command contains a vulnerability that allows a local
attacker to create files owned by root that have insecure
permissions allowing for arbitrary content creation within the
file.
II. DESCRIPTION
A file permission/ownership vulnerability exists in the
'bos.rte.console' fileset command listed below whereby a local
attacker may create arbitrary contents within a file owned by root
using the 'swcons' command. The local attacker must be a member
of the 'system' group (gid=0) to execute this command.
The following 'bos.rte.console' command is vulnerable:
/usr/sbin/swcons
The internal command called by swcons that is updated with this
interim fix is:
/usr/lib/methods/cfgcon
III. IMPACT
The successful exploitation of this vulnerability allows a
non-privileged user to execute code with root privileges.
IV. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, run the following
commands:
# lslpp -l bos.rte.console
The following fileset levels are vulnerable:
AIX Fileset        AIX Level    Lower Level    Upper Level
----------------------------------------------------------------
bos.rte.console    5.2.0        5.2.0.0        5.2.0.106
bos.rte.console    5.3.0        5.3.0.0        5.3.0.61
NOTE: IBM only supports the latest two releases (AIX 5.2 & 5.3)
and the latest three Technology Levels (AIX 5.2 TL08, TL09, TL10 &
AIX 5.3 TL04, TL05, TL06). Affected customers are urged to
upgrade to the latest applicable Technology Level and Service
Pack.
V. SOLUTIONS
A. APARS
IBM provides the following fixes:
AIX Level    APAR number    Availability
--------------------------------------------------------------------
5.2.0        IZ03055        Available Now
5.3.0        IZ03061        Available Now
Subscribe to the APARs here:
http://www.ibm.com/support/docview.wss?uid=isg1IZ03055
http://www.ibm.com/support/docview.wss?uid=isg1IZ03061
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.
AIX Version 5 APARs can be downloaded from:
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
NOTE: Affected customers are urged to upgrade to the latest
applicable Technology Level and Service Pack.
B. INTERIM FIXES
Interim fixes are available. The interim fix can be
downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/cfgcon_ifix.tar
The link above is to a tar file containing this signed
advisory, interim fix packages, and PGP signatures for each
package. The interim fixes below include prerequisite
checking. This will enforce the correct mapping between the
fixes and AIX Technology Levels.
AIX Fileset        AIX Release &       Interim fix
                   Technology Level
-----------------------------------------------------------------
bos.rte.console    5200-08             IZ03055_08.070821.epkg.Z
bos.rte.console    5200-09             IZ03055_09.070821.epkg.Z
bos.rte.console    5200-10             IZ03055_10.070821.epkg.Z
bos.rte.console    5300-04             IZ03061_04.070821.epkg.Z
bos.rte.console    5300-05             IZ03061_05.070821.epkg.Z
bos.rte.console    5300-06             IZ03061_06.070821.epkg.Z
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
These interim fixes have not been fully regression tested;
thus, IBM does not warrant the fully correct functionality of
the interim fix.
Verify you have retrieved the fixes intact:
The checksums below were generated using the "sum", "cksum",
"csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
and are as follows:
To verify the sums, use the text of this advisory as input to
csum, md5sum, or sha1sum. For example:
csum -h SHA1 -i Advisory.asc
md5sum -c Advisory.asc
sha1sum -c Advisory.asc
These sums should match exactly. The PGP signatures in the
compressed tarball and on this advisory can also be used to
verify the integrity of the various files they correspond to.
If the sums or signatures cannot be confirmed, double check
the command results and the download site address. If those
are OK, contact IBM AIX Security at
security-alert@xxxxxxxxxxxxxx and describe the discrepancy.
C. INTERIM FIX INSTALLATION
These packages use the new Interim Fix Management Solution to
install and manage interim fixes. More information can be
found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an epkg interim fix installation execute the
following command:
# emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an epkg interim fix package, execute the following
command:
# emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
The "X" flag will expand any filesystems if required.
VI. WORKAROUNDS
There are two possible workarounds that may be implemented.
A. OPTION 1
Change the permissions of these commands to remove the setuid
bit using the following commands:
# chmod 550 /usr/sbin/swcons
NOTE: This will disable functionality of these commands for
all users except root.
B. OPTION 2 (AIX 5.3 TL6 only)
Use the File Permissions Manager (fpm) command to manage the
setuid-bit on the following commands:
/usr/sbin/swcons
NOTE: This will disable functionality of these commands for
all users except root.
VII. OBTAINING FIXES
AIX Version 5 APARs can be downloaded from:
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
Security related Interim Fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security
VIII. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to:
security-alert@xxxxxxxxxxxxxx
To request the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to:
security-alert@xxxxxxxxxxxxxx
B. Download the key from a PGP Public Key Server. The key ID is:
0xA6A36CCC
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
IX. ACKNOWLEDGMENTS
This vulnerability was reported by iDefense Labs.
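The level check from section IV of the IBM advisory, as an added example that is not part of the advisory or of IBM's tooling: it reads `lslpp -l bos.rte.console` output and compares the fileset level with the two vulnerable ranges. The function names and the sample lslpp output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the installed bos.rte.console level with the
# vulnerable ranges listed in section IV of the advisory.

# Constructed sample of `lslpp -l bos.rte.console` output (not from a real host).
sample_lslpp_output() {
    cat <<'EOF'
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.rte.console           5.3.0.61  COMMITTED  Base Operating System Runtime Console
EOF
}

# Read lslpp -l output on stdin and print the level of bos.rte.console.
console_level() {
    awk '$1 == "bos.rte.console" { print $2; exit }'
}

# Exit status: 0 = level is in a vulnerable range, 1 = not in range,
# 2 = level string is not of the form V.R.M.F.
swcons_level_vulnerable() {
    case $1 in
        ''|*[!0-9.]*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split V.R.M.F into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] && [ -n "$4" ] || return 2
    case "$1.$2.$3" in
        5.2.0) upper=106 ;;   # vulnerable: 5.2.0.0 - 5.2.0.106
        5.3.0) upper=61 ;;    # vulnerable: 5.3.0.0 - 5.3.0.61
        *) return 1 ;;
    esac
    [ "$4" -le "$upper" ] && return 0
    return 1
}

installed=$(sample_lslpp_output | console_level)
if swcons_level_vulnerable "$installed"; then
    echo "bos.rte.console $installed: in vulnerable range, apply APAR or interim fix"
else
    echo "bos.rte.console $installed: outside the vulnerable ranges"
fi
```

On an AIX host, pipe the real `lslpp -l bos.rte.console` output into `console_level` instead of the sample. A level inside the range does not show whether one of the interim fixes from section V.B is installed; `emgr -l` lists installed interim fixes.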