Published:
03 April 1997
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-97.040 -- IBM AIX NLS environment buffer overflows 4 April 1997 =========================================================================== Troy Bollinger <troy@austin.ibm.com>, AIX Security Development, has released the following information concerning a buffer overflow vulnerability in NLS environment variables under IBM AIX(r). This vulnerability may allow unauthorised super-user access. Exploit information regarding this vulnerability has been made public. This following security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write this document, AUSCERT has had no control over its content. As such, the decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. - --------------------------BEGIN INCLUDED TEXT-------------------- Thu Apr 3 23:28:12 GMT 1997 =============================================================================== VULNERABILITY SUMMARY VULNERABILITY: Buffer overflows in NLS environment variables PLATFORMS: IBM AIX(r) 3.2.x, 4.1.x, 4.2.x SOLUTION: Apply the fixes described below. THREAT: If exploited, this condition may permit unauthorized super-user access to the system =============================================================================== I. Description There are buffer overflows in the way that AIX handles certain NLS environment variables. II. Impact Unprivileged users may gain root access. An exploit has been published detailing this vulnerability. III. Fixes AIX 3.2.5 ========= Apply the following fix to your system: PTFs - U447656 U447671 U447676 U447682 U447705 U447723 (APAR IX67405) To determine if you have these PTFs on your system, run the following command: lslpp -lB U447656 U447671 U447676 U447682 U447705 U447723 AIX 4.1 ======= Apply the following fix to your system: APAR - IX67407 To determine if you have this APAR on your system, run the following command: instfix -ik IX67407 Or run the following command: lslpp -h bos.rte.libc Your version of bos.rte.libc should be 4.1.5.7 or later. AIX 4.2 ======= Apply the following fix to your system: APAR - IX67377 To determine if you have this APAR on your system, run the following command: instfix -ik IX67377 Or run the following command: lslpp -h bos.rte.libc Your version of bos.rte.libc should be 4.2.0.11 or later. Temporary Fixes =============== A temporary patch is available via anonymous ftp from: ftp://testcase.software.ibm.com/aix/fromibm/README.NLS_security_fix ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.42.tar ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.41.tar ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.32.tar MD5 checksums: MD5 (NLS_security_fix.32.tar) = 8382b9907e1c52ba01bb0d54a6398e09 MD5 (NLS_security_fix.41.tar) = 2935f43ebd86e8c64bfae3a533f152f7 MD5 (NLS_security_fix.42.tar) = e3c26df51d27701d5784225da945de8e IV. Acknowledgements Thanks to the FreeBSD team for bringing this problem to our attention and to Georgi Guninski for (almost ;-) waiting until the fix was released. - --------------------------END INCLUDED TEXT-------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBM0UY0Sh9+71yA2DNAQGekwP/Qsmv0aDVnyEzDblyr4Ba1EC0WU7GbB8T TEbozQQgnaCZstN7f+2AG5ceB/IDFRQGd5/1nAxpPPK5SA+i1HCemB03OB15ivht 41KiiW4sfQew38mnwmI8OibS7jZLNDIAk1EXJ9/m+zAMX4RxmZu3rp8jV0b4/iZF EozhS3BGfEo= =Oxsu -----END PGP SIGNATURE-----