Published:
03 April 1997
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-97.040 -- IBM AIX NLS environment buffer overflows
4 April 1997
===========================================================================
Troy Bollinger <troy@austin.ibm.com>, AIX Security Development, has
released the following information concerning a buffer overflow vulnerability
in NLS environment variables under IBM AIX(r). This vulnerability may
allow unauthorised super-user access. Exploit information regarding this
vulnerability has been made public.
This following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
- --------------------------BEGIN INCLUDED TEXT--------------------
Thu Apr 3 23:28:12 GMT 1997
===============================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Buffer overflows in NLS environment variables
PLATFORMS: IBM AIX(r) 3.2.x, 4.1.x, 4.2.x
SOLUTION: Apply the fixes described below.
THREAT: If exploited, this condition may permit unauthorized
super-user access to the system
===============================================================================
I. Description
There are buffer overflows in the way that AIX handles certain
NLS environment variables.
II. Impact
Unprivileged users may gain root access. An exploit has been published
detailing this vulnerability.
III. Fixes
AIX 3.2.5
=========
Apply the following fix to your system:
PTFs - U447656 U447671 U447676 U447682 U447705 U447723 (APAR IX67405)
To determine if you have these PTFs on your system, run the following
command:
lslpp -lB U447656 U447671 U447676 U447682 U447705 U447723
AIX 4.1
=======
Apply the following fix to your system:
APAR - IX67407
To determine if you have this APAR on your system, run the following
command:
instfix -ik IX67407
Or run the following command:
lslpp -h bos.rte.libc
Your version of bos.rte.libc should be 4.1.5.7 or later.
AIX 4.2
=======
Apply the following fix to your system:
APAR - IX67377
To determine if you have this APAR on your system, run the following
command:
instfix -ik IX67377
Or run the following command:
lslpp -h bos.rte.libc
Your version of bos.rte.libc should be 4.2.0.11 or later.
Temporary Fixes
===============
A temporary patch is available via anonymous ftp from:
ftp://testcase.software.ibm.com/aix/fromibm/README.NLS_security_fix
ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.42.tar
ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.41.tar
ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.32.tar
MD5 checksums:
MD5 (NLS_security_fix.32.tar) = 8382b9907e1c52ba01bb0d54a6398e09
MD5 (NLS_security_fix.41.tar) = 2935f43ebd86e8c64bfae3a533f152f7
MD5 (NLS_security_fix.42.tar) = e3c26df51d27701d5784225da945de8e
IV. Acknowledgements
Thanks to the FreeBSD team for bringing this problem to our attention
and to Georgi Guninski for (almost ;-) waiting until the fix was released.
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM0UY0Sh9+71yA2DNAQGekwP/Qsmv0aDVnyEzDblyr4Ba1EC0WU7GbB8T
TEbozQQgnaCZstN7f+2AG5ceB/IDFRQGd5/1nAxpPPK5SA+i1HCemB03OB15ivht
41KiiW4sfQew38mnwmI8OibS7jZLNDIAk1EXJ9/m+zAMX4RxmZu3rp8jV0b4/iZF
EozhS3BGfEo=
=Oxsu
-----END PGP SIGNATURE-----