[UNIX] IBM AIX ctstrtcasd Local File Corruption Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 10/01/04
- Previous message: SecuriTeam: "[NT] HTTP Response Splitting and SQL Injection in Megabbs Forum"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 1 Oct 2004 10:28:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IBM AIX ctstrtcasd Local File Corruption Vulnerability
------------------------------------------------------------------------
SUMMARY
The ctstrtcasd program is a setuid root application, installed by default
under newer versions of IBM AIX. It is part of the Reliable Scalable
Cluster Technology (RSCT) system. It is also installed with multiple IBM
products under Linux, including IBM Tivoli System Automation, IBM Cluster
Systems Management, IBM Hardware Management Console, and IBM General
Parallel File System.
Local exploitation of an input validation vulnerability in the ctstrtcasd
command included by default in multiple versions of IBM Corp. AIX could
allow for the corruption or creation of arbitrary files anywhere on the
system.
DETAILS
Vulnerable Systems:
* iDEFENSE has confirmed the existence of this vulnerability in IBM AIX
5.2.
Products shipping and installing these affected versions of RSCT as
reported by IBM are as follows:
* IBM AIX 5L Version 5.2 on pSeries
* IBM AIX 5L Version 5.3 on pSeries
* IBM AIX 5L Version 5.2, 5.3 on an i5/OS (iSeries) partition
* IBM Tivoli System Automation (TSA) for Linux 1.1
* IBM Tivoli System Automation (TSA) for Multiplatforms 1.2
* IBM Cluster Systems Management (CSM) for Linux Version 1.4 (version 1.4
and greater)
* IBM Hardware Management Console (HMC) for pSeries Version 3
* IBM Hardware Management Console (HMC) for pSeries Version 4
* IBM General Parallel File System (GPFS) Version 2 Release 2 on Linux
for xSeries and Linux for pSeries
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0828>
CAN-2004-0828
If a user specifies a file with the -f option, the contents of that file
will be overwritten with 65,535 bytes of application trace data. If the
file doesn't exist, it will be created. The file creation/overwrite is
done with root privileges, thus allowing an attacker to cause a denial of
service condition by damaging the file system or by filling the drive with
65,535 byte files.
All that is required to exploit this vulnerability is a local account.
Exploitation does not require any knowledge of application internals,
making exploitation trivial, even for unskilled attackers. It is not
evident that privilege escalation is possible through abuse of this.
Workaround:
Only allow trusted users local access to security critical systems.
Alternately, remove the setuid bit from ctstrtcasd using:
chmod 555 /usr/sbin/rsct/bin/ctstrtcasd
Vendor Status:
"Apply the workarounds or APARs as described [in the associated IBM
Security Alert]. If you would like to receive AIX Security Advisories via
email, please visit:
<https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs>
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs"
Disclosure Timeline:
08/11/2004 Initial vendor notification
08/25/2004 Secondary vendor notification
08/26/2004 Vendor response
09/27/2004 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:customerservice@idefense.com> iDEFENSE.
The original article can be found at:
<www.idefense.com/application/poi/display?id=144&type=vulnerabilities>
www.idefense.com/application/poi/display?id=144&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] HTTP Response Splitting and SQL Injection in Megabbs Forum"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- IBM AIX 4.3.x and 5.1: Buffer overflow vulnerability in telnet daemon
... Subject: IBM AIX 4.3.x and 5.1: Buffer overflow vulnerability in telnet daemon ...
IBM Global Services ... IBM Managed Security Services with access to the security
advisories ... (Bugtraq) - IBM AIX: Buffer Overflow Vulnerability in libi18n Library
... IBM Global Services ... IBM Managed Security Services with access to
the security advisories ... IBM MSS is forwarding the following information from IBM. ...
(Bugtraq) - [NEWS] Cisco Voice Products Vulnerabilities on IBM Servers
... Get your security news from a reliable source. ... The default installation
of Cisco voice products on the IBM platform will ... * All operating system versions
running on an IBM server prior to OS ... (Securiteam) - IBM AIX: Buffer Overflow Vulnerabilities in lpd
... IBM Global Services ... IBM Managed Security Services with access to
the security advisories ... The Line Printer daemon, lpd, shipped with AIX contains several
... (Bugtraq) - iDEFENSE Security Advisory 09.27.04 - IBM AIX ctstrtcasd Local File Corruption Vulnerability
... IBM AIX ctstrtcasd Local File Corruption Vulnerability ... Only allow trusted
users local access to security critical systems. ... (Bugtraq)
