[UNIX] IBM AIX netpmon Local Buffer Overflow Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 02/13/05

    To: list@securiteam.com
    Date: 13 Feb 2005 13:26:39 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      IBM AIX netpmon Local Buffer Overflow Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The netpmon program is "a setuid root application, installed by default
    under multiple versions of IBM AIX, which can be used to monitor activity
    and report statistics on network I/O and network-related CPU usage".

    Local exploitation of a buffer overflow vulnerability in the netpmon
    command included by default in multiple versions of IBM Corp.'s AIX
    Operating System could allow for arbitrary code execution as the root
    user.

    DETAILS

    Vulnerable Systems:
     * IBM AIX version 5.2 and prior

    Immune Systems:
     *

    The vulnerability specifically exists due to an unbounded string copying
    operation into stack memory. When provided with a long argument to the -O
    option (the ReportType option), the netpmon process will overwrite stack
    memory. This allows for the execution of arbitrary code by overwriting the
    saved return address.
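    The following C program is an added illustration of the flaw class just
    described and is not netpmon's source (which is not public): it models a
    fixed-size stack buffer receiving the -O ReportType argument through an
    unbounded strcpy(), beside a bounded version that rejects over-long input.
    The buffer size REPORT_TYPE_MAX, the function names and the constructed
    argv are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the ReportType buffer; netpmon's real layout is not public. */
#define REPORT_TYPE_MAX 32

/* Minimal stand-in for the option loop: returns the value following -O
 * (either "-O value" or "-Ovalue"), or NULL when no -O is present. */
static const char *find_report_type(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-O") == 0 && i + 1 < argc)
            return argv[i + 1];
        if (strncmp(argv[i], "-O", 2) == 0 && argv[i][2] != '\0')
            return argv[i] + 2;
    }
    return NULL;
}

/* Returns 1 when copying value with strcpy() into a REPORT_TYPE_MAX-byte
 * buffer would run past its end (value plus NUL does not fit). */
static int would_overflow(const char *value) {
    return value != NULL && strlen(value) + 1 > REPORT_TYPE_MAX;
}

/* Vulnerable pattern: strcpy() never looks at the destination size, so a
 * value longer than REPORT_TYPE_MAX - 1 bytes overwrites whatever follows
 * report_type in the stack frame, eventually the saved return address.
 * Only ever called here with input already checked by would_overflow(). */
static int handle_report_type_unsafe(const char *value) {
    char report_type[REPORT_TYPE_MAX];
    strcpy(report_type, value);          /* the bug class */
    return (int)strlen(report_type);
}

/* Hardened pattern: measure first, refuse what does not fit (including its
 * terminator), and copy with an explicit length. Silent truncation with
 * strncpy() would also avoid the overflow but hides the bad input; an
 * explicit rejection is the safer choice for a setuid binary. */
static int handle_report_type_safe(const char *value) {
    char report_type[REPORT_TYPE_MAX];
    size_t n = strlen(value);
    if (n >= sizeof report_type)
        return -1;                       /* rejected: would overflow */
    memcpy(report_type, value, n + 1);   /* n bytes plus the NUL */
    return (int)n;
}

int main(void) {
    /* Constructed over-long -O argument, the shape an attacker supplies. */
    char big[256];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char *argv[] = { "netpmon", "-O", big, NULL };

    const char *value = find_report_type(3, argv);
    printf("ReportType length %zu, overflow with strcpy: %s\n",
           strlen(value), would_overflow(value) ? "yes" : "no");
    printf("bounded handler result: %d\n", handle_report_type_safe(value));

    /* The unsafe handler is safe to call only on input that fits. */
    if (!would_overflow("cpu"))
        printf("unsafe handler on short input: %d\n",
               handle_report_type_unsafe("cpu"));
    return 0;
}
```

    The check in would_overflow() is the one the original code lacks: once
    the length of argv data is compared against the destination before the
    copy, a long -O argument is an error rather than a stack overwrite.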

    Analysis:
    Exploitation of this vulnerability is simple for a skilled attacker;
    however, membership in gid "system" is required in order to execute the
    vulnerable binary. Successful exploitation yields root access to the
    system.

    Workaround:
    Only allow trusted users local access to security critical systems, and
    only allow trusted users membership in the "system" group. Alternately,
    remove the setuid bit from netpmon using chmod u-s /usr/bin/netpmon; note
    that without the setuid bit, non-root users will no longer be able to run
    netpmon at all.

    Vendor Status:
    Vendor advisories for this issue are available at:

     * For AIX 5.1:
     
    <https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=1&heading=AIX51&topic=SECURITY&month=ALL> AIX 5.1 Security Advisories

     * For AIX 5.2:
     
    <https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=1&heading=AIX52&topic=SECURITY&month=ALL> AIX 5.2 Security Advisories

     * For AIX 5.3:
     
    <https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=1&heading=AIX53&topic=SECURITY&month=ALL> AIX 5.3 Security Advisories

    Disclosure Timeline:
    12/21/2004 - Initial vendor notification
    01/07/2005 - Initial vendor response
    02/10/2005 - Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:idlabs-advisories@idefense.com> iDEFENSE.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=197&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=197&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

