libIM.a buffer overflow vulnerability

From: Shiva Persaud (shivapd@us.ibm.com)
Date: 02/12/03

  • Next message: Jon Masters: "Solaris Signals"
    To: bugtraq@securityfocus.com
    From: Shiva Persaud <shivapd@us.ibm.com>
    Date: Wed, 12 Feb 2003 15:12:58 -0600
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    IBM SECURITY ADVISORY

    First Issued: Wed Feb 12 11:00:00 CST 2003

    ===========================================================================
                               VULNERABILITY SUMMARY

    VULNERABILITY: libIM.a buffer overflow vulnerability.

    PLATFORMS: AIX 4.3, 5.1 and 5.2

    SOLUTION: Apply the efix or APARs as described below.

    THREAT: A local attacker can exploit a buffer overflow
                        vulnerability to execute arbitrary code.

    CERT VU Number: n/a

    CAN Number: CAN-2003-0087
    ===========================================================================
                               DETAILED INFORMATION

    I. Description
    ===============

    AIX provides support for National Language Support (NLS). Many AIX
    applications support a variety of languages. Users may determine
    which language an application uses via command line arguments or,
    as is more often the case, via environment variables.

    A buffer overflow vulnerability has been found in a system library
    used by NLS, libIM, that allows a local attacker to execute arbitrary code
    with the privileges of the application that calls the library.

    II. Impact
    ==========

    A local attacker can execute arbitrary code with the privileges of the
    application using libIM. If the application is setuid root, an attacker will
    be able to execute arbitrary code with root privileges.

    III. Solutions
    ===============

    A. Official Fix
    IBM provides the following fixes:

          APAR number for AIX 4.3.3: IY40307 (available approx. 03/12/2003)
          APAR number for AIX 5.1.0: IY40317 (available approx. 04/28/2003)
          APAR number for AIX 5.2.0: IY40320 (available approx. 04/28/2003)

    NOTE: Fixes will not be provided for versions prior to 4.3 as
    these are no longer supported by IBM. Affected customers are
    urged to upgrade to 4.3.3 or 5.1.0 at the latest maintenance level.

    B. E-fix
    Temporary fixes for AIX 4.3.3, 5.1.0, and 5.2.0 systems are available.

    The temporary fixes can be downloaded via ftp from:

         ftp://aix.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z

    The efix compressed tarball contains three fixes: one each for
    AIX 4.3.3, AIX 5.1.0 and AIX 5.2.0. It also includes this advisory
    and a README file with installation instructions.

    Verify you have retrieved this efix intact:
    - ---------------------------------------------

    There are 3 fix-files in this package for the 4.3.3, 5.1.0, 5.2.0
    releases. The checksums below were generated using the "sum" and
    "md5" commands and are as follows:

    Filename sum md5
    =================================================================
    libIM.a.433 22101 67 16f015c19f72671859eb88823d3640f5
    libIM.a.510 41339 66 79c64e9e73de01cc0b4b0220fa8eb557
    libIM.a.520 18991 65 e0ca1983b358007b5ea277972838b952

    These sums should match exactly; if they do not, double check the
    command results and the download site address. If those are OK,
    contact IBM AIX Security at security-alert@austin.ibm.com and describe
    the discrepancy.

    IMPORTANT: Create a mksysb backup of the system and verify it is
    both bootable, and readable before proceeding.

    These temporary fixes have not been fully regression tested; thus,
    IBM does not warrant the fully correct functioning of the efix.
    Customers install the efix and operate the modified version of AIX
    at their own risk.

    Efix Installation Instructions:
    - -----------------------------------
    Detailed installation instructions can be found in the README file
    supplied in the efix package. These instructions are summarized below.

    You need to have the following filesets installed:

    For AIX 4.3.3:
    bos.rte.im.4.3.3.76

    For AIX 5.1.0:
    bos.rte.im.5.1.0.35

    For AIX 5.2.0:
    bos.rte.im.5.2.0.0

    You can determine which fileset is installed by executing
    the following:

       # lslpp -L bos.rte.im

    If bos.rte.im is not installed, the system is not vulnerable.

    1. Create a temporary efix directory and move to that directory.
       # mkdir /tmp/efix
       # cd /tmp/efix

    2. Uncompress the efix and un-tar the resulting tarfile. Move to the
       fix directory. This step assumes the compressed efix tarball is in
       /tmp/efix.
       # uncompress libIM_efix.tar.Z
       # tar xvf libIM_efix.tar
       # cd libIM_efix

    3. Rename the patched binary files appropriate for your system and set
       ownership and permissions.
       # mv libIM.a.xxx libIM.a # where xxx is 433, 510 or 520
       # chown bin.bin libIM.a
       # chmod 444 libIM.a

    4. Test the efix. This step is strongly recommended but not required.

       a. Export the environment variable LIBPATH to point to the new
          copy of libIM.a.
          # export LIBPATH=/tmp/efix/libIM_efix

       b. Execute aixterm since it uses libIM.
          # slibclean
          # aixterm

          Note: To launch aixterm, the machine being patched must be able
          to connect to a X Server so that it can display the aixterm
          window.

       c. If aixterm did not start, execute the following command
          and discontinue installation of this efix:
          # unset LIBPATH

          This will allow your system to use the original libIM.a.

    5. Install the efix.
       a. Create a backup copy of original binary. Remove all
          permissions from the backup copy.
          # cd /usr/ccs/lib/
          # cp libIM.a libIM.a.orig
          # chmod 0 libIM.a.orig

       b. Export the environment variable LIBPATH to point to the new
          copy of libIM.a. This is very important because it will allow
          your system to locate a copy of libIM.a if needed during the
          patch process.
          # export LIBPATH=/tmp/efix/libIM_efix

       c. Remove the original library.
          # rm /usr/ccs/lib/libIM.a

       d. Replace the current system library with the patched versions.
          Use the -p option to preserve the file permissions set in
          step 3.
          # cp -p /tmp/efix/libIM_efix/libIM.a /usr/ccs/lib/libIM.a

       e. Unset the LIBPATH environment variable.
          # unset LIBPATH

    6. Remove any copies of the old libIM.a from memory.
       # slibclean

    IV. Obtaining Fixes
    ===================

    IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
    FixDist program), or from the IBM Support Center. For more information
    on FixDist, and to obtain fixes via the Internet, please reference

            http://techsupport.services.ibm.com/rs6k/fixes.html

    or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
    "Subject:" line.

    AIX APARs may also be downloaded from the web from the following URLs.

    For 4.3.3 APARs:
              http://techsupport.services.ibm.com/rs6k/fixdb.html

    For 5.1.0 APARs:
              http://techsupport.services.ibm.com/server/aix.fdc

    For 5.2.0 APARs:
              http://techsupport.services.ibm.com/server/aix.fdc

    To facilitate ease of ordering all security related APARs for each AIX
    release, security fixes are periodically bundled into a cumulative APAR.
    For more information on these cumulative APARs including last update and
    list of individual fixes, send email to "aixserv@austin.ibm.com" with
    the word "subscribe Security_APARs" in the "Subject:" line.

    V. Acknowledgments
    ==================

    The AIX Security Team would like to thank iDEFENSE for bringing this issue
    to our attention.

    This document was written by Shiva Persaud.

    VI. Contact Information
    ========================

    Comments regarding the content of this announcement can be directed to:

       security-alert@austin.ibm.com

    To request the PGP public key that can be used to encrypt new AIX
    security vulnerabilities, send email to security-alert@austin.ibm.com
    with a subject of "get key".

    If you would like to subscribe to the AIX security newsletter, send a
    note to aixserv@austin.ibm.com with a subject of "subscribe Security".
    To cancel your subscription, use a subject of "unsubscribe Security".
    To see a list of other available subscriptions, use a subject of
    "help".

    IBM and AIX are a registered trademark of International Business
    Machines Corporation. All other trademarks are property of their
    respective holders.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.0 (AIX)

    iD8DBQE+SXgmcnMXzUg7txIRAhCyAJ9poiDHFskkQEP8n+FGuDMikhuEeACgssas
    tpRGotKaejnO3HNI8pdVRH4=
    =tjcW
    -----END PGP SIGNATURE-----



    Relevant Pages