AIX xdat overflow





Date: Wed, 22 Oct 1997 11:18:20 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Buffer overflow in the IBM AIX "xdat" command

===============================================================================

VULNERABILITY:  Buffer overflow in the IBM AIX "xdat" command

PLATFORMS:      IBM AIX(r) 4.1, 4.2

SOLUTION:       Remove the setuid bit or apply one of the fixes below

THREAT:         Local users may become root

===============================================================================

I. Description

The "xdat" command shipped with AIX version 4 does not check the length of the
"TZ" environment variable.  This command was not shipped with AIX 3.2.

II. Impact

Local users may become root.

III. Solutions

  A.  How to alleviate the problem

      This problem can be alleviated by removing the set-user-id bit from the
      "xdat" program.  To do this, execute the following command as "root":

          chmod 555 /usr/lpp/X11/bin/xdat

  B.  Official fix

      IBM is currently working on the following APARs but they are not yet
      available.

      AIX 4.1:  IX72020
      AIX 4.2:  IX72021

  C.  Temporary fixes

      A temporary fix is available via anonymous ftp from:

        ftp://testcase.software.ibm.com/aix/fromibm/security.xdat.tar.Z

      Filename      sum               md5
      =================================================================
      xdat          44047    74       33bcec8bbc7d8eb2e4e2ae760d2b986e

      Use the following steps (as root) to install the temporary fix:

      1.  Uncompress and extract the fix:

        # uncompress < security.xdat.tar.Z | tar xf -

      2.  Use the "xdat_patch.sh" script or the following manual commands:

        # pgp xdat/xdat.pgp xdat/xdat
        # cp /usr/lpp/X11/bin/xdat /usr/lpp/X11/bin/xdat.orig
        # chmod -s /usr/lpp/X11/bin/xdat.orig
        # cp xdat/xdat /usr/lpp/X11/bin/xdat
        # chmod 4555 /usr/lpp/X11/bin/xdat

      This fix has not been fully regression tested but does prevent the TZ
      environment variable exploit.  If the new executable fails to load due
      to missing symbols, the following APARs may help to resolve the
      prerequisites:

         AIX 4.1:  IX69580
         AIX 4.2:  IX69180

===============================================================================
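
The following is an added example, not part of the advisory and not IBM's code. It shows the class of defect described in section I, an environment variable copied into a fixed-size buffer with no length test, beside a checked form that rejects an over-long "TZ" instead of copying it. The buffer size, the function names and the return codes are assumptions made for illustration; the advisory does not publish the xdat source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TZ_BUF_LEN 64   /* assumed size; the real xdat buffer size is not given */
enum { TZ_OK = 0, TZ_UNSET = -1, TZ_TOO_LONG = -2 };   /* hypothetical codes */

/* Unchecked pattern, shown for comparison only: the caller controls the
 * length of TZ, so strcpy writes past dst when strlen(TZ) >= TZ_BUF_LEN. */
void tz_copy_unchecked(char *dst)
{
    const char *tz = getenv("TZ");
    if (tz != NULL)
        strcpy(dst, tz);
}

/* Checked copy: refuses any value that does not fit, including its
 * terminating NUL, and never truncates silently. dst is left empty on failure. */
int bounded_copy(char *dst, size_t dstlen, const char *value)
{
    size_t n;
    if (dst == NULL || dstlen == 0) return TZ_TOO_LONG;
    dst[0] = '\0';
    if (value == NULL) return TZ_UNSET;
    n = strlen(value);
    if (n >= dstlen) return TZ_TOO_LONG;
    memcpy(dst, value, n + 1);
    return TZ_OK;
}

/* Hardened replacement for tz_copy_unchecked(). */
int tz_copy_checked(char *dst, size_t dstlen)
{
    return bounded_copy(dst, dstlen, getenv("TZ"));
}

int main(void)
{
    char buf[TZ_BUF_LEN];
    int rc = tz_copy_checked(buf, sizeof buf);
    if (rc == TZ_TOO_LONG) {
        fprintf(stderr, "TZ longer than %d bytes, ignoring it\n", TZ_BUF_LEN - 1);
        return 1;
    }
    printf("TZ: %s\n", rc == TZ_OK ? buf : "(unset)");
    return 0;
}
```

A set-user-id program needs this kind of check on every environment variable it reads, because the environment is supplied by the unprivileged caller.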

