AIX xdat overflow
Description: Typical buffer overflow, this time with $TZ in AIX's xdat program
Author: Unknown
Compromise: root (local)
Vulnerable Systems: AIX 4.1, 4.2
Date: 22 October 1997
Date: Wed, 22 Oct 1997 11:18:20 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Buffer overflow in the IBM AIX "xdat" command
===============================================================================
VULNERABILITY: Buffer overflow in the IBM AIX "xdat" command
PLATFORMS: IBM AIX(r) 4.1, 4.2
SOLUTION: Remove the setuid bit or apply one of the fixes below
THREAT: Local users may become root
===============================================================================
I. Description
The "xdat" command shipped with AIX version 4 does not check the length of the
"TZ" environment variable. This command was not shipped with AIX 3.2.
II. Impact
Local users may become root.
III. Solutions
A. How to alleviate the problem
This problem can be alleviated by removing the set-user-id bit from the
"xdat" program. To do this, execute the following command as "root":
chmod 555 /usr/lpp/X11/bin/xdat
B. Official fix
IBM is currently working on the following APARs but they are not yet
available.
AIX 4.1: IX72020
AIX 4.2: IX72021
C. Temporary fixes
A temporary fix is available via anonymous ftp from:
ftp://testcase.software.ibm.com/aix/fromibm/security.xdat.tar.Z
Filename   sum         md5
=================================================================
xdat       44047 74    33bcec8bbc7d8eb2e4e2ae760d2b986e
Use the following steps (as root) to install the temporary fix:
1. Uncompress and extract the fix:
# uncompress < security.xdat.tar.Z | tar xf -
2. Use the "xdat_patch.sh" script or the following manual commands:
# pgp xdat/xdat.pgp xdat/xdat
# cp /usr/lpp/X11/bin/xdat /usr/lpp/X11/bin/xdat.orig
# chmod -s /usr/lpp/X11/bin/xdat.orig
# cp xdat/xdat /usr/lpp/X11/bin/xdat
# chmod 4555 /usr/lpp/X11/bin/xdat
This fix has not been fully regression tested but does prevent the TZ
environment variable exploit. If the new executable fails to load due
to missing symbols, the following APARs may help to resolve the
prerequisites:
AIX 4.1: IX69580
AIX 4.2: IX69180
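The two defensive steps above, removing the set-user-id bit (section III.A) and checking the md5 of the downloaded replacement binary against the table in section III.C, are easy to get wrong by hand on a fleet of hosts. The following POSIX sh helper is an added example and is not part of the advisory or of IBM's xdat_patch.sh; the function names, the use of `md5sum`/`md5` instead of AIX's own tools, and the constructed temporary stand-in file in `demo` are all assumptions made here for illustration. On a real host you would point it at /usr/lpp/X11/bin/xdat and the digest from the table.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and mitigation helpers for a
# setuid binary, modelled on the "chmod 555" workaround and the md5 table.

# Return 0 when the file named by $1 carries the set-user-id bit, 1 otherwise.
# [ -u ] is the POSIX test for S_ISUID.
is_setuid() {
    [ -u "$1" ]
}

# Apply the advisory's mitigation: mode 555 keeps the program executable for
# everyone but drops the setuid bit. Returns 0 only if the bit is really gone.
strip_setuid() {
    chmod 555 "$1" && ! is_setuid "$1"
}

# Compare the md5 of file $1 with the expected hex digest $2 (as listed in the
# advisory's checksum table). Uses GNU md5sum if present, else BSD md5.
# Assumption: one of the two tools is installed.
md5_matches() {
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$1" | cut -d' ' -f1)
    else
        actual=$(md5 -q "$1")
    fi
    [ "$actual" = "$2" ]
}

# Audit one path: report whether it is setuid and whether its digest matches.
# Prints a one-line verdict and returns 0 if both checks pass.
audit_binary() {
    path=$1
    expected=$2
    status=0
    if is_setuid "$path"; then
        echo "$path: setuid bit SET"
        status=1
    else
        echo "$path: setuid bit clear"
    fi
    if md5_matches "$path" "$expected"; then
        echo "$path: md5 matches expected fix"
    else
        echo "$path: md5 does NOT match expected fix"
        status=1
    fi
    return $status
}

# Demonstration on a constructed stand-in for /usr/lpp/X11/bin/xdat.
# The file content "hello\n" and its md5 are a constructed sample, not xdat.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    chmod 4555 "$tmp"                        # start out setuid, like the shipped xdat
    audit_binary "$tmp" b1946ac92492d2347c6235b4d2611184 || echo "audit failed (expected)"
    strip_setuid "$tmp" && echo "mitigation applied"
    audit_binary "$tmp" b1946ac92492d2347c6235b4d2611184 && echo "audit passed"
    rm -f "$tmp"
}
```

Run `demo` (or call `audit_binary /usr/lpp/X11/bin/xdat 33bcec8bbc7d8eb2e4e2ae760d2b986e` on a patched AIX host) to see the before/after. The md5 check only tells you the replacement binary is the one IBM published; the advisory's `pgp` step is still what authenticates it, and the setuid check is what actually closes the privilege-escalation path until the APARs ship.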
===============================================================================
This page is part of Fyodor's exploit world.