AIX xdat overflow

Description:Typical buffer overflow, this time with $TZ in AIX's xdat program
Compromise: root (local)
Vulnerable Systems:AIX 4.1, 4.2
Date:22 October 1997

Date: Wed, 22 Oct 1997 11:18:20 -0500
From: Aleph One <aleph1@DFW.NET>
Subject: Buffer overflow in the IBM AIX "xdat" command


VULNERABILITY:  Buffer overflow in the IBM AIX "xdat" command

PLATFORMS:      IBM AIX(r) 4.1, 4.2

SOLUTION:       Remove the setuid bit or apply one of the fixes below

THREAT:         Local users may become root


I. Description

The "xdat" command shipped with AIX version 4 does not check the length of the
"TZ" environment variable.  This command was not shipped with AIX 3.2.

II. Impact

Local users may become root.

III. Solutions

  A.  How to alleviate the problem

      This problem can be alleviated by removing the set-user-id bit from the
      "xdat" program.  To do this, execute the following command as "root":

          chmod 555 /usr/lpp/X11/bin/xdat

  B.  Official fix

      IBM is currently working on the following APARs but they are not yet

      AIX 4.1:  IX72020
      AIX 4.2:  IX72021

  C.  Temporary fixes

      A temporary fix is available via anonymous ftp from:

      Filename      sum               md5
      xdat          44047    74       33bcec8bbc7d8eb2e4e2ae760d2b986e

      Use the following steps (as root) to install the temporary fix:

      1.  Uncompress and extract the fix:

        # uncompress < security.xdat.tar.Z | tar xf -

      2.  Use the "" script or the following manual commands:

        # pgp xdat/xdat.pgp xdat/xdat
        # cp /usr/lpp/X11/bin/xdat /usr/lpp/X11/bin/xdat.orig
        # chmod -s /usr/lpp/X11/bin/xdat.orig
        # cp xdat/xdat /usr/lpp/X11/bin/xdat
        # chmod 4555 /usr/lpp/X11/bin/xdat

      This fix has not been fully regression tested but does prevent the TZ
      environment variable exploit.  If the new executable fails to load due
      to missing symbols, the following APARs may help to resolve the

         AIX 4.1:  IX69580
         AIX 4.2:  IX69180


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: