                        ____      ____    __    __
                       /    \    /    \  |  |  |  |
        ----====####/  /\__\##/  /\    \##|  |##|  |####====----
                   |  |       |  |__|  | |  |  |  |
                   |  |  ___  |   __   | |  |  |  |
        ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                           \____/  |__|  |__|  \______/

                        Computer Academic Underground
                           http://www.caughq.org
                              Security Advisory

===============/========================================================
Advisory ID:    CAU-2005-0002
Release Date:   06/06/2005
Title:          IBM AIX invscout Commandline Argument Overflow
Application/OS: AIX 5.3 invscout
Topic:          Overflow in invscout commandline argument
Vendor Status:  Not Notified
Attributes:     Local, Buffer Overflow
Advisory URL:   http://www.caughq.org/advisories/CAU-2005-0002.txt
Author/Email:   intropy
===============/========================================================

Overview
========

A buffer overflow exists in the handling of the commandline arguments to
invscout. When the supplied arguments are parsed and concatenated, a
typical overflow occurs.

Impact
======

The program runs as suid root. Exploitation is probable, leading to
super-user rights.

Affected Systems
================

AIX 5.3 (although others are likely vulnerable)

I did not check whether APAR IY64820 fixes this.

Technical Explanation
=====================

This problem was not mentioned in the i-defense advisory concerning
invscout. This relates to the commandline arguments and not to
environment variables.

When invscout tries to parse the command line, it loads the contents into
a general register. Since no length is checked, an overflow occurs.

GNU gdb 6.0
Starting program: /usr/sbin/invscout `perl -e 'print "A" x 1024;'`

Program received signal SIGSEGV, Segmentation fault.
0x100016a0 in PrComLin (GenrlPar=0x41414141)
    at ../../../../../../../src/bos/usr/sbin/invscout/main_build/Initialz.c:280
(gdb) bt
#0  0x100016a0 in PrComLin (GenrlPar=0x41414141)
    at ../../../../../../../src/bos/usr/sbin/invscout/main_build/Initialz.c:280
#1  0x41414141 in ?? ()
(gdb)
0x100016a0 :    lwzx    r4,r3,r4

Solution & Recommendations
==========================

Ask IBM for a patch.

Exploitation
============

Not Available.

References
==========

i-defense invscout advisory
http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities&lashstatus=true

Credits & Gr33ts
================

CAU
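Appendix (added to this edition; not part of the original CAU advisory)
=======================================================================

The Technical Explanation above describes the classic shape of this bug:
command-line arguments are concatenated into a fixed-size buffer with no
check of their combined length, and the 1024-byte argument from the gdb
session overwrites the saved return address (frame #1 at 0x41414141). The
invscout source is not public, so the C below is an illustration of that
pattern written for this page, not IBM's code: join_args_unchecked shows
the unsafe shape, join_args_checked the defensive rewrite that measures
first and refuses input that would not fit. CMDLINE_MAX, the function
names and the sample arguments are all constructed for the example.

```c
/* Added illustration of the argv-concatenation overflow pattern and its
 * length-checked counterpart. Not invscout source; all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMDLINE_MAX 256   /* assumed size of the fixed destination buffer */

/* The bug's shape: nothing compares the total argv length against the
 * destination, so long arguments run past the end of dst. Shown for
 * contrast only; nothing in this file calls it. */
void join_args_unchecked(char *dst, int argc, char **argv)
{
    dst[0] = '\0';
    for (int i = 1; i < argc; i++) {
        strcat(dst, argv[i]);              /* no bound on dst */
        if (i + 1 < argc) strcat(dst, " ");
    }
}

/* Hardened version: compute the required length first and refuse (rather
 * than truncate silently) when the joined arguments plus NUL exceed dst_size.
 * Returns 0 on success, -1 when the input is rejected; dst is untouched on -1. */
int join_args_checked(char *dst, size_t dst_size, int argc, char **argv)
{
    size_t need = 0;
    for (int i = 1; i < argc; i++) {
        size_t len = strlen(argv[i]);
        if (len > SIZE_MAX - need - 1) return -1;  /* guard the size arithmetic itself */
        need += len + (i + 1 < argc ? 1 : 0);     /* argument plus separating space */
    }
    if (dst_size == 0 || need >= dst_size) return -1;  /* leave room for the NUL */

    size_t off = 0;
    for (int i = 1; i < argc; i++) {
        size_t len = strlen(argv[i]);
        memcpy(dst + off, argv[i], len);
        off += len;
        if (i + 1 < argc) dst[off++] = ' ';
    }
    dst[off] = '\0';
    return 0;
}

/* Constructed benign invocation: two short arguments fit comfortably. */
int demo_benign(void)
{
    char buf[CMDLINE_MAX];
    char *argv[] = { "prog", "arg1", "arg2", NULL };
    if (join_args_checked(buf, sizeof buf, 3, argv) != 0) return -1;
    return strcmp(buf, "arg1 arg2") == 0 ? 0 : -2;
}

/* Constructed input mirroring the advisory's `perl -e 'print "A" x 1024;'`:
 * the checked join must reject it instead of writing past the buffer. */
int demo_overlong(void)
{
    char buf[CMDLINE_MAX];
    char big[1025];
    memset(big, 'A', 1024);
    big[1024] = '\0';
    char *argv[] = { "prog", big, NULL };
    return join_args_checked(buf, sizeof buf, 2, argv);   /* -1: refused */
}

/* Off-by-one boundary: "abc def" is 7 chars, so 8 bytes fit and 7 do not. */
int demo_boundary(void)
{
    char buf[8];
    char *argv[] = { "prog", "abc", "def", NULL };
    int fits   = join_args_checked(buf, 8, 3, argv);
    int toobig = join_args_checked(buf, 7, 3, argv);
    return (fits == 0 && strcmp(buf, "abc def") == 0 && toobig == -1) ? 1 : 0;
}

int main(void)
{
    printf("benign:   %d (0 = joined)\n", demo_benign());
    printf("overlong: %d (-1 = rejected)\n", demo_overlong());
    printf("boundary: %d (1 = off-by-one handled)\n", demo_boundary());
    return 0;
}
```

The design choice worth noting is refusing rather than truncating: a
truncating strncat-style fix would keep the process alive but could still
hand a silently shortened string to later code, whereas an explicit
reject makes the length limit a visible, testable contract.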