Computer Academic Underground
http://www.caughq.org
Security Advisory

===============/========================================================
Advisory ID:    CAU-2005-0004
Release Date:   06/06/2005
Title:          IBM AIX diagTasksWebSM Commandline Argument Overflow
Application/OS: AIX 5.3 diagTasksWebSM
Topic:          Overflow in diagTasksWebSM commandline argument
Vendor Status:  Not Notified
Attributes:     Local, Buffer Overflow
Advisory URL:   http://www.caughq.org/advisories/CAU-2005-0004.txt
Author/Email:   intropy
===============/========================================================

Overview
========

A buffer overflow exists in the handling of the command-line arguments to
diagTasksWebSM. When the supplied arguments are parsed and concatenated, the
length of the data is not checked against the destination, and a typical
stack-based overflow occurs.

Impact
======

diagTasksWebSM is installed setuid root, so a successful overflow yields root
privileges. However, only members of the system group are permitted to execute
it, so an attacker must already hold system-group rights. Exploitation is
probable, but because of the privileges required the overall impact is low.

Affected Systems
================

AIX 5.3 (other releases are likely vulnerable but were not confirmed)

Technical Explanation
=====================

diagTasksWebSM is shipped in the bos.diag.rte fileset used for hardware
diagnostics. When it is given an argument that is too long, an overflow occurs.
Running it under gdb with an over-long argument produces:

    Program received signal SIGSEGV, Segmentation fault.
    0xd00a3e68 in verify_class_structure () from /usr/lib/libodm.a(shr.o)
    4: /x $r1  = 0x2ff221e0
    9: /x $r31 = 0x41414141
    3: x/i $lr   0xd00a3e38:  nop
    1: x/i $pc   0xd00a3e68:  lwz r0,0(r31)

r1 is the stack pointer. r31 is a callee-saved register that is restored from
the stack on function return; it now holds 0x41414141 (ASCII "AAAA"), i.e. the
attacker-supplied argument bytes that overwrote the saved register slot. The
faulting instruction, lwz r0,0(r31), loads through that corrupted register,
which is why the crash surfaces later inside the ODM library rather than in the
concatenation routine itself. Because the attacker controls a register that is
subsequently used as a pointer, control of execution is plausible, which is the
basis for the "exploitation is probable" assessment above.

Solution & Recommendations
==========================

Ask IBM for a patch. Until one is available, the privilege-escalation exposure
can be removed by clearing the setuid bit on diagTasksWebSM (chmod u-s), at the
cost of the diagnostics it provides to non-root members of the system group, or
reduced by keeping membership of the system group to a minimum.

Exploitation
============

Not available; no exploit is published with this advisory.

References
==========

Credits & Gr33ts
================

CAU
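The class of bug described in the Technical Explanation, shown as an added example that is not part of the original advisory and is not diagTasksWebSM's own code: an argument joiner that appends argv into a fixed buffer without a bound, beside a hardened joiner that checks the remaining capacity before every copy and rejects over-long input. The 256-byte buffer size, the single-space separator and the sample arguments are assumptions for illustration; the advisory does not publish how diagTasksWebSM actually concatenates its arguments.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the illustration; the real size used by
 * diagTasksWebSM is not published in the advisory. */
#define ARGBUF_SZ 256

/* Unsafe pattern of the kind the advisory describes: each command-line
 * argument is appended to a fixed stack buffer without checking how much
 * room is left. With more than ARGBUF_SZ bytes of 'A' in argv[1] the copy
 * runs past buf into the saved registers and return address of this frame;
 * on AIX/PowerPC that is how a callee-saved register such as r31 ends up
 * holding 0x41414141. Never call this with untrusted input. */
int join_args_unsafe(int argc, char **argv)
{
    char buf[ARGBUF_SZ];
    buf[0] = '\0';
    for (int i = 1; i < argc; i++) {
        if (i > 1)
            strcat(buf, " ");
        strcat(buf, argv[i]);           /* no bound on the total length */
    }
    return (int)strlen(buf);
}

/* Hardened form: the remaining capacity is checked before every copy, one
 * byte is always reserved for the terminator, and an over-long input is
 * rejected outright (return -1, out set to "") rather than silently
 * truncated, so the caller cannot act on a partially built string.
 * Returns 0 on success. */
int join_args_safe(char *out, size_t outsz, int argc, char **argv)
{
    size_t used = 0;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';

    for (int i = 1; i < argc; i++) {
        size_t len = strlen(argv[i]);
        size_t sep = (i > 1) ? 1 : 0;   /* one space between arguments */

        /* outsz - used - 1 is the space left after reserving the NUL.
         * used never exceeds outsz - 1, so the subtraction cannot wrap,
         * and the comparison happens before a single byte is written. */
        if (len + sep > outsz - used - 1) {
            out[0] = '\0';
            return -1;
        }
        if (sep)
            out[used++] = ' ';
        memcpy(out + used, argv[i], len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}

/* Stand-alone demonstration with constructed arguments: a normal invocation
 * and one carrying an over-long argument like the one that crashed
 * diagTasksWebSM. Only the safe joiner is ever fed the long argument. */
int main(void)
{
    char out[ARGBUF_SZ];
    char *normal[] = { "prog", "arg1", "arg2", NULL };   /* constructed */
    char longarg[ARGBUF_SZ + 64];
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';
    char *hostile[] = { "prog", longarg, NULL };         /* constructed */

    if (join_args_safe(out, sizeof out, 3, normal) == 0)
        printf("ok:       \"%s\"\n", out);
    if (join_args_safe(out, sizeof out, 2, hostile) != 0)
        printf("rejected: %zu-byte argument does not fit in %d bytes\n",
               strlen(longarg), ARGBUF_SZ);
    return 0;
}
```

Build with a C99 compiler (cc -std=c99). The unsafe joiner is included only to show the pattern; main never hands it the long argument, because doing so is undefined behaviour and, on a real target, the register corruption seen in the advisory's gdb trace.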