Computer Academic Underground
http://www.caughq.org

Security Advisory
===============/========================================================
Advisory ID:    CAU-2005-0005
Release Date:   06/06/2005
Title:          IBM AIX getlvname Commandline Argument Overflow
Application/OS: AIX 5.3 getlvname
Topic:          Overflow in getlvname commandline argument
Vendor Status:  Not Notified
Attributes:     Local, Buffer Overflow
Advisory URL:   http://www.caughq.org/advisories/CAU-2005-0005.txt
Author/Email:   intropy
===============/========================================================

Overview
========
A buffer overflow exists in the handling of the commandline arguments to
getlvname. When the supplied arguments are parsed and concatenated, a
length parameter is not checked against the size of the destination
buffer, and a typical overflow occurs.

Impact
======
The program is installed setuid root, but membership in the system group
is required to execute it. Exploitation is probable; the impact is
nevertheless low, because an attacker must already hold system-group
privileges to reach the vulnerable code.

Affected Systems
================
AIX 5.3 (other releases are likely vulnerable as well)

Technical Explanation
=====================
getlvname is included with the bos.rte.lvm fileset used for managing
logical volumes. When supplied an argument that is too long, an overflow
occurs. A gdb session shows the resulting crash:

Program received signal SIGSEGV, Segmentation fault.
0xd023455c in getenv () from /usr/lib/libc.a(shr.o)
3: /x $r30 = 0x41414141
2: x/i $lr  0xd024659c:  nop
1: x/i $pc  0xd023455c:  lbz r6,0(r30)

The faulting instruction dereferences r30, which holds 0x41414141 (four
'A' bytes from the oversized argument). On PowerPC, r30 is a non-volatile
register that is restored from the stack when a function returns, so
attacker-supplied bytes have been loaded into a register that is then
used as a pointer; this is the behaviour expected once the saved stack
frame has been overwritten.

Solution & Recommendations
==========================
Ask IBM for a patch. Until a fix is available, limiting membership of
the system group limits who is able to reach the overflow at all.

Exploitation
============
Not available

Credits & Gr33ts
================
CAU
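The bug class the Technical Explanation describes (arguments concatenated into a fixed-size buffer with no length check) is easiest to see beside its bounds-checked form. The following is added example code, not getlvname's source and not from the advisory authors: the buffer size ARGBUF_SZ, the space separator and the helper names are assumptions, and the 'A'-filled inputs are constructed here to mirror the 0x41414141 pattern in the crash above.

```c
/* Added example: unchecked argv[] concatenation beside a checked rewrite.
 * Not getlvname's source; ARGBUF_SZ and the separator are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARGBUF_SZ 64   /* assumed; the real buffer size in getlvname is not known */

/* Vulnerable pattern: every argument is appended with strcat() and the
 * running length is never compared with the destination size. Any
 * argument longer than ARGBUF_SZ writes past the end of buf, which is the
 * class of overflow the advisory describes. Never call this with
 * untrusted argv; it is here for comparison only and is not invoked. */
static void concat_args_vulnerable(char *buf, int argc, char **argv)
{
    buf[0] = '\0';
    for (int i = 1; i < argc; i++) {
        strcat(buf, argv[i]);
        if (i + 1 < argc)
            strcat(buf, " ");
    }
}

/* Hardened form: track the space still available and refuse the copy
 * before it (including the terminating NUL) would exceed bufsz.
 * Returns the length written, or -1 if the arguments do not fit; on
 * failure buf is left as an empty string. */
static int concat_args_checked(char *buf, size_t bufsz, int argc, char **argv)
{
    size_t used = 0;

    if (bufsz == 0)
        return -1;
    buf[0] = '\0';
    for (int i = 1; i < argc; i++) {
        size_t n = strlen(argv[i]);
        size_t sep = (i + 1 < argc) ? 1 : 0;

        /* need used + n + sep + 1 <= bufsz; used < bufsz is an invariant */
        if (n + sep >= bufsz - used) {
            buf[0] = '\0';
            return -1;
        }
        memcpy(buf + used, argv[i], n);
        used += n;
        if (sep)
            buf[used++] = ' ';
        buf[used] = '\0';
    }
    return (int)used;
}

/* Constructed input: two short logical volume names fit comfortably. */
int example_normal(void)
{
    char buf[ARGBUF_SZ];
    char *argv[] = { "getlvname", "hd1", "hd2", NULL };
    int n = concat_args_checked(buf, sizeof buf, 3, argv);
    return (n == 7 && strcmp(buf, "hd1 hd2") == 0) ? n : -2;
}

/* Constructed input: 63 bytes plus NUL exactly fills a 64-byte buffer
 * and must be accepted (an off-by-one here would reject or overflow). */
int example_exact_fit(void)
{
    char buf[ARGBUF_SZ];
    char big[ARGBUF_SZ];
    char *argv[] = { "getlvname", big, NULL };
    memset(big, 'A', ARGBUF_SZ - 1);
    big[ARGBUF_SZ - 1] = '\0';
    return concat_args_checked(buf, sizeof buf, 2, argv);
}

/* Constructed input: a 200-byte run of 'A' (0x41) would smash the stack in
 * the vulnerable version; the checked version rejects it with -1 and
 * leaves buf empty. */
int example_overlong(void)
{
    char buf[ARGBUF_SZ];
    char big[200];
    char *argv[] = { "getlvname", big, NULL };
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int r = concat_args_checked(buf, sizeof buf, 2, argv);
    return (r == -1 && buf[0] == '\0') ? -1 : -2;
}

int main(void)
{
    printf("normal=%d exact_fit=%d overlong=%d\n",
           example_normal(), example_exact_fit(), example_overlong());
    (void)concat_args_vulnerable;  /* defined for comparison, deliberately not called */
    return 0;
}
```

The check is written as `n + sep >= bufsz - used` rather than `used + n + sep + 1 > bufsz` so that no intermediate sum can wrap on a very long argument; the invariant `used < bufsz` keeps the subtraction safe.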