             ____      ____      __  __
            /    \    /    \    |  |  |  |
----====####/ /\__\##/ /\ \##| |##| |####====----
           | |       | |__| |   | |  | |
           | |  ___  |  __  |   | |  | |
------======######\ \/ /#| |##| |#| |##| |######======------
            \____/   |__|  |__|  \______/

                   Computer Academic Underground
                       http://www.caughq.org
                         Security Advisory

===============/========================================================
Advisory ID:    CAU-2005-0006
Release Date:   06/06/2005
Title:          IBM AIX p* Commandline Argument Overflow
Application/OS: AIX 5.3 p* commands
Topic:          Overflow in several p* command arguments
Vendor Status:  Not Notified
Attributes:     Local, Heap Overflow
Advisory URL:   http://www.caughq.org/advisories/CAU-2005-0006.txt
Author/Email:   intropy
===============/========================================================

Overview
========

The following commands suffer from a heap overflow when parsing their
command line arguments:

    /usr/sbin/penable
    /usr/sbin/pdisable
    /usr/sbin/pstart
    /usr/sbin/phold
    /usr/sbin/pdelay
    /usr/sbin/pshare

Impact
======

The programs run setuid root. However, membership in the system group is
required to execute them. While exploitation is probable, the impact is
very low because of the privileges already needed to reach the bug.

Affected Systems
================

AIX 5.3 (other releases are likely vulnerable as well)

Technical Explanation
=====================

All of the affected programs are included in the bos.rte.control fileset
installed with AIX. When supplied an argument that is too long, a heap
buffer is overrun. The overrun is not detected at the copy itself; the
process dies later, inside malloc(), on the next allocation that walks the
corrupted heap bookkeeping, as the trace below shows.

Program received signal SIGSEGV, Segmentation fault.
0xd022254c in leftmost () from /usr/lib/libc.a(shr.o)
7: /x $r7 = 0x41414141
6: /x $r6 = 0x41414141
5: /x $r5 = 0x41414141
4: /x $r0 = 0x41414141
3: x/i $lr  0xd02242c4:    cmpwi   r3,0
1: x/i $pc  0xd022254c:    lwz     r6,4(r7)
#0  0xd022254c in leftmost () from /usr/lib/libc.a(shr.o)
#1  0xd02242c4 in malloc_y () from /usr/lib/libc.a(shr.o)
#2  0xd0221998 in malloc_common_50_34 () from /usr/lib/libc.a(shr.o)
#3  0xd02217ec in malloc () from /usr/lib/libc.a(shr.o)
#4  0xd022ee94 in _findbuf () from /usr/lib/libc.a(shr.o)
#5  0xd02337b4 in __filbuf () from /usr/lib/libc.a(shr.o)
#6  0xd02357c4 in fread_unlocked () from /usr/lib/libc.a(shr.o)
#7  0xd0235950 in fread () from /usr/lib/libc.a(shr.o)
#8  0xd0246e48 in _cat_do_open () from /usr/lib/libc.a(shr.o)
#9  0xd024edac in catgets () from /usr/lib/libc.a(shr.o)
#10 0x10002f70 in ?? ()

The faulting instruction, lwz r6,4(r7), dereferences r7, which holds
0x41414141 (the bytes of the over-long argument): the allocation that
catgets() makes while opening the message catalog follows a pointer the
overflow replaced with argument data.

Solution & Recommendations
==========================

Ask IBM for a patch. Until one is available, keep membership in the system
group to a minimum, since only its members can reach the vulnerable code.
lslpp -l bos.rte.control reports the installed level of the fileset.

Exploitation
============

Not available.

References
==========

Credits & Gr33ts
================

CAU
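Worked Example
==============

The following C program is an added illustration of the bug class described
in the Technical Explanation above. It is not the source of the AIX p*
commands (the advisory does not include it) and not CAU's code. It models
an argv[] string copied into a fixed-size heap buffer without a length
check, so that the allocator bookkeeping stored right after the buffer is
overwritten with argument bytes, which is what the 0x41414141 register
values in the trace show malloc() dereferencing. The hardened form sits
beside it. ARG_MAX_LEN, the chunk_model layout and its link field are
assumptions chosen for the model; the inputs are constructed.

```c
/*
 * Added illustration, not the AIX p* commands' source: an over-long
 * argument copied into a fixed-size buffer overwrites the allocator
 * metadata stored after it, and the bounded copy that prevents it.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARG_MAX_LEN 16   /* assumed size of the argument buffer */

/*
 * Model of one heap chunk: the user buffer immediately followed by a piece
 * of allocator metadata (one link pointer, standing in for whatever the
 * leftmost() walk in the trace reads). Keeping both in one struct lets the
 * overflow stay inside an object we own, so the model itself is valid C.
 */
struct chunk_model {
    char data[ARG_MAX_LEN];   /* where the argument is copied */
    uintptr_t link;           /* allocator bookkeeping after the buffer */
};

static void chunk_init(struct chunk_model *c, uintptr_t link)
{
    memset(c->data, 0, sizeof c->data);
    c->link = link;
}

/*
 * Vulnerable pattern: the copy trusts strlen(arg). Anything longer than
 * ARG_MAX_LEN runs over the link pointer. The clamp to sizeof *c exists
 * only to keep the model in bounds; a real strcpy() would keep writing
 * into the next chunk.
 */
static int copy_arg_unchecked(struct chunk_model *c, const char *arg)
{
    size_t n = strlen(arg) + 1;            /* includes the NUL */
    if (n > sizeof *c)
        n = sizeof *c;
    memcpy((unsigned char *)c, arg, n);    /* no check against ARG_MAX_LEN */
    return 0;
}

/*
 * Hardened form: refuse anything that does not fit together with its
 * terminator, then copy with an explicit bound. Returns -1 on rejection so
 * the caller can print a usage error instead of continuing on a corrupt
 * heap.
 */
static int copy_arg_checked(struct chunk_model *c, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= ARG_MAX_LEN)
        return -1;
    memcpy(c->data, arg, len);
    c->data[len] = '\0';
    return 0;
}

/* 1 if the unchecked copy of arg changes the link pointer, else 0. */
static int unchecked_copy_clobbers_link(const char *arg)
{
    struct chunk_model c;
    chunk_init(&c, 0x1000);
    copy_arg_unchecked(&c, arg);
    return c.link != 0x1000;
}

int main(void)
{
    /* Constructed inputs: a normal tty name and a 40-byte run of 'A'. */
    const char *good = "tty0";
    const char *bad  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    struct chunk_model c;

    chunk_init(&c, 0x1000);
    copy_arg_unchecked(&c, bad);
    printf("unchecked: link = %#lx (was 0x1000)\n", (unsigned long)c.link);

    chunk_init(&c, 0x1000);
    printf("checked:   rc = %d, link = %#lx\n",
           copy_arg_checked(&c, bad), (unsigned long)c.link);
    printf("checked:   rc = %d for \"%s\"\n", copy_arg_checked(&c, good), good);
    printf("clobbers?  good=%d bad=%d\n",
           unchecked_copy_clobbers_link(good),
           unchecked_copy_clobbers_link(bad));
    return 0;
}
```

Build with cc and run: after the unchecked copy the link pointer is made
entirely of 0x41 bytes, the same value the registers hold in the trace,
while the checked copy rejects the long argument and leaves the link
untouched. The fix is the length check before the copy, not a larger
buffer.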