Computer Academic Underground
http://www.caughq.org
Security Advisory

===============/========================================================
Advisory ID:    CAU-2005-0007
Release Date:   06/06/2005
Title:          IBM AIX swcons Commandline Argument Overflow
Application/OS: AIX 5.3 swcons
Topic:          Overflow in swcons commandline argument
Vendor Status:  Not Notified
Attributes:     Local, Buffer Overflow
Advisory URL:   http://www.caughq.org/advisories/CAU-2005-0007.txt
Author/Email:   intropy
===============/========================================================

Overview
========

A buffer overflow exists in the handling of the command-line arguments to
swcons. When parsing and concatenating the supplied arguments, a length
parameter is not checked and a typical overflow occurs.

Impact
======

The program runs as suid root. However, system group rights are required
to execute it. While exploitation is probable, the impact is very low due
to the privileges needed.

Affected Systems
================

AIX 5.3 (although others are likely vulnerable)

Technical Explanation
=====================

swcons is included with the bos.rte.console fileset installed with AIX.
When supplied an argument that is too long, an overflow occurs. The
overwritten value reaches a pointer dereferenced in libc, as the gdb
session shows (r30 holds 0x41414141, the attacker-supplied 'A' bytes):

Program received signal SIGSEGV, Segmentation fault.
0xd023455c in getenv () from /usr/lib/libc.a(shr.o)
3: x/i $lr  0xd023371c:  nop
2: x/i $pc  0xd023455c:  lbz     r6,0(r30)
1: /x $r30 = 0x41414141
#0  0xd023455c in getenv () from /usr/lib/libc.a(shr.o)
#1  0xd023371c in __filbuf () from /usr/lib/libc.a(shr.o)
#2  0xd02357c4 in fread_unlocked () from /usr/lib/libc.a(shr.o)
#3  0xd0235950 in fread () from /usr/lib/libc.a(shr.o)
#4  0xd0246e48 in _cat_do_open () from /usr/lib/libc.a(shr.o)
#5  0xd024edac in catgets () from /usr/lib/libc.a(shr.o)
#6  0x10000760 in ?? ()

Solution & Recommendations
==========================

Ask IBM for a patch.

Exploitation
============

Not available

References
==========

Credits & Gr33ts
================

CAU
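As an added illustration of the defect the Technical Explanation describes (not swcons's code, which IBM does not publish; every function name and buffer size here is hypothetical), the unchecked join below concatenates arguments without tracking the remaining length, while the bounded version tracks it and refuses oversized input instead of writing past the buffer:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical unchecked join: concatenates argv into buf with no check of
 * the remaining length, the pattern the advisory describes. Writes past the
 * end of buf when the joined arguments exceed its size. */
int join_args_unchecked(char *buf, int argc, char **argv)
{
    buf[0] = '\0';
    for (int i = 0; i < argc; i++) {
        strcat(buf, argv[i]);              /* no remaining-length check */
        if (i + 1 < argc)
            strcat(buf, " ");
    }
    return (int)strlen(buf);
}

/* Hardened join: tracks the space left in buf and fails closed. Returns the
 * joined length, or -1 if the arguments (plus separators and the terminating
 * NUL) would not fit. buf is always NUL-terminated on success. */
int join_args_bounded(char *buf, size_t bufsize, int argc, char **argv)
{
    size_t used = 0;
    if (bufsize == 0)
        return -1;
    buf[0] = '\0';
    for (int i = 0; i < argc; i++) {
        size_t len = strlen(argv[i]);
        size_t need = len + (i + 1 < argc ? 1 : 0); /* argument + separator */
        if (need >= bufsize - used)                 /* no room for need + NUL */
            return -1;
        memcpy(buf + used, argv[i], len);
        used += len;
        if (i + 1 < argc)
            buf[used++] = ' ';
        buf[used] = '\0';
    }
    return (int)used;
}

/* Joins one constructed argument into a buffer of the given size (at most
 * 256) through the bounded routine, to exercise the limit cases. */
int try_join_one(const char *arg, size_t bufsize)
{
    char buf[256];
    char *argv[] = { (char *)arg };
    if (bufsize > sizeof buf)
        return -2;
    return join_args_bounded(buf, bufsize, 1, argv);
}
```

The bounded routine returns -1 rather than truncating silently, so a caller can report the oversized argument and exit; a 15-byte argument fits a 16-byte buffer, a 16-byte one does not.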