From snsadv@lac.co.jp Tue Oct 30 12:47:28 2001
From: "snsadv@lac.co.jp"
To: bugtraq@securityfocus.com
Date: Tue, 30 Oct 2001 17:54:40 +0900
Subject: [SNS Advisory No.46] IBM AIX dtprintinfo Buffer Overflow Vulnerability

----------------------------------------------------------------------
SNS Advisory No.46
IBM AIX dtprintinfo Buffer Overflow Vulnerability

Problem first discovered: Fri, 05 Oct 2001
Published: Tue, 30 Oct 2001
----------------------------------------------------------------------

Overview:
---------

A buffer overflow vulnerability was found in the /usr/dt/bin/dtprintinfo
program shipped with IBM AIX. A local malicious user could execute
arbitrary code with root privileges.

Problem Description:
--------------------

dtprintinfo, included with IBM AIX, is the program that opens the CDE
Print Manager window. It is normally installed SUID root.

The "-session" option of dtprintinfo restores the client to its original
desktop state by loading a session file. If the designated session
filename is an unusually long string of characters, dtprintinfo overflows
a buffer. Properly exploited, this allows a local malicious attacker to
execute arbitrary code with root privileges.

Tested OS:
----------

IBM AIX 4.3.3

Solution:
---------

This security issue was previously reported to IBM Co. IBM released an
advisory including an EMERGENCY FIX (efix) on October 29:

ftp://aix.software.ibm.com/aix/efixes/security/CDE_libDtSvc_efix.tar.Z

Additionally, the Official Fix will be made available soon.

Workarounds:
------------

The following workaround minimizes the impact of this problem:

* Remove the SUID bit from dtprintinfo.

Discovered by:
--------------

Noboru Yoshinaga (LAC) yosinaga@lac.co.jp
ARAI Yuu (LAC) y.arai@lac.co.jp

Disclaimer:
-----------

All information in these advisories is subject to change without advance
notice or mutual consensus, and each advisory is released as is. LAC
Co.,Ltd. is not responsible for any risks arising from the application
of this information.

References
----------

Archive of this advisory (in preparation now):
http://www.lac.co.jp/security/english/snsadv_e/46_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory
Computer Security Laboratory, LAC
http://www.lac.co.jp/security/
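The following shell functions are an added example written for this page; they are not part of the SNS advisory or of IBM's efix. They let an administrator check whether /usr/dt/bin/dtprintinfo (the path named in the advisory, used as the default) still carries the SUID bit, list other SUID-root files under the CDE binary directory, and apply the advisory's workaround of clearing the bit. Only POSIX `find -perm -4000` and `chmod u-s` are assumed, so the script should run on AIX as well as on modern Linux or BSD systems; the directory default /usr/dt/bin is an assumption based on the advisory's path.

```shell
#!/bin/sh
# Added example (not from the SNS advisory): audit and remediate the
# SUID bit on a CDE binary such as /usr/dt/bin/dtprintinfo.

# Return 0 if FILE exists and has the setuid bit set, 1 otherwise.
# "-perm -4000" matches when the setuid bit is among the mode bits;
# "-prune" stops find from descending if a directory is passed by mistake.
is_setuid() {
    file=$1
    [ -f "$file" ] || return 1
    [ -n "$(find "$file" -prune -perm -4000 -print 2>/dev/null)" ]
}

# Print every regular file under DIR (default /usr/dt/bin, an assumed
# location for the CDE binaries) that is owned by root and setuid, so the
# administrator can see which programs share the same exposure.
list_setuid_root() {
    dir=${1:-/usr/dt/bin}
    [ -d "$dir" ] || return 1
    find "$dir" -type f -user root -perm -4000 -print
}

# Apply the advisory's workaround: clear the setuid bit on FILE.
# Returns 0 only when the file is verified to no longer be setuid.
drop_setuid() {
    file=$1
    [ -f "$file" ] || return 1
    chmod u-s "$file" || return 1
    ! is_setuid "$file"
}

# Report the state of the dtprintinfo binary (or another path given as $1).
# Exit status: 0 = SUID bit not set, 1 = SUID bit set, 2 = file not present.
check_dtprintinfo() {
    bin=${1:-/usr/dt/bin/dtprintinfo}
    if [ ! -f "$bin" ]; then
        echo "$bin: not present (CDE not installed?)"
        return 2
    fi
    if is_setuid "$bin"; then
        echo "$bin: SUID bit set; if the efix is not installed, run: chmod u-s $bin"
        return 1
    fi
    echo "$bin: SUID bit not set"
    return 0
}
```

Typical use is to source the file and run `check_dtprintinfo` before and after installing the efix, and `drop_setuid /usr/dt/bin/dtprintinfo` on hosts where the fix cannot be applied yet. Clearing the bit means unprivileged users can no longer open the Print Manager with root rights, which is exactly the trade-off the advisory's workaround accepts.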