IBM AIX Capture Command Local Stack Based Buffer Overflow Vulnerability

Bugtraq ID:	25075
Class:	Boundary Condition Error
CVE:	CVE-2007-3333
Remote:	No
Local:	Yes
Published:	Jul 26 2007 12:00AM
Updated:	Sep 19 2007 04:20PM
Credit:	An anonymous contributer to iDefense Labs is credited with the discovery of this issue.
Vulnerable:	IBM AIX 5.3 IBM AIX 5.2
Not Vulnerable:

IBM AIX Capture Command Local Stack Based Buffer Overflow Vulnerability

IBM AIX is prone to a local, stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input to a program that is installed setuid-superuser.

Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Failed attacks will likely cause denial-of-service conditions.

IBM AIX Capture Command Local Stack Based Buffer Overflow Vulnerability

Exploit code is available:

• /data/vulnerabilities/exploits/aix_capture_exp.c

IBM AIX Capture Command Local Stack Based Buffer Overflow Vulnerability

Solution:
The vendor has released an advisory and interim fixes to address this issue. IBM plans to release APAR fixes on 10/31/2007 and 11/27/2007, but these dates may change. Please see the references for more information.


IBM AIX 5.2

• IBM capture_ifix.tar.Z
  ftp://aix.software.ibm.com/aix/efixes/security/capture_ifix.tar.Z

IBM AIX 5.3

• IBM capture_ifix.tar.Z
  ftp://aix.software.ibm.com/aix/efixes/security/capture_ifix.tar.Z

IBM AIX Capture Command Local Stack Based Buffer Overflow Vulnerability

References:

• AIX Fixes (IBM)
  
• AIX Homepage (IBM)
  
• iDefense Security Advisory 07.26.07: IBM AIX capture Terminal Control Sequence B (iDefense Labs)
  
• AIX capture Terminal Control Sequence Stack Buffer Overflow Vulnerability (IBM)
  
• IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability (iDefense Labs)