IBM AIX Pioout Arbitrary Library Loading Code Execution Vulnerability

Bugtraq ID:	25084
Class:	Design Error
CVE:	CVE-2007-4003
Remote:	No
Local:	Yes
Published:	Jul 26 2007 12:00AM
Updated:	Jul 27 2007 10:15AM
Credit:	The discoverer of this issue wishes to remain anonymous.
Vulnerable:	IBM AIX 5.3 IBM AIX 5.2
Not Vulnerable:

IBM AIX Pioout Arbitrary Library Loading Code Execution Vulnerability

IBM AIX is prone to a vulnerability that allows attackers to execute arbitrary code with superuser privileges. This is due to insecure permissions shared libraries.

Successful attacks will completely compromise affected computers.

IBM AIX Pioout Arbitrary Library Loading Code Execution Vulnerability

Attackers can exploit this issue by loading a shared library containing arbitrary commands.

A proof-of-concept is available:

• /data/vulnerabilities/exploits/aix_pioout_poc.sh

IBM AIX Pioout Arbitrary Library Loading Code Execution Vulnerability

Solution:
The vendor released an advisory and an interim fix to address this issue. The vendor plans to released APAR fixes on 10/31/2007 and 08/08/2007, however, these dates may change. Please see the references for further information.


IBM AIX 5.2

• IBM pioout_ifix.tar.Z
  ftp://aix.software.ibm.com/aix/efixes/security/pioout_ifix.tar.Z

IBM AIX 5.3

• IBM pioout_ifix.tar.Z
  ftp://aix.software.ibm.com/aix/efixes/security/pioout_ifix.tar.Z

IBM AIX Pioout Arbitrary Library Loading Code Execution Vulnerability

References:

• AIX Homepage (IBM)
  
• iDefense Security Advisory 07.26.07: IBM AIX pioout Arbitrary Library Loading V (iDefense Labs)
  
• iDefense Security Advisory 07.26.07: IBM AIX pioout Arbitrary (iDefense Labs)