TITLE: AIX Multiple Privilege Escalation Vulnerabilities SECUNIA ADVISORY ID: SA18088 VERIFY ADVISORY: http://secunia.com/advisories/18088/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system OPERATING SYSTEM: AIX 5.x http://secunia.com/product/213/ DESCRIPTION: David Litchfield has reported some vulnerabilities in AIX, which can be exploited by malicious, local users to gain escalated privileges. 1) An unspecified boundary error exists in the suid root "slocal" binary. This can be exploited to cause a buffer overflow, which potentially allows arbitrary code execution with root privileges. 2) An unspecified boundary error exists in the suid root "muxatmd" binary. This can be exploited to cause a buffer overflow, which potentially allows arbitrary code execution with root privileges. 3) An unspecified input validation error exists in the suid root "getShell" and "getCommand" utilities in the WebSM component. This can be exploited to overwrite arbitrary files on the filesystem. 4) An unspecified boundary error in the malloc debug system can be exploited to gain root privileges. The vulnerabilities have been reported in AIX 5.1, 5.2 and 5.3. SOLUTION: Apply APARs or Interim Fix for vulnerability #1 and #2. http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html APAR for AIX 5.1: IY78224 (available approx. 2006-01-30) IY78221 (available approx. 2006-01-30) APAR for AIX 5.2: IY78225 (available approx. 2006-01-30) IY78222 (available approx. 2006-01-30) APAR for AIX 5.3: IY78226 (available approx. 2006-01-30) IY78223 (available approx. 2006-01-30) Interim Fixes: ftp://aix.software.ibm.com/aix/efixes/security/slocal_ifix.tar.Z ftp://aix.software.ibm.com/aix/efixes/security/libisode_ifix.tar.Z PROVIDED AND/OR DISCOVERED BY: David Litchfield, NGSSoftware. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------