IBM AIX dump_smutil.sh Symlink Privilege Escalation
Local Access Required
Loss of Integrity
IBM AIX contains a flaw that may allow a malicious user to overwrite arbitrary files. The issue is triggered when the shell script dump_smutil.sh makes use of a file in /tmp which can point to critical system files. It is possible that the flaw may allow any file to be overwritten resulting in a loss of integrity.
Upgrade to version 4.3.3 (APAR IY34617), 5.1.0 (APAR IY33055), or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
IBM has reported that the AIX dump_smutil.sh utility may be prone to symlink attacks due to insecure temporary file creation. The precise details regarding this issue are currently unknown; however, it is likely that during a specific operation the affected utility places a file in a world-accessible directory using a predictable name. As a result, an attacker may be capable of overwriting an arbitrary system file with the privileges of the utility.
This issue can be exploited through the creation of a malicious symbolic link.
IBM has released APAR number IY34617 for AIX 4.3.3 and APAR number IY33055 for AIX 5.1.0 to address this issue. Customers are advised to read the referenced advisories for further information pertaining to obtaining and applying an appropriate APAR.
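The bug class described above (a predictable file name in a world-accessible directory), shown beside a hardened form. This is an added example and not the contents of dump_smutil.sh, whose details the advisory does not give; the file name smutil.out, the function names and the sandbox layout are assumptions, and mktemp is assumed to be available.

```shell
# Illustration only: NOT the code of dump_smutil.sh. "smutil.out" is a hypothetical name.

# Weak pattern: fixed, predictable name in a shared directory.
# The redirection follows whatever already sits at that path, symlinks included.
write_unsafe() {   # $1 = shared directory, $2 = data
    printf '%s\n' "$2" > "$1/smutil.out"
}

# Hardened pattern: an unpredictable, atomically created private directory
# (mode 0700 via umask), and noclobber so the write can never reuse a path.
write_safe() {     # $1 = shared directory, $2 = data; prints the path written
    (
        umask 077
        work=$(mktemp -d "$1/smutil.XXXXXX") || exit 1
        set -C
        printf '%s\n' "$2" > "$work/out" || exit 1
        printf '%s\n' "$work/out"
    )
}

# Constructed sandbox: a stand-in "system file" and a symlink that already
# exists at the predictable name when the utility runs.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    printf 'original\n' > "$box/critical.conf"
    ln -s "$box/critical.conf" "$box/tmp/smutil.out"

    write_unsafe "$box/tmp" "dump data"
    after_unsafe=$(cat "$box/critical.conf")     # overwritten through the link

    printf 'original\n' > "$box/critical.conf"   # restore the stand-in file
    out=$(write_safe "$box/tmp" "dump data") || return 1
    after_safe=$(cat "$box/critical.conf")       # untouched

    printf '%s|%s|%s\n' "$after_unsafe" "$after_safe" "$(cat "$out")"
    rm -rf "$box"
}

demo
```

The first field of the output shows the stand-in file replaced by the utility's data, the second shows it intact when the hardened writer is used.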