CVE-2003-0087
CVSS 7.2
Published: 2003-03-03 00:00:00
Last revised: 2016-10-17 22:29:23

[Original] Buffer overflow in libIM library (libIM.a) for National Language Support (NLS) on AIX 4.3 through 5.2 allows local users to gain privileges via several possible attack vectors, including a long -im argument to aixterm.


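[CNNVD] IBM AIX libIM buffer overflow vulnerability (CNNVD-200303-007)

        A buffer overflow vulnerability exists in the libIM library (libIM.a) for National Language Support (NLS) on AIX 4.3 through 5.2. A local attacker can gain privileges via several possible attack vectors, including an overly long -im argument to aixterm.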

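- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]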

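- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found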

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0087
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0087
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-007
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0066.html
(UNKNOWN)  VULNWATCH  20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a
http://marc.info/?l=bugtraq&m=104508375107938&w=2
(UNKNOWN)  BUGTRAQ  20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a
http://marc.info/?l=bugtraq&m=104508833214691&w=2
(UNKNOWN)  BUGTRAQ  20030212 libIM.a buffer overflow vulnerability
http://www-1.ibm.com/support/search.wss?rs=0&q=IY40307&apar=only
(UNKNOWN)  AIXAPAR  IY40307
http://www-1.ibm.com/support/search.wss?rs=0&q=IY40317&apar=only
(UNKNOWN)  AIXAPAR  IY40317
http://www-1.ibm.com/support/search.wss?rs=0&q=IY40320&apar=only
(UNKNOWN)  AIXAPAR  IY40320
http://www.idefense.com/advisory/02.12.03.txt
(VENDOR_ADVISORY)  MISC  http://www.idefense.com/advisory/02.12.03.txt
http://www.securityfocus.com/bid/6840
(UNKNOWN)  BID  6840
http://xforce.iss.net/xforce/xfdb/11309
(UNKNOWN)  XF  aix-aixterm-libim-bo(11309)

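- Vulnerability information

IBM AIX libIM buffer overflow vulnerability
High risk  Buffer overflow
2003-03-03 00:00:00 2005-05-13 00:00:00
Local
        A buffer overflow vulnerability exists in the libIM library (libIM.a) for National Language Support (NLS) on AIX 4.3 through 5.2. A local attacker can gain privileges via several possible attack vectors, including an overly long -im argument to aixterm.

- Advisories and patches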

        IBM has released an E-Fix containing fixes for IBM AIX 4.3.3, 5.1, and 5.2. It should be noted that releases prior to 4.3 are no longer supported by IBM and users are advised to upgrade their operating system when possible.
        Information regarding the release dates of the respective APAR files can be found in the attached IBM advisory.
        Fixes:
        National Language Support libIM
        

- Vulnerability information (22249)

IBM AIX 4.3.3/5.1/5.2 libIM Buffer Overflow Vulnerability (EDBID:22249)
aix dos
2003-02-12 Verified
0 Euan Briggs
N/A
source: http://www.securityfocus.com/bid/6840/info

A buffer overflow vulnerability has been discovered in the libIM library available for the AIX 4.3, 5.1, 5.2 operating system. As a result it may be possible to overwrite sensitive memory in programs linked to the affected library. By identifying a linked application with the setuid bit applied, it may be possible to exploit this vulnerability to execute code with elevated privileges.

Under certain circumstances this issue may pose a remote security threat.

/usr/lpp/X11/bin/aixterm -im `perl -e 'print "A"x47; print pack("l",0x11223344)'`
		

- Vulnerability information (F30818)

aix.libim.txt (PacketStormID:F30818)
2003-02-19 00:00:00
 
advisory,local,root
aix
CVE-2003-0087

IBM Security Advisory - IBM AIX v4.3, 5.1, and 5.2 has a local root vulnerability in setuid applications linked with libIM.a. Fix available here.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed Feb 12 11:00:00 CST 2003

===========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      libIM.a buffer overflow vulnerability.

PLATFORMS:          AIX 4.3, 5.1 and 5.2

SOLUTION:           Apply the efix or APARs as described below.

THREAT:             A local attacker can exploit a buffer overflow
                    vulnerability to execute arbitrary code.

CERT VU Number:     n/a

CAN Number:         CAN-2003-0087
===========================================================================
                           DETAILED INFORMATION


I.  Description
===============

AIX provides support for National Language Support (NLS). Many AIX
applications support a variety of languages. Users may determine
which language an application uses via command line arguments or,
as is more often the case, via environment variables.

A buffer overflow vulnerability has been found in a system library
used by NLS, libIM, that allows a local attacker to execute arbitrary code
with the privileges of the application that calls the library.


II. Impact
==========

A local attacker can execute arbitrary code with the privileges of the
application using libIM. If the application is setuid root, an attacker will
be able to execute arbitrary code with root privileges.


III.  Solutions
===============

A. Official Fix
IBM provides the following fixes:

      APAR number for AIX 4.3.3: IY40307 (available approx. 03/12/2003)
      APAR number for AIX 5.1.0: IY40317 (available approx. 04/28/2003)
      APAR number for AIX 5.2.0: IY40320 (available approx. 04/28/2003)

NOTE: Fixes will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3.3 or 5.1.0 at the latest maintenance level.

B. E-fix
Temporary fixes for AIX 4.3.3, 5.1.0, and 5.2.0 systems are available.

The temporary fixes can be downloaded via ftp from:

     ftp://aix.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z

The efix compressed tarball contains three fixes: one each for
AIX 4.3.3, AIX 5.1.0 and AIX 5.2.0. It also includes this advisory
and a README file with installation instructions.

Verify you have retrieved this efix intact:
- ---------------------------------------------

There are 3 fix-files in this package for the 4.3.3, 5.1.0, 5.2.0
releases. The checksums below were generated using the "sum" and
"md5" commands and are as follows:

Filename       sum            md5
=================================================================
libIM.a.433    22101    67    16f015c19f72671859eb88823d3640f5
libIM.a.510    41339    66    79c64e9e73de01cc0b4b0220fa8eb557
libIM.a.520    18991    65    e0ca1983b358007b5ea277972838b952

These sums should match exactly; if they do not, double check the
command results and the download site address. If those are OK,
contact IBM AIX Security at security-alert@austin.ibm.com and describe
the discrepancy.

IMPORTANT: Create a mksysb backup of the system and verify it is
both bootable, and readable before proceeding.

These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.

Efix Installation Instructions:
- -----------------------------------
Detailed installation instructions can be found in the README file
supplied in the efix package. These instructions are summarized below.

You need to have the following filesets installed:

For AIX 4.3.3:
bos.rte.im.4.3.3.76

For AIX 5.1.0:
bos.rte.im.5.1.0.35

For AIX 5.2.0:
bos.rte.im.5.2.0.0

You can determine which fileset is installed by executing
the following:

   # lslpp -L bos.rte.im

If bos.rte.im is not installed, the system is not vulnerable.

1. Create a temporary efix directory and move to that directory.
   # mkdir /tmp/efix
   # cd /tmp/efix

2. Uncompress the efix and un-tar the resulting tarfile. Move to the
   fix directory. This step assumes the compressed efix tarball is in
   /tmp/efix.
   # uncompress libIM_efix.tar.Z
   # tar xvf libIM_efix.tar
   # cd libIM_efix

3. Rename the patched binary files appropriate for your system and set
   ownership and permissions.
   # mv libIM.a.xxx libIM.a      # where xxx is 433, 510 or 520
   # chown bin.bin libIM.a
   # chmod 444 libIM.a

4. Test the efix. This step is strongly recommended but not required.

   a. Export the environment variable LIBPATH to point to the new
      copy of libIM.a.
      # export LIBPATH=/tmp/efix/libIM_efix

   b. Execute aixterm since it uses libIM.
      # slibclean
      # aixterm

      Note: To launch aixterm, the machine being patched must be able
      to connect to a X Server so that it can display the aixterm
      window.

   c. If aixterm did not start, execute the following command
      and discontinue installation of this efix:
      # unset LIBPATH

      This will allow your system to use the original libIM.a.

5. Install the efix.
   a. Create a backup copy of original binary. Remove all
      permissions from the backup copy.
      # cd /usr/ccs/lib/
      # cp libIM.a libIM.a.orig
      # chmod 0 libIM.a.orig

   b. Export the environment variable LIBPATH to point to the new
      copy of libIM.a. This is very important because it will allow
      your system to locate a copy of libIM.a if needed during the
      patch process.
      # export LIBPATH=/tmp/efix/libIM_efix

   c. Remove the original library.
      # rm /usr/ccs/lib/libIM.a

   d. Replace the current system library with the patched versions.
      Use the -p option to preserve the file permissions set in
      step 3.
      # cp -p /tmp/efix/libIM_efix/libIM.a /usr/ccs/lib/libIM.a

   e. Unset the LIBPATH environment variable.
      # unset LIBPATH

6. Remove any copies of the old libIM.a from memory.
   # slibclean


IV. Obtaining Fixes
===================

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information
on FixDist, and to obtain fixes via the Internet, please reference

        http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

AIX APARs may also be downloaded from the web from the following URLs.

For 4.3.3 APARs:
          http://techsupport.services.ibm.com/rs6k/fixdb.html

For 5.1.0 APARs:
          http://techsupport.services.ibm.com/server/aix.fdc

For 5.2.0 APARs:
          http://techsupport.services.ibm.com/server/aix.fdc

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with
the word "subscribe Security_APARs" in the "Subject:" line.


V. Acknowledgments
==================

The AIX Security Team would like to thank iDEFENSE for bringing this issue
to our attention.

This document was written by Shiva Persaud.


VI.  Contact Information
========================

Comments regarding the content of this announcement can be directed to:

   security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".

IBM and AIX are a registered trademark of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (AIX)

iD8DBQE+SXgmcnMXzUg7txIRAhCyAJ9poiDHFskkQEP8n+FGuDMikhuEeACgssas
tpRGotKaejnO3HNI8pdVRH4=
=tjcW
-----END PGP SIGNATURE-----
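
The checksum step in section III.B of the advisory above, as an added shell example that is not part of IBM's advisory. The md5 values are copied from the advisory's table; the function names, the `oslevel`-style level string and the availability of `md5sum` or `openssl` are assumptions.

```shell
# Added example (not part of the IBM advisory): check an efix file against
# the md5 column of the advisory's checksum table before installing it.

expected_md5() {            # release suffix -> md5 listed in the advisory
    case "$1" in
        433) echo 16f015c19f72671859eb88823d3640f5 ;;
        510) echo 79c64e9e73de01cc0b4b0220fa8eb557 ;;
        520) echo e0ca1983b358007b5ea277972838b952 ;;
        *)   return 1 ;;
    esac
}

suffix_for_level() {        # "5.1.0.0" (oslevel-style string) -> 510
    case "$1" in
        4.3.3*) echo 433 ;;
        5.1.0*) echo 510 ;;
        5.2.0*) echo 520 ;;
        *)      return 1 ;;   # release not covered by this efix
    esac
}

file_md5() {                # assumption: md5sum or openssl is installed
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | awk '{print $NF}'
    else
        return 2
    fi
}

# verify_efix DIR SUFFIX: returns 0 on match, 1 on mismatch, 2 if unchecked
verify_efix() {
    file="$1/libIM.a.$2"
    want=$(expected_md5 "$2") || { echo "unknown suffix: $2" >&2; return 2; }
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    got=$(file_md5 "$file") || { echo "no md5 tool found" >&2; return 2; }
    if [ "$got" = "$want" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file: got $got, advisory lists $want" >&2
    return 1
}

# Usage on the patched host (paths from the advisory's step 2):
#   verify_efix /tmp/efix/libIM_efix "$(suffix_for_level "$(oslevel)")"
```

The table is only as trustworthy as the advisory's PGP signature, so verify that signature before relying on the listed values.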

    

- Vulnerability information

7996
IBM AIX libIM Library for NLS Multiple Vector Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

A local overflow exists in IBM AIX library libIM. The library functions fail to validate input using the input methods "im" parameter, resulting in a buffer overflow. With a specially crafted request to applications using this library, an attacker can cause execution of code resulting in a loss of integrity.

- Timeline

2003-02-12 Unknown
2003-02-12 2003-02-11

- Solution

Upgrade AIX using the patch numbers AIX 4.3.3: APAR IY40307, AIX 5.1: APAR IY40317 and AIX 5.2: APAR IY40320 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

IBM AIX libIM Buffer Overflow Vulnerability
Boundary Condition Error 6840
No Yes
2003-02-12 12:00:00 2009-07-11 08:06:00
The discovery of this issue has been credited to Euan Briggs <euan_briggs@btinternet.com>.

- Affected program versions

National Language Support libIM
+ IBM AIX 4.3.3
+ IBM AIX 5.2
+ IBM AIX 5.1

- Vulnerability discussion

A buffer overflow vulnerability has been discovered in the libIM library available for the AIX 4.3, 5.1, 5.2 operating system. As a result it may be possible to overwrite sensitive memory in programs linked to the affected library. By identifying a linked application with the setuid bit applied, it may be possible to exploit this vulnerability to execute code with elevated privileges.

Under certain circumstances this issue may pose a remote security threat.

- Exploit

The following is a proof of concept which triggers this condition:

/usr/lpp/X11/bin/aixterm -im `perl -e 'print "A"x47; print pack("l",0x11223344)'`

An exploit has been made available. See References section for details.

- Solution

IBM has released an E-Fix containing fixes for IBM AIX 4.3.3, 5.1, and 5.2. It should be noted that releases prior to 4.3 are no longer supported by IBM and users are advised to upgrade their operating system when possible.

Information regarding the release dates of the respective APAR files can be found in the attached IBM advisory.

Fixes:


National Language Support libIM

- References

 

 
