Published: 2003-10-06 00:00:00
Revised: 2008-09-10 15:20:25

[Original] Format string vulnerability in tsm for the fileset on AIX 5.2 allows remote attackers to gain root privileges via login, and local users to gain privileges via login, su, or passwd, with a username that contains format string specifiers.

[CNNVD] IBM AIX tsm Local Format String Vulnerability (CNNVD-200310-013)

        IBM AIX is a commercial UNIX operating system.
        The tsm utility shipped with IBM AIX does not correctly handle the arguments it is invoked with. A local attacker can exploit this to mount a format string attack and may obtain root privileges.
        The IBM AIX tsm implementation contains a format string bug that can corrupt stack memory; carefully constructed argument data may execute arbitrary instructions on the system with root privileges. Because several programs on AIX, such as login, su and passwd, are implemented on top of tsm, an attacker can combine these entry points to gain root privileges.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:5.1    IBM AIX 5.1
cpe:/o:ibm:aix:5.2    IBM AIX 5.2
cpe:/o:ibm:aix:4.3.3  IBM AIX 4.3.3

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources

- Vulnerability information

IBM AIX tsm Local Format String Vulnerability
Critical  Design Error
2003-10-06 00:00:00 2005-10-20 00:00:00

- Advisories and patches


- Vulnerability information

IBM AIX tsm Format String Privilege Escalation
Local Access Required, Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

IBM AIX contains a format string vulnerability in the tsm fileset that may allow a remote user to gain root privileges via login, and local users to gain privileges via login, su, or passwd. The issue is triggered when a username that contains format string specifiers is used. The flaw may allow privilege escalation resulting in a loss of integrity.

- Timeline

2003-09-19 Unknown
Unknown Unknown

- Solution

Upgrade AIX by applying APAR IY47764 (AIX 5.2.0) or a later level, which has been reported to fix this vulnerability. The flaw can also be mitigated with the following workaround: set the password prompt in /etc/security/login.cfg to a fixed value, for example pwdprompt = "Password: ". That this workaround is effective is consistent with the attacker-controlled username reaching the format string by way of the password prompt.
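The following is an added illustration, not IBM's tsm source and not code from the advisory. It models the bug class described above (a username containing conversion directives ends up being interpreted as a printf-family format string) beside the two remedies the page gives: the patched pattern, where user data is only ever an argument to a fixed format, and the login.cfg workaround, where the username is removed from the prompt altogether. The prompt template "<user>'s Password: ", the function names and the sample usernames are assumptions chosen for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only (not IBM's tsm source). The template and the
 * function names are assumptions: a username is substituted into the
 * password prompt, and the filled-in prompt is then handed to a
 * printf-family routine as its FORMAT argument. */

/* Assumed default-style template; not taken from AIX. */
#define PROMPT_TEMPLATE "%s's Password: "

/* Stand-in for the sink: whatever string reaches 'fmt' is interpreted. */
static int emit(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE pattern: the filled-in prompt, which now carries attacker-
 * controlled bytes, becomes the format string. A username such as
 * "%x%x%x" makes vsnprintf read stack slots; "%n" makes it WRITE memory. */
int prompt_vulnerable(char *out, size_t n, const char *user)
{
    char prompt[256];
    snprintf(prompt, sizeof prompt, PROMPT_TEMPLATE, user);
    return emit(out, n, prompt);           /* BUG: user data used as format */
}

/* FIXED pattern: user data is only ever a %s ARGUMENT, never the format,
 * so a '%' in the username is copied literally. */
int prompt_fixed(char *out, size_t n, const char *user)
{
    char prompt[256];
    snprintf(prompt, sizeof prompt, PROMPT_TEMPLATE, user);
    return emit(out, n, "%s", prompt);
}

/* WORKAROUND pattern from the advisory: pwdprompt = "Password: " in
 * /etc/security/login.cfg drops the username from the prompt, so nothing
 * attacker-controlled reaches the sink even on an unpatched system. */
int prompt_workaround(char *out, size_t n, const char *user)
{
    (void)user;                            /* username intentionally unused */
    return emit(out, n, "Password: ");
}

/* Detection helper (assumed, not from the page): count conversion
 * directives in a candidate username. "%%" is a literal percent and is not
 * counted. Usable for log review or as a filter in front of a legacy path. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                 /* escaped percent, skip both */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[256];
    const char *benign  = "alice";         /* constructed sample username */
    const char *hostile = "%x%x%x";        /* constructed sample username */

    prompt_fixed(buf, sizeof buf, hostile);
    printf("fixed     : %s\n", buf);
    prompt_workaround(buf, sizeof buf, hostile);
    printf("workaround: %s\n", buf);
    printf("directives in \"%s\": %d\n", hostile,
           count_format_directives(hostile));

    /* The vulnerable path is only exercised with the benign name here:
     * feeding it the hostile name is undefined behaviour (stack reads, and
     * with "%n" stack writes), which is exactly the advisory's point. */
    prompt_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable: %s\n", buf);
    return 0;
}
```

The fix and the workaround close the hole in different places: prompt_fixed keeps the username but pins the format to a literal, while prompt_workaround keeps the original (unsafe) call shape but ensures no user bytes ever reach it. The directive counter is a cheap way to spot probing attempts in authentication logs, where a username containing "%x" or "%n" has no legitimate use.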

- References

- Credit

Unknown or Incomplete

- Vulnerability information

IBM AIX tsm Utility Local Format String Vulnerability
Design Error 8648
No Yes
2003-09-18 12:00:00 2009-07-11 11:56:00
This vulnerability was announced by IBM in a security advisory.

- Affected versions

IBM AIX 4.3.3

- Discussion

A format string vulnerability has been discovered in the IBM AIX tsm command which may allow for local or remote root exploitation. Because a variety of software on AIX systems, such as login, su, and passwd, makes use of the tsm utility, a local attacker may be able to exploit this issue through several different paths. Successful exploitation ultimately allows an attacker to gain root privileges.

Only IBM AIX 5.2 appears to be affected by the issue.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

A fix has been released by IBM.


- References