Vulnerability Development mailing list archives
Re: aix __ bos.rte.printers __ format string vulnerability
From: Jose Carlos Luna Duran <luna () aditel org>
Date: Thu, 8 Jan 2004 10:37:28 +0100
This was supposedly corrected last year, specifically for AIX 4.3.3.0 in APAR IY42089 (CVE: CAN-2003-0257).

Original IBM report: http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2003.0660.1

Besides, I think the latest version of the package bos.rte.printers is 4.3.3.81.

Best Regards,

On Mon Jan 05, 2004 at 02:07:09PM +0300, Sergey Kuprin <Sergey.Kuprin () warehouse ru> wrote:
There is a local (and possibly remote) format string vulnerability in package bos.rte.printers. Feeding /usr/bin/enq with arguments containing format string characters can result in a seg_fault. The research of this problem with acknowledgement of exact arguments and configuration types wasn't done.

The enq utility is a part of the qdaemon printing system. It can be called in different cases, so in special cases it is possible to force-pass a format string via a print queue. It isn't checked in practice.

As the enq utility on most systems has the suid flag, we can gain the privileges of its owner (typically root).

As mentioned, we have a local and remote format string bug with the ability to gain root privileges. To prove the local vulnerability we must have permissions to execute enq and construct a format string which executes our code. To prove the remote vulnerability a closer view and investigation is needed.

(ruff@first) /home/ruff> oslevel
4.3.3.0
(ruff@first) /home/ruff> ls -alF /usr/bin/enq
-r-sr-sr-x   1 root     printq       69980 Apr 20 2001 /usr/bin/enq*
(ruff@first) /home/ruff> lslpp -h bos.rte.printers
  Fileset         Level     Action       Status       Date         Time
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.rte.printers
                  4.3.3.75  COMMIT       COMPLETE     10/25/03     22:50:17

Path: /etc/objrepos
  bos.rte.printers
                  4.3.3.75  COMMIT       COMPLETE     10/25/03     22:50:17

(ruff@first) /home/ruff> enq -P%08x%08x%08x%08x%08x%08x
enq: (FATAL ERROR): Bad queue or device name: 2ff20dae0000000000000000000000000000000100808080.
(ruff@first) /home/ruff> enq -P%n%n
enq: (FATAL ERROR): Bad queue or device name: Segmentation fault
(ruff@first) /home/ruff>
--
Jose Carlos Luna Duran @ UJI
luna () aditel org / Jose.Carlos.Luna () cern ch
Office Tel. +41 22 76 71880
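The defect the quoted post describes, a user-supplied queue name reaching a printf-family call as its format string, shown as an added C example (not IBM's enq code, which the thread does not include) beside the corrected call. The has_format_directive audit helper and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration of the bug class in the thread above; it reconstructs
 * the pattern, not IBM's enq source: the queue name from "enq -P<name>"
 * reaches a printf-family call as the FORMAT argument, not as a "%s" parameter. */

/* The compiler flags this defect at build time (-Wformat-security); the
 * pragma only keeps the vulnerable variant compilable for comparison. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable pattern: "%08x" reads stack words, "%n" writes memory.
 * Kept only to show the difference; never call it with untrusted input. */
int report_bad_queue_vulnerable(char *out, size_t outsz, const char *name)
{
    char msg[256];
    snprintf(msg, sizeof msg, name);          /* name used as the format */
    return snprintf(out, outsz,
                    "enq: (FATAL ERROR): Bad queue or device name: %s.", msg);
}

/* Fixed pattern: the name is data, passed through a literal "%s" format,
 * so the probe from the post is echoed back verbatim. */
int report_bad_queue_fixed(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz,
                    "enq: (FATAL ERROR): Bad queue or device name: %s.", name);
}

/* Audit helper (assumed, not from the page): flag an argument that carries
 * printf directives, e.g. when reviewing process-accounting records for
 * invocations of the setuid enq binary. "%%" is a literal percent sign. */
int has_format_directive(const char *arg)
{
    for (const char *p = strchr(arg, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }
        if (p[1] != '\0') return 1;
    }
    return 0;
}

int main(void)
{
    char buf[320];
    const char *probe = "%08x%08x%08x%08x%08x%08x";   /* argument from the post */
    report_bad_queue_fixed(buf, sizeof buf, probe);
    printf("%s\n", buf);                              /* probe appears literally */
    printf("directive in argument: %d\n", has_format_directive(probe));
    return 0;
}
```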