Bugtraq archives for 4th quarter (Oct-Dec) 1996: lquerypv fix

lquerypv fix

Troy Bollinger (troyaustin.ibm.com)
Mon, 25 Nov 1996 09:51:08 -0600

Hi,
IBM is working on a permanent fix to this problem.  In the meantime,
system administrators can close this security window with the e-fix
of:

chmod -s /usr/sbin/lquerypv

This should not affect the basic behavior of
the LVM high level commands that call lquerypv.

Yes, the lquery* commands have the setuid issue
but only the "-h" option, which was placed there to
help with problem diagnostics, would constitute
a security problem.

The apars which will fix this problem are:

4.1 - ix64203
4.2 - ix64204

We apologize for the inconvenience and ask you
to use the e-fix method until the apars are available
for ordering.

Aleph One wrote:
>
>    There may exist a vulnerability in the lquerypv command under AIX.
> I'm not sure what version yet. Please try the following command:
>
> /usr/sbin/lquerypv -h /etc/security/passwd
>
>    You can substitute /etc/security/passwd for any other unreadable file.
> If the program is able to dump the file (maybe in hex) you got a problem.
> Please email me what version of AIX you are running, patch level, and if
> you are vulnerable. I will summarize the results and post them to the list.
>
> Aleph One / aleph1dfw.net
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
>


--
+----------------  I do not speak for IBM!  ------------------+
|Troy Bollinger             |      email:  troyaustin.ibm.com|
|AIX Security Development   | Sometimes the old ways are best.|
+-------- AIX security bugs:  securityaustin.ibm.com --------+
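
The interim e-fix from the message above, wrapped in a before-and-after check, as an added example that is not part of the original post or IBM's own tooling. The function names and return codes are this example's own; the only page-supplied values are the path /usr/sbin/lquerypv and the `chmod -s` command.

```shell
#!/bin/sh
# Added example: apply the interim e-fix to one file and verify the result.
# Usage on an affected host (as root):  apply_efix /usr/sbin/lquerypv

# has_sbits FILE -> exit status 0 if the setuid or setgid bit is set
has_sbits() {
    [ -u "$1" ] || [ -g "$1" ]
}

# apply_efix FILE
#   returns 0 = bits were present and have been removed
#           1 = nothing to do, file was already clean
#           2 = file missing or chmod did not take effect
apply_efix() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 2
    fi
    if ! has_sbits "$f"; then
        echo "ok: $f has no setuid/setgid bit"
        return 1
    fi
    # Print the listing first so the original mode and owner are on record.
    ls -l "$f"
    # Same command as the e-fix in the message.
    chmod -s "$f" || return 2
    # Re-check instead of trusting the exit status of chmod alone.
    if has_sbits "$f"; then
        echo "failed: $f is still setuid/setgid" >&2
        return 2
    fi
    echo "fixed: removed setuid/setgid from $f"
    return 0
}
```

Return code 1 makes the function safe to run repeatedly from a configuration-management job: a host that already has the e-fix reports "ok" and is left untouched.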