Re: aix __ bos.rte.printers __ format string vulnerability
From: Jose Carlos Luna Duran (luna@aditel.org)
Date: Thu Jan 08 2004 - 03:37:28 CST
This was supposedly corrected last year, specifically for AIX 4.3.3.0 in
APAR IY42089 ( CVE: CAN-2003-0257 )
Original IBM report:
http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2003.0660.1
Besides, I think the latest version of the package bos.rte.printers is
4.3.3.81
Best Regards,
On Mon Jan 05, 2004 at 02:07:09PM +0300, Sergey Kuprin <Sergey.Kuprin@warehouse.ru> wrote:
> there is a local (and possibly remote) format string vulnerability in
> package bos.rte.printers.
> feeding /usr/bin/enq arguments containing format string characters can
> result in a seg_fault.
> the research of this problem with acknowledgements of exact arguments and
> configuration types wasn't done.
>
> the enq utility is a part of the qdaemon printing system. it can be called in
> different cases.
> so in special cases it is possible to force passing a format string via the print
> queue. it isn't checked in practice.
>
> as the enq utility on most systems has the suid flag, we can gain the privileges of
> its owner (typically root).
>
> as mentioned, we have a local and remote format string bug with the ability to gain
> root privileges.
>
> to prove the local vulnerability we must have permissions to execute enq and
> construct a format string which executes our code. to prove the remote
> vulnerability a closer view and investigation is needed.
>
> (ruff@first) /home/ruff> oslevel
> 4.3.3.0
> (ruff@first) /home/ruff> ls -alF /usr/bin/enq
> -r-sr-sr-x 1 root printq 69980 Apr 20 2001 /usr/bin/enq*
>
> (ruff@first) /home/ruff> lslpp -h bos.rte.printers
> Fileset Level Action Status Date Time
>
> ----------------------------------------------------------------------------
> Path: /usr/lib/objrepos
> bos.rte.printers
> 4.3.3.75 COMMIT COMPLETE 10/25/03 22:50:17
>
> Path: /etc/objrepos
> bos.rte.printers
> 4.3.3.75 COMMIT COMPLETE 10/25/03 22:50:17
>
> (ruff@first) /home/ruff> enq -P%08x%08x%08x%08x%08x%08x
> enq: (FATAL ERROR): Bad queue or device name:
> 2ff20dae0000000000000000000000000000000100808080.
> (ruff@first) /home/ruff> enq -P%n%n
> enq: (FATAL ERROR): Bad queue or device name: Segmentation fault
> (ruff@first) /home/ruff>
>
--
Jose Carlos Luna Duran
UJI
luna@aditel.org / Jose.Carlos.Luna@cern.ch
Office Tel. +41 22 76 71880
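The enq output quoted in the thread is the classic symptom of an untrusted string being used directly as a printf-family format argument: `%08x` dumps stack words, `%n` writes memory and crashes. The C below is an added illustration, not code from IBM's enq or from either poster; the message text and the sample argument are constructed to mirror the quoted session. It shows the hardened form (a fixed format with the queue name passed only as a `%s` argument) and a small audit helper that counts conversion directives in a value that should be a plain queue name, which is a useful thing to flag in logs or input validation.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, kept as a comment so it is never compiled:
 *     fprintf(stderr, "enq: (FATAL ERROR): Bad queue or device name: ");
 *     fprintf(stderr, queue_name);   // queue_name (user-controlled) becomes the format
 * With "%08x" arguments this prints stack words; with "%n" it writes memory and
 * typically crashes, which matches the quoted enq session. */

/* Hardened form: a fixed format string; the untrusted value is only ever a %s
 * argument, so "%08x" or "%n" in it are copied literally. Returns the message
 * length, or -1 when it does not fit in out (snprintf truncation is detected). */
int format_bad_queue_message(char *out, size_t outlen, const char *queue_name)
{
    int n = snprintf(out, outlen,
                     "enq: (FATAL ERROR): Bad queue or device name: %s.", queue_name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Audit helper (hypothetical, not part of enq): count conversion directives in an
 * untrusted string. "%%" is a literal percent sign and is not counted. A non-zero
 * result for something that should be a queue name is worth logging or rejecting. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;             /* "%08x", "%n", or a dangling "%" at the end */
    }
    return count;
}

int main(void)
{
    char buf[128];
    /* constructed sample argument, same shape as the quoted enq -P test */
    const char *sample = "%08x%08x%08x%08x%08x%08x";
    if (format_bad_queue_message(buf, sizeof buf, sample) > 0)
        puts(buf);   /* the directives appear verbatim, nothing is interpreted */
    printf("conversion directives in argument: %d\n", count_format_directives(sample));
    return 0;
}
```

Compiling the vulnerable pattern with `-Wformat-security` (gcc/clang) warns on a non-literal format with no arguments, which is a cheap way to find this class of bug in a code base before it reaches a setuid binary like the one quoted above.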