Bugtraq mailing list archives
AIX bugfiler
From: aleph1 () DFW NET (Aleph One)
Date: Tue, 9 Sep 1997 09:22:04 -0500
---------- Forwarded message ---------- Date: Mon, 8 Sep 1997 15:55:43 +0200 From: Johannes Schwabe <schwabe () rzaix530 rz uni-leipzig de> To: best-of-security () cyber com au Subject: BoS: AIX bugfiler ------------------------------------------------------------------------ bugfiler vulnerability September 1997 ------------------------------------------------------------------------ Systems Affected: Certain AIX machines. Others: unknown. (Vulnerability seen on AIX 3.* systems; no AIX 4.* machine inspected exhibited the flaw; all AIX 3.* machines inspected were vulnerable; very limited sample size though) Description: bugfiler (/lib/bugfiler) is SUID root. Impact: Local users can circumvent file access restrictions, leading to increased privileges. Depending on the installation of the system, root privileges may be gained. Exploit: $whoami eviluser $/lib/bugfiler -b <user> <directory> creates funny files under the <user>-owned <directory> and that may be used by crackers to increase privileges. See the manpage of bugfiler for more information. (bugfiler does not work for some <user>s) Further information: bugfiler is intended to be run from a mail alias, handle bug reports piped to it, and maintain a database of bug reports in the specified directory. There should be no need for mere mortals executing it, and it should be prevented that local users run it. On systems not using bugfiler at all, the suggestion for the admin is to simply remove the SUID bit from all bugfiler binaries. (The actual fix may differ from system to system.) Mail from "<bugs@...> (Bugs Bunny)" may mean that /lib/bugfiler was executed. ----------------------------------------------------------------------- (Maybe this is old news, but I could not find any information about it on the web.) ----------------------------------------------------------------------- Copyright (c) 1997 Johannes Schwabe, schwabe () rzaix530 rz uni-leipzig de -----------------------------------------------------------------------
Current thread:
- Re: stealth port scanning Fyodor (Sep 08)
- Re: stealth port scanning Duncan Simpson (Sep 08)
- Re: stealth port scanning Alan Cox (Sep 08)
- Security Bulletins Digest Aleph One (Sep 09)
- AIX bugfiler Aleph One (Sep 09)
- FTP compromise. Aleph One (Sep 09)
- OpenBSD Security Advisory: BSD I/O Signals Thomas H. Ptacek (Sep 14)
- Re: OpenBSD Security Advisory: BSD I/O Signals Alan Cox (Sep 15)
- Small bug in screen-3.7.1 gershwin (Sep 15)