search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

IBM AIX lsfs utility invokes grep and lslv with relative pathnames

Vulnerability Note VU#123651

Original Release Date: 2001-09-05 | Last Revised: 2001-09-05

Overview

The IBM AIX operating system contains a vulnerability in the lsfs utility that allows a local user to execute arbitrary code as root.

Description

The IBM AIX lsfs utility displays filesystem information such as mount points, permissions and volume sizes. To list this information, it executes lslv to list logical volumes and grep to parse the resulting output. Because lsfs uses relative pathnames when executing grep and lslv, a local attacker can use the PATH environment variable to redirect the calls made by lsfs to a local version of either grep or lslv. If setuid root permissions have been applied to lsfs, the local versions of grep and lslv will be executed with root privileges.

Impact

This vulnerability allows local users to execute arbitrary code as root.

Solution

Apply a patch from your vendor

IBM has released APAR IY16909 to address this issue. For further information, please consult the "Systems Affected" section of this document.

Clear setuid bit on lsfs


Previous to AIX 5.1 and some versions of AIX 4.3.3, default installations of AIX contained an lsfs binary with the setuid bit enabled. To reduce the impact of this vulnerability on those versions, use the chmod command to clear the setuid bit.

Vendor Information

123651
 
Expand all

IBM Affected

Notified:  August 21, 2001 Updated: September 04, 2001

Status

Affected

Vendor Statement

IBM fixed this vulnerability in AIX 4.3.3 and has made available APAR IY16909 that closes the security hole. Customers using AIX 4.3.3 are urged to apply this APAR, if they have not already done so. AIX 5.1 is not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This document was written by Jeffrey P. Lanza and is based on information provided by IBM.

Other Information

CVE IDs: CVE-2001-0573
Severity Metric: 21.38
Date Public: 2001-04-03
Date First Published: 2001-09-05
Date Last Updated: 2001-09-05 14:21 UTC
Document Revision: 16

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis