
CERT Coordination Center

IBM AIX vulnerable to buffer overflow in RCP

Vulnerability Note VU#209363

Original Release Date: 2002-09-16 | Last Revised: 2002-09-16

Overview

IBM AIX contains a buffer-overflow vulnerability that may allow remote attackers to gain root privileges.

Description

Some versions of IBM AIX used unbounded string operators. This problem was corrected in AIXV4 by changing the unbounded operators to their bounded equivalents.
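Added example (not IBM's glob.c and not part of the original note): a hypothetical path-joining helper showing the unbounded strcpy/strcat pattern next to a strncpy/strncat replacement. The function names, buffer size and sample paths are assumptions made for illustration. The bounded version also handles two details the bounded calls leave to the caller: strncpy does not NUL-terminate a buffer it fills, and strncat's count is the space remaining, not the buffer size.

```c
#include <stdio.h>
#include <string.h>

/* "Before" pattern (hypothetical helper): nothing limits the writes, so dst
 * is overrun whenever strlen(dir) + 1 + strlen(name) + 1 exceeds its size. */
void join_unbounded(char *dst, const char *dir, const char *name)
{
    strcpy(dst, dir);
    strcat(dst, "/");
    strcat(dst, name);
}

/* "After" pattern (hypothetical helper): never writes outside dst[0..dstsz-1].
 * Returns 0 if the whole path fit, -1 if it was truncated or dstsz is 0.
 * dst is always NUL-terminated when dstsz > 0. */
int join_bounded(char *dst, size_t dstsz, const char *dir, const char *name)
{
    if (dstsz == 0)
        return -1;

    size_t need = strlen(dir) + 1 + strlen(name); /* bytes, excluding NUL */

    /* strncpy leaves dst unterminated when dir fills it: terminate by hand. */
    strncpy(dst, dir, dstsz - 1);
    dst[dstsz - 1] = '\0';

    /* strncat's third argument is the room left after the current string,
     * minus one for the NUL it always appends; passing dstsz would overflow. */
    strncat(dst, "/", dstsz - strlen(dst) - 1);
    strncat(dst, name, dstsz - strlen(dst) - 1);

    return need < dstsz ? 0 : -1;
}

int main(void)
{
    char path[8]; /* constructed sample: deliberately too small by one byte */
    int rc = join_bounded(path, sizeof path, "/usr", "bin");

    printf("rc=%d path=\"%s\"\n", rc, path);
    return 0;
}
```

A truncated path can name a different file than intended, so callers should treat the -1 return as an error and not use the shortened result.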

Impact

Remote attackers may be able to gain root privileges.

Solution

Apply a patch from your vendor

See the Vendor Status section for more information.

Vendor Information


IBM Affected

Notified: April 22, 2002 | Updated: June 07, 2002

Status

Affected

Vendor Statement

"We discovered an apparent buffer overflow in "rcp" as used in AIX 4.3.x. We tracked the problem down to a corruption of malloc'ed memory in the file_comp() function within rcp.c; this occurred as a result of calling "glob". We determined that the problem of a core dump was happening in glob.c, in the pname() function. Some calls to "strcpy" and "strcat" did not allow for proper bounds checking, resulting in a buffer overflow.

"We think this would be a difficult exploit to pull off, but there have been examples in the past of malloc-related exploits, so we fixed the problems in glob.c by using "strncpy" and "strncat" to force bounds checking.

"We are not aware of any exploits that are in existence.

"The possible security vulnerability was fixed earlier this year.

"If customers are running AIX 4.3.x, they need to apply APAR #IY28698 to their systems. If they are running AIX 5.1, they need to apply APAR #IY26503. The APARs can be obtained by going first to this URL:

and following the relevant links from there."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

Thanks to IBM for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 14.96
Date Public: 2002-03-28
Date First Published: 2002-09-16
Date Last Updated: 2002-09-16 21:59 UTC
Document Revision: 4

Sponsored by CISA.