EMERGENCY RESPONSE SERVICE
SECURITY VULNERABILITY ALERT

24 January 1997 13:00 GMT                          Number: ERS-SVA-E01-1997:001.1
===============================================================================

NOTE

The information in this Security Vulnerability Alert was originally released
on 03 December 1996 as ERS-SVA-E01-1996:007.1. Since that time, two significant
events have occurred:

1. An exploit script for this vulnerability has been made public.

2. An error in the AIX 4.2 APAR for this problem has been discovered, and a
   new version of the APAR has been released.

===============================================================================

VULNERABILITY SUMMARY

VULNERABILITY: Buffer overrun condition in "gethostbyname()" library function

PLATFORMS:     IBM AIX(r) 3.2.x, 4.1.x, 4.2.x

SOLUTION:      Apply the fixes described below. Due to a packaging problem, an
               incorrect fix for the AIX 4.2.x release was distributed. We
               strongly recommend that the fix be downloaded and installed
               again.

THREAT:        An exploit for the PowerPC AIX platform has been released which
               allows super-user access to the system.

===============================================================================

DETAILED INFORMATION

I. Description

In TCP/IP networks such as the Internet and many corporate networks, hosts are
identified by 32-bit numbers called addresses. However, because these numbers
are difficult to remember, names are also given to hosts. Although people use
the names to refer to the hosts, computer software must translate these names
into the numeric addresses in order to use them.

The Domain Name System (DNS), also called "the name server," is the primary
database used to perform these name-to-address (and address-to-name)
translations.
Other databases, such as the Network Information System (NIS, formerly called
Yellow Pages) and the "hosts file" are also used on some systems.

When a program on a UNIX system wants to look up a host's name and obtain its
network address, it uses a library function called "gethostbyname()." This
function takes a host name as a parameter, contacts the Domain Name System (or
another source of information), and returns the host's address(es) to the
program. This saves the programmer the trouble of writing the complex code to
interface with the name server.

Under certain conditions, the "gethostbyname()" library function provided with
IBM AIX versions 3.2.x, 4.1.x, and 4.2.x can encounter a buffer overrun that
allows information on the program stack to be corrupted.

II. Impact

Many set-user-id and set-group-id programs, as well as many network programs
running with super-user privileges, make use of the "gethostbyname()" library
function. Corrupting the program stack of these programs may allow arbitrary
user-provided code to be executed inadvertently.

If successfully exploited, this buffer overrun condition could be used to gain
super-user access to the system. Such an action could be initiated over the
network from a remote system, or by a user on the local system. Penetration
through a firewall may also be possible, depending on which services and
applications are permitted by the firewall system.

A script that exploits a similar buffer overrun condition in the Sun Solaris
2.x version of "gethostbyname()" was publicly released in November, 1996. Sun
Microsystems announced fixes for that condition in Security Bulletin 137,
which was released on 20 Nov 96.

A script that exploits a similar buffer overrun condition in the IBM AIX
version of "gethostbyname()" was publicly released in January, 1997. Fixes are
described below.

III. Solutions

*****
*****                                NOTE
*****
***** Due to a packaging error in the original APAR for AIX 4.2, you should
***** check that bos.rte.libc is at version 4.2.0.7 or later. If not, you
***** should retrieve APAR IX62144 again and re-apply it.
*****
***** This packaging error affected the AIX 4.2 APAR ONLY. The AIX 3.2 and
***** AIX 4.1 APARs were not affected.
*****

The following Automated Program Analysis Reports (APARs) for IBM AIX are now
available to address the concerns described above:

AIX 3.2.x
---------
APAR - IX60927 (PTF - U443452,U444191,U444206,U444213,U444233,U444244)

To determine if you have this PTF on your system, run the following command:

    lslpp -lB U443452 U444191 U444206 U444213 U444233 U444244

AIX 4.1.x
---------
APAR - IX61019

To determine if you have this APAR on your system, run the following command:

    instfix -ivk IX61019

The bos.rte.libc fileset should be 4.1.4.18 or later.

AIX 4.2.x
---------
APAR - IX62144

To determine if you have this APAR on your system, run the following command:

    instfix -ivk IX62144

The bos.rte.libc fileset should be 4.2.0.7 or later.

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information on
FixDist, and to obtain fixes via the Internet, please reference

    http://service.software.ibm.com/aixsupport/

or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist" in
the "Subject:" line.

IV. Acknowledgements

IBM-ERS would like to thank the CERT Coordination Center (CERT/CC), AUSCERT,
Sun Microsystems, and Marko Laakso (University of Oulu) for providing some of
the information in this advisory.

AIX is a registered trademark of International Business Machines Corporation.
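The fileset-level check the Solutions section asks for, written out as an added shell example (not part of the IBM-ERS advisory): it parses the "lslpp -l bos.rte.libc" listing, compares the installed level numerically against the 4.1.4.18 / 4.2.0.7 minimums, and flags a 4.2 host still carrying the mis-packaged APAR. The lslpp line is a constructed sample; on a real AIX host the release comes from the oslevel command.

```sh
#!/bin/sh
# Added example, not part of the IBM-ERS advisory: verify the bos.rte.libc
# fileset level against the minimum the advisory gives for AIX 4.1.x and 4.2.x.
# AIX 3.2.x is fixed by PTFs, not a fileset level, so it is reported UNKNOWN.

# Minimum fixed bos.rte.libc level for a release string such as "4.2.0.0".
min_level_for_release() {
    case "$1" in
        4.1*) echo 4.1.4.18 ;;
        4.2*) echo 4.2.0.7 ;;
        *)    return 1 ;;
    esac
}

# Compare two dotted levels (version.release.mod.fix) numerically, component
# by component; a string comparison would rank 4.2.0.7 above 4.2.0.10.
# Returns 0 when $1 >= $2.
level_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Pull the installed level out of "lslpp -l bos.rte.libc" output, whose data
# line looks like: "  bos.rte.libc   4.2.0.5  COMMITTED  libc Library".
installed_level() {
    printf '%s\n' "$1" | awk '$1 == "bos.rte.libc" { print $2; exit }'
}

# Print FIXED, VULNERABLE or UNKNOWN for a release string and an lslpp listing.
check_libc() {
    need=$(min_level_for_release "$1") || { echo UNKNOWN; return 2; }
    have=$(installed_level "$2")
    [ -n "$have" ] || { echo UNKNOWN; return 2; }
    if level_ge "$have" "$need"; then echo FIXED; return 0; fi
    echo VULNERABLE; return 1
}

# Constructed sample: a 4.2 host that still carries the mis-packaged APAR.
# On a real system use: check_libc "$(oslevel)" "$(lslpp -l bos.rte.libc)"
SAMPLE='  bos.rte.libc   4.2.0.5  COMMITTED  libc Library'
if check_libc 4.2 "$SAMPLE"; then :; else echo "re-apply APAR IX62144"; fi
```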
===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. By acting as an extension of
your own internal security staff, IBM-ERS's team of Internet security experts
helps you quickly detect and respond to attacks and exposures across your
Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services. From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.

To find out more about the IBM Internet Emergency Response Service, send an
electronic mail message to ers-sales@vnet.ibm.com, or call 1-800-742-2493
(Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information. The
IBM-ERS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP"
are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

Copyright 1996 International Business Machines Corporation.
The information in this document is provided as a service to customers of the
IBM Emergency Response Service. Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or its
subsidiaries. The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed, without
permission, in whole or in part, by other security incident response teams
(both commercial and non-commercial), provided the above copyright is kept
intact and due credit is given to IBM-ERS.

This security alert may be reproduced and distributed, without permission, in
its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent of
increasing the awareness of the Internet community.