__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                    INFORMATION BULLETIN

          IBM AIX(r) Buffer Overrun Vulnerability
     (revision for gethostbyname in Bulletin H-13)

January 24, 1997 23:00 GMT                                        Number H-24
______________________________________________________________________________
PROBLEM:       Buffer overrun condition in "gethostbyname()" library function.
PLATFORM:      IBM AIX(r) 3.2.x, 4.1.x, 4.2.x
DAMAGE:        If exploited, this vulnerability could be used to gain root
               access to the system.
SOLUTION:      Apply the patches described below.
______________________________________________________________________________
VULNERABILITY  Exploit details involving this vulnerability have been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[ Start IBM-ERS Bulletin ]

===============================================================================

                       EMERGENCY RESPONSE SERVICE
                     SECURITY VULNERABILITY ALERT

24 January 1997 13:00 GMT                       Number: ERS-SVA-E01-1997:001.1
===============================================================================

NOTE

The information in this Security Vulnerability Alert was originally released
on 03 December 1996 as ERS-SVA-E01-1996:007.1.  Since that time, two
significant events have occurred:

   1. An exploit script for this vulnerability has been made public.

   2. An error in the AIX 4.2 APAR for this problem has been discovered, and
      a new version of the APAR has been released.

===============================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY: Buffer overrun condition in "gethostbyname()" library function

PLATFORMS:     IBM AIX(r) 3.2.x, 4.1.x, 4.2.x

SOLUTION:      Apply the fixes described below.  Due to a packaging problem,
               an incorrect fix for the AIX 4.2.x release was distributed.
               We strongly recommend that the fix be downloaded and installed
               again.

THREAT:        An exploit for the PowerPC AIX platform has been released
               which allows super-user access to the system.

===============================================================================
                            DETAILED INFORMATION

I.   Description

In TCP/IP networks such as the Internet and many corporate networks, hosts
are identified by 32-bit numbers called addresses.  However, because these
numbers are difficult to remember, names are also given to hosts.  Although
people use the names to refer to the hosts, computer software must translate
these names into the numeric addresses in order to use them.

The Domain Name System (DNS), also called "the name server," is the primary
database used to perform these name-to-address (and address-to-name)
translations.  Other databases, such as the Network Information System (NIS,
formerly called Yellow Pages) and the "hosts file" are also used on some
systems.

When a program on a UNIX system wants to look up a host's name and obtain its
network address, it uses a library function called "gethostbyname()."  This
function takes a host name as a parameter, contacts the Domain Name System
(or another source of information), and returns the host's address(es) to
the program.  This saves the programmer the trouble of writing the complex
code to interface with the name server.

Under certain conditions, the "gethostbyname()" library function provided
with IBM AIX versions 3.2.x, 4.1.x, and 4.2.x can encounter a buffer overrun
that allows information on the program stack to be corrupted.

II.  Impact

Many set-user-id and set-group-id programs, as well as many network programs
running with super-user privileges, make use of the "gethostbyname()"
library function.  Corrupting the program stack of these programs may allow
arbitrary user-provided code to be executed inadvertently.

If successfully exploited, this buffer overrun condition could be used to
gain super-user access to the system.  Such an action could be initiated
over the network from a remote system, or by a user on the local system.
Penetration through a firewall may also be possible, depending on which
services and applications are permitted by the firewall system.

A script that exploits a similar buffer overrun condition in the Sun Solaris
2.x version of "gethostbyname()" was publicly released in November, 1996.
Sun Microsystems announced fixes for that condition in Security Bulletin
137, which was released on 20 Nov 96.

A script that exploits a similar buffer overrun condition in the IBM AIX
version of "gethostbyname()" was publicly released in January, 1997.  Fixes
are described below.

III. Solutions

*****
*****  NOTE
*****
*****  Due to a packaging error in the original APAR for AIX 4.2, you should
*****  check that bos.rte.libc is at version 4.2.0.7 or later.  If not, you
*****  should retrieve APAR IX62144 again and re-apply it.
*****
*****  This packaging error affected the AIX 4.2 APAR ONLY.  The AIX 3.2 and
*****  AIX 4.1 APARS were not affected.
*****

The following Automated Program Analysis Reports (APARs) for IBM AIX are now
available to address the concerns described above:

AIX 3.2.x
---------
APAR - IX60927 (PTF - U443452,U444191,U444206,U444213,U444233,U444244)

To determine if you have this PTF on your system, run the following command:

   lslpp -lB U443452 U444191 U444206 U444213 U444233 U444244

AIX 4.1.x
---------
APAR - IX61019

To determine if you have this APAR on your system, run the following command:

   instfix -ivk IX61019

The bos.rte.libc fileset should be 4.1.4.18 or later.

AIX 4.2.x
---------
APAR - IX62144

To determine if you have this APAR on your system, run the following command:

   instfix -ivk IX62144

The bos.rte.libc fileset should be 4.2.0.7 or later.

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information on
FixDist, and to obtain fixes via the Internet, please reference

   http://service.software.ibm.com/aixsupport/

or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist"
in the "Subject:" line.

===============================================================================
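The fileset-level check that the Solutions section asks for, as an added example that is not part of the CIAC or IBM-ERS bulletin: a small POSIX sh helper that compares an installed bos.rte.libc level against the minimum the bulletin names for AIX 4.1.x (4.1.4.18) and AIX 4.2.x (4.2.0.7). AIX levels are dotted integers, so the comparison is done field by field rather than as strings (a string compare would rank 4.1.4.18 below 4.1.4.9). The function names are mine, the lslpp -L output it parses is a constructed sample whose column layout is an assumption, and it does not cover the AIX 3.2.x PTF check, which the bulletin handles with lslpp -lB.

```shell
#!/bin/sh
# Added example (not the bulletin's own code): check a bos.rte.libc fileset
# level against the patched level the bulletin names per AIX release.

# ver_ge A B: succeed when dotted level A is greater than or equal to level B,
# comparing each dotted field as an integer and treating missing fields as 0.
ver_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        af="${a%%.*}"; bf="${b%%.*}"
        [ -z "$af" ] && af=0
        [ -z "$bf" ] && bf=0
        if [ "$af" -gt "$bf" ]; then return 0; fi
        if [ "$af" -lt "$bf" ]; then return 1; fi
        # drop the leading field; an undotted remainder is fully consumed
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# minimum_level RELEASE: print the patched bos.rte.libc level from the bulletin
# for AIX 4.1 or 4.2; fail for any other release (3.2.x is checked by PTF).
minimum_level() {
    case "$1" in
        4.1) echo 4.1.4.18 ;;
        4.2) echo 4.2.0.7 ;;
        *)   return 1 ;;
    esac
}

# libc_level_from_lslpp: read lslpp -L style output on stdin and print the
# level column of the bos.rte.libc row (column layout assumed, see sample).
libc_level_from_lslpp() {
    awk '$1 == "bos.rte.libc" { print $2; exit }'
}

# check_libc RELEASE LEVEL: print PATCHED (exit 0), VULNERABLE (exit 1) or
# UNKNOWN-RELEASE (exit 2) for the given release and installed level.
check_libc() {
    min=$(minimum_level "$1") || { echo UNKNOWN-RELEASE; return 2; }
    if ver_ge "$2" "$min"; then echo PATCHED; return 0; fi
    echo VULNERABLE
    return 1
}

# Constructed sample of lslpp -L output for a stand-alone run; the level shown
# is one below the AIX 4.2 minimum, so the check reports VULNERABLE.
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description
  ----------------------------------------------------------------------------
  bos.rte.libc               4.2.0.6    C     F    libc Library'

LEVEL=$(printf '%s\n' "$SAMPLE_LSLPP" | libc_level_from_lslpp)
check_libc 4.2 "$LEVEL" || true
# On a live AIX 4.2 host (assumed invocation):
#   check_libc 4.2 "$(lslpp -L bos.rte.libc | libc_level_from_lslpp)"
```

The exit status makes the helper usable from an inventory script: a non-zero result on any host means the APAR named above still has to be applied, and for AIX 4.2 specifically a level below 4.2.0.7 is the signature of the mis-packaged first APAR the NOTE warns about.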