US-CERT Vulnerability Notes Database

Vulnerability Note VU#123651

IBM AIX lsfs utility invokes grep and lslv with relative pathnames

Overview

The IBM AIX operating system contains a vulnerability in the lsfs utility that allows a local user to execute arbitrary code as root.

I. Description

The IBM AIX lsfs utility displays filesystem information such as mount points, permissions and volume sizes. To list this information, it executes lslv to list logical volumes and grep to parse the resulting output. Because lsfs uses relative pathnames when executing grep and lslv, a local attacker can use the PATH environment variable to redirect the calls made by lsfs to a local version of either grep or lslv. If setuid root permissions have been applied to lsfs, the local versions of grep and lslv will be executed with root privileges.

II. Impact

This vulnerability allows local users to execute arbitrary code as root.

III. Solution

Apply a patch from your vendor

IBM has released APAR IY16909 to address this issue. For further information, please consult the "Systems Affected" section of this document.

Clear setuid bit on lsfs

Prior to AIX 5.1 and some versions of AIX 4.3.3, default installations of AIX contained an lsfs binary with the setuid bit enabled. To reduce the impact of this vulnerability on those versions, use the chmod command to clear the setuid bit.

Systems Affected

Vendor    Status        Date Notified    Date Updated
IBM       Vulnerable    4-Sep-2001

References


http://archives.neohapsis.com/archives/aix/2001-q2/0000.html
http://as400bks.rochester.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds3/lsfs.htm
http://as400bks.rochester.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds3/lslv.htm

Credit

This document was written by Jeffrey P. Lanza and is based on information provided by IBM.

Other Information

Date Public: 2001-04-03
Date First Published: 2001-09-05
Date Last Updated: 2001-09-05
CERT Advisory:
CVE-ID(s): CAN-2001-0573
NVD-ID(s): CAN-2001-0573
US-CERT Technical Alerts:
Metric: 21.37
Document Revision: 16

Copyright 2001 Carnegie Mellon University