Vulnerability Note VU#18419

IBM AIX nslookup fails to drop root privileges

Overview

The nslookup command fails to drop privileges, allowing local attackers to gain root privileges.

I. Description

The nslookup program fails to drop the privileges it gains from being setuid. This access appears to be needed to read the "/etc/resolv.conf" file. This problem was described in IBM ERS advisory ERS-SVA-E01-1997:008.1.

II. Impact

Intruders with access to a local user account may be able to gain root privileges.

III. Solution

Apply a Patch

For AIX version 4.1, system administrators should apply APAR #IX71464. For AIX version 4.2, system administrators should apply APAR #IX70815.

Disable the setuid bit on nslookup

You can prevent this vulnerability from being exploited by removing the setuid bit from the nslookup program. You can do this by executing the following command as root:

chmod 555 /usr/bin/nslookup

Systems Affected

Vendor	Status	Date Notified	Date Updated
IBM	Vulnerable	26-Sep-2001

References

http://xforce.iss.net/static/604.php
http://groups.google.com/groups?q=ERS-SVA-E01-1997:008.1&hl=en&rnum=3&selm=6383r7%24kts%243%40watnews1.watson.ibm.com

Credit

This document was written by Cory F. Cohen.

Other Information

Date Public:	97-10-29
Date First Published:	2001-09-26
Date Last Updated:	2001-09-27
CERT Advisory:
CVE-ID(s):	CVE-1999-0093
NVD-ID(s):	CVE-1999-0093
US-CERT Technical Alerts:
Severity Metric:	2.76
Document Revision:	10

If you have feedback, comments, or additional information about this vulnerability, please send us email.