search menu icon-carat-right cmu-wordmark

CERT Coordination Center

IBM AIX vulnerable to buffer overflow in RCP

Vulnerability Note VU#209363

Original Release Date: 2002-09-16 | Last Revised: 2002-09-16


IBM AIX contains a buffer-overflow vulnerability that may allow remote attackers to gain root privileges.


Some versions of IBM AIX used unbounded string operators. This problem was corrected in AIXV4 by changing the unbounded operators to their bounded equivalents.


Remote attackers may be able to gain root privileges.


Apply a patch from your vendor

See the Vendor Status section for more information.

Vendor Information


IBM Affected

Notified:  April 22, 2002 Updated: June 07, 2002



Vendor Statement

"We discovered an apparent buffer overflow in "rcp" as used in AIX 4.3.x. We tracked the problem down to a corruption of malloc'ed memory in the file_comp() function within rcp.c; this occurred as a result from calling "glob". We determined that the problem of a core dump was happening in glob.c, in the pname() function. Some calls to "strcpy" and "strcat" did not allow for proper bounds checking, resulting in a buffer overflow.

"We think this would be a difficult exploit to pull off, but there have been examples in the past of malloc-related exploits, so we fixed the problems in glob.c by using "strncpy" and "strncat" to force bounds checking.

"We are not aware of any exploits that are in existence.

"The possible security vulnerability was fixed earlier this year.

"If customers are running AIX 4.3.x, they need to apply APAR #IY28698 to their systems. If they are running AIX 5.1, they need to apply APAR #IY26503. The APARs can be obtained by going first to this URL:

and following the relevant links from there."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to IBM for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 14.96
Date Public: 2002-03-28
Date First Published: 2002-09-16
Date Last Updated: 2002-09-16 21:59 UTC
Document Revision: 4

Sponsored by CISA.