IBM AIX swcons Local Arbitrary File Access Vulnerability iDefense Security Advisory 10.30.07 http://labs.idefense.com/intelligence/vulnerabilities/ Oct 30, 2007 I. BACKGROUND The swcons program is a set-uid root application which is installed by default on IBM AIX. It allows for console logs to be temporarily logged to a file or device. II. DESCRIPTION Local exploitation of a file access vulnerability in the swcons command included in multiple versions of IBM Corp.'s AIX could allow for the creation or modification of arbitrary files anywhere on the system. The vulnerability specifically exists due to a lack of sanity checking when using the -p option. If a user specifies a file with the -p option, the contents of that file will be overwritten with 65,535 bytes of uncontrolled data. If the file doesn't exist, it will be created. In both cases, the file will also be converted to mode 222, which allows all users on the system to modify it. By specifying a system file, users can cause a denial of service condition or elevate privileges. III. ANALYSIS Exploitation allows attackers to execute arbitrary code with root privileges. The severity of this vulnerability is lessened by the fact that under a default configuration, the group id "system" is needed to execute swcons. IBM originally released an interim fix on February 22nd, 2007. The original fix did prevent attackers from being able to overwrite or change the ownership of existing files, but did not prevent the creation of new files via symlink attacks. IV. DETECTION iDefense has confirmed the existence of this vulnerability on IBM AIX version 5.2. It is suspected that previous versions are also vulnerable. V. WORKAROUND Only allow trusted users local access to security critical systems. Limit access to the "system" group. Alternately, remove the set-uid bit from the swcons program. VI. VENDOR RESPONSE IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below. http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1 VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 12/21/2004 Initial vendor notification 01/07/2005 Initial vendor response 10/30/2007 Coordinated public disclosure IX. CREDIT This vulnerability was reported to iDefense by Alex DeLarge. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@xxxxxxxxxxxx for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
