COMMAND
frcactrl
SYSTEMS AFFECTED
AIX 4.3 with APAR IY02669 applied
PROBLEM
The following is based on an ISS Security Advisory. ISS X-Force has
discovered a vulnerability in the AIX frcactrl program. The Fast
Response Cache Accelerator (FRCA) is a kernel module that can be
used with the IBM HTTP server to improve the performance of a web
server. If the FRCA module is loaded, a local attacker could use
frcactrl, a program used to manage FRCA configuration, to modify
files. An attacker could gain root privileges by using the
frcactrl program if the FRCA kernel module is loaded.
The AIX Fast Response Cache Accelerator (FRCA) is a kernel
extension module that improves the performance of a web server by
using a memory cache to store data being served from the web
server. FRCA is used primarily with the Apache-based IBM HTTP
server, but it may also be used with other web servers. The
frcactrl program is used to manage the FRCA configuration and is
distributed as part of the base operating system in AIX 4.3. The
vulnerability is present on systems with AIX fix IY02669 applied
and with the FRCA kernel extension loaded (the kernel extension
is not enabled by default). The setuid bit of the frcactrl file
is turned on by APAR (Authorized Problem Analysis Report) IY02669,
which allows non-root users to configure the module. A malicious
user may use frcactrl to manipulate the configuration of the FRCA
log files to create, append, or overwrite files as root.
This vulnerability was discovered and researched by Oliver
Atoa-Ortiz of the ISS X-Force.
SOLUTION
If FRCA is not needed, ISS recommends unloading the module with the
following command:
# /usr/sbin/frcactrl unload ; /usr/sbin/slibclean
Until an official fix is available, IBM recommends removing the
setuid bit from the frcactrl command:
# chmod 555 /usr/sbin/frcactrl
IBM is currently working on the following APARs, which will be
available soon:
APAR 4.3.x: IY09514
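
One way to confirm that the chmod 555 workaround above is in place, as an added example that is not part of the ISS or IBM advisory. The function name check_frcactrl and its return codes are assumptions of this example; only the path /usr/sbin/frcactrl and the mode 555 come from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the setuid workaround.
# Return codes are a convention assumed for this example:
#   0 = mode matches chmod 555 (workaround applied)
#   1 = setuid bit is set (exposed when the FRCA module is loaded)
#   2 = file not found
#   3 = setuid bit clear, but mode differs from 555 (review manually)
# Usage: check_frcactrl [path]    (path defaults to /usr/sbin/frcactrl)

check_frcactrl() {
    target="${1:-/usr/sbin/frcactrl}"   # default path taken from the advisory

    if [ ! -e "$target" ]; then
        echo "NOT FOUND: $target"
        return 2
    fi

    # Parse the long listing instead of stat(1), whose options differ
    # between AIX and other UNIX systems.
    listing=$(ls -ld "$target")
    mode=$(echo "$listing" | awk '{print $1}')
    owner=$(echo "$listing" | awk '{print $3}')

    # -u is the POSIX test for the set-user-ID bit.
    if [ -u "$target" ]; then
        echo "EXPOSED: $target is setuid, owner $owner, mode $mode"
        echo "         workaround: chmod 555 $target"
        return 1
    fi

    # chmod 555 yields r-xr-xr-x; a trailing ACL/label marker is tolerated.
    case "$mode" in
        -r-xr-xr-x*)
            echo "OK: $target has mode $mode, owner $owner"
            return 0
            ;;
        *)
            echo "REVIEW: $target is not setuid, but mode is $mode (expected 555)"
            return 3
            ;;
    esac
}
```

Re-run the check after applying any later fix package, since the advisory states that APAR IY02669 is what turned the setuid bit on in the first place.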