COMMAND
Gradient iFOR/LS
SYSTEMS AFFECTED
AIX 3.2.5, 4.1.x, 4.2.x, 4.3
PROBLEM
Joerg Schumacher found the following. AIX 4.1 includes the iFOR/LS
(formerly known as NetLS) license server from Gradient
Technologies. Some parts of this system (NCS, the server and the
client libraries) use a cache file (/tmp/last_uuid, mode 0666), which
is created on the fly if it is missing. The code has the classical
file-open bug: it opens the path without checking what is already
there, so it will happily follow any symlink an attacker has planted
under that name. IIRC, HP-UX had (and may still have) this bug too.
Several other commands create similar situations with temporary
files; they are discussed in the following part of the text, based
on the IBM advisory. The vulnerable commands are not installed as
set-user-id programs, so an unprivileged user cannot use them
directly to create files in system directories. However, the root
user may be tricked into executing the programs while the symbolic
link is in place, in which case the file the link points to is
created or overwritten with root's privileges.
Other programs/files that create similar problems are:
- /var/adm/ras/dumpsymplog
- /tmp/x, /var/adm/ras/$
- /tmp/rc.net.out
- /tmp/xlogfile
- /tmp/.oslevel.mlcache.info
- /tmp/sysdumpdev-L
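The following script is an added example (not part of the advisory or of IBM's or Gradient's code) that reproduces the symlink follow described above in a scratch directory, as an unprivileged user, and contrasts it with a writer that refuses to follow links. unsafe_write stands in for the vulnerable cache-file code, safe_write and recreate_cache are hypothetical names for the hardened behaviour, and the "passwd" target is a constructed stand-in for a system file. It is written for POSIX sh and runs unchanged under AIX ksh.

```shell
#!/bin/sh
# Added example, not from the advisory: demonstrate the /tmp symlink
# follow and the unlink-then-create workaround in a scratch directory.

# Behaves like the vulnerable cache code: opens the path for writing
# without checking what the path already is, so a symlink is followed.
unsafe_write() {   # unsafe_write CACHE_PATH DATA
    printf '%s\n' "$2" > "$1"
}

# Hardened writer: refuse symlinks and anything that is not a regular
# file (a FIFO would hang the writer, a directory would make it fail).
safe_write() {     # safe_write CACHE_PATH DATA; returns 1 if path is suspect
    if [ -h "$1" ]; then
        echo "refusing to follow symlink: $1" >&2
        return 1
    fi
    if [ -e "$1" ] && [ ! -f "$1" ]; then
        echo "refusing: $1 exists and is not a regular file" >&2
        return 1
    fi
    printf '%s\n' "$2" > "$1"
}

# Boot-time pattern from the advisory's rc.boot workaround: unlink
# whatever sits at the path, then create an empty file owned by the
# caller (root at boot). Mode 666 is kept, as the library expects it.
recreate_cache() { # recreate_cache CACHE_PATH
    rm -f "$1"
    : > "$1"
    chmod 666 "$1"
}

# Harness: plants a link, runs each writer, reports what happened as
# "target-after-unsafe|safe_write-rc|target-after-safe|link-still-there".
demo() {
    dir=$(mktemp -d) || return 2
    target="$dir/passwd"      # constructed stand-in for a root-writable system file
    cache="$dir/last_uuid"    # stands in for /tmp/last_uuid
    printf 'root:x:0:0\n' > "$target"
    ln -s "$target" "$cache"  # attacker plants the link before root runs the program

    unsafe_write "$cache" "garbage-uuid"
    after_unsafe=$(cat "$target")   # the system file has been clobbered

    printf 'root:x:0:0\n' > "$target"
    if safe_write "$cache" "garbage-uuid" 2>/dev/null; then safe_rc=0; else safe_rc=$?; fi
    after_safe=$(cat "$target")     # unchanged

    recreate_cache "$cache"
    if [ -h "$cache" ]; then link_left=yes; else link_left=no; fi

    rm -rf "$dir"
    printf '%s|%s|%s|%s\n' "$after_unsafe" "$safe_rc" "$after_safe" "$link_left"
}

demo
```

Note that recreate_cache only helps if nobody can remove the root-owned file afterwards, which is what the sticky bit on /tmp provides; on a /tmp without it an attacker can unlink the file and plant the link again.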
SOLUTION
A simple workaround for this is to remove and recreate
/tmp/last_uuid in /sbin/rc.boot, so that the file already exists as a
regular root-owned file and the library never has to create it. This
limits the attack to filling the /tmp partition, provided /tmp has
the sticky bit set so that other users cannot remove root's file and
replace it with a link. The script for that is:
#!/usr/bin/ksh
# Back up rc.boot, recreate /tmp/last_uuid as a plain root-owned file
# now, then insert the same recreate sequence into rc.boot after the
# line that removes /etc/lock so that it runs on every boot.
cd /sbin
cp -p rc.boot rc.boot.before.security.patch
/bin/rm -f /tmp/last_uuid
>/tmp/last_uuid
chown root.system /tmp/last_uuid
chmod 666 /tmp/last_uuid
/usr/bin/ex <<EOF /sbin/rc.boot >/dev/null 2>&1
/rm -f \/etc\/lock/a
/bin/rm -f /tmp/last_uuid
>/tmp/last_uuid
chown root.system /tmp/last_uuid
chmod 666 /tmp/last_uuid
.
x!
EOF
/var/adm/ras/dumpsymplog
========================
If the file exists, change the permissions to 644. Add "umask
022" to /usr/lib/ras/logsymptom. APAR:
Fixed in 4.2.1 maintenance level (IX58183)
Fixed in 4.3.0 release
/tmp/x, /var/adm/ras/$
======================
/tmp/x and /var/adm/ras/$ are not needed. Remove both files and
change /usr/lib/ras/notifymeth so that they are not re-created.
APAR:
Fixed in 4.2.1 maintenance level (IX58183)
Fixed in 4.3.0 release.
/tmp/rc.net.out
===============
If the file exists, change the permissions to 644. Add "umask
022" to /etc/rc.net and /etc/rc.bsdnet. APAR:
Fixed in 4.3.0 release.
/tmp/xlogfile
=============
Remove /tmp/xlogfile before and after starting the X server. This
can be done by changing /usr/lpp/X11/defaults/xserverrc. APAR:
Fixed in 4.1.5 APAR IX58516 (fileset X11.base.rte.4.1.5.0)
Fixed in 4.2.1 maintenance level (IX58183)
Fixed in 4.3.0 release
/tmp/.oslevel.mlcache.info
==========================
Ensure that /tmp/.oslevel.mlinfo.cache is a regular file and owned
by root. This can be done by modifying /sbin/rc.boot to re-create
this file during system boot. APAR:
Fixed in 4.1.5 APAR IX56229 (fileset bos.rte.install.4.1.5.0)
Fixed in 4.2.1 maintenance level (IX58183)
Fixed in 4.3.0 release
/tmp/sysdumpdev-L
=================
There is no APAR. Remove /tmp/sysdumpdev-L if it exists. Update
/usr/lib/ras/logsymptom. Script:
#!/usr/bin/ksh
# Remove any existing /tmp/sysdumpdev-L, back up logsymptom, then
# insert "rm -f $tmpf" and "umask 022" right after the line that sets
# tmpf, so a planted link is unlinked before the temp file is created
# and the new file is not world-writable.
/bin/rm -f /tmp/sysdumpdev-L
cd /usr/lib/ras
cp -p logsymptom logsymptom.before.security.patch
/usr/bin/ex <<EOF /usr/lib/ras/logsymptom >/dev/null 2>&1
/^tmpf=
a
/bin/rm -f \$tmpf
umask 022
.
x!
EOF
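After applying the fixes above, an administrator will want a quick check that none of the listed paths is a symlink, a non-regular file, owned by someone other than root, or world-writable. The script below is an added example, not part of the advisory or of IBM's fixes; audit_path and audit_all are hypothetical names, and the path list is taken from the advisory. Ownership is compared numerically with ls -n so it works whether or not the uid has a name. Expect /tmp/last_uuid to be reported world-writable, since the rc.boot workaround deliberately keeps it at mode 666.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the temp-file paths named
# in the advisory for the conditions that make them abusable.

# Paths from the advisory (single quotes keep the literal "$" in /var/adm/ras/$).
ADVISORY_PATHS='/tmp/last_uuid /var/adm/ras/dumpsymplog /tmp/x /var/adm/ras/$
/tmp/rc.net.out /tmp/xlogfile /tmp/.oslevel.mlcache.info /tmp/sysdumpdev-L'

# audit_path PATH [UID]: prints one verdict and returns 0 only for
# "absent" or "ok". UID defaults to 0 (root).
#   absent | symlink | not-regular | wrong-owner:<uid> | world-writable | ok
audit_path() {
    p=$1
    want=${2:-0}
    if [ -h "$p" ]; then echo "symlink"; return 1; fi        # link planted at the path
    if [ ! -e "$p" ]; then echo "absent"; return 0; fi       # nothing to attack yet
    if [ ! -f "$p" ]; then echo "not-regular"; return 1; fi  # FIFO, directory, device
    owner=$(ls -ldn "$p" | awk '{print $3}')
    if [ "$owner" != "$want" ]; then echo "wrong-owner:$owner"; return 1; fi
    mode=$(ls -ldn "$p" | cut -c1-10)
    case $mode in
        ????????w?) echo "world-writable"; return 1 ;;       # others have write access
    esac
    echo "ok"
    return 0
}

# audit_all: one line per advisory path; returns 1 if any path is suspect.
audit_all() {
    rc=0
    for p in $ADVISORY_PATHS; do
        v=$(audit_path "$p") || rc=1
        printf '%-30s %s\n' "$p" "$v"
    done
    return $rc
}

audit_all
```

Run it as root after boot and again after any of the affected commands have been used; a "symlink" or "wrong-owner" verdict means the file must be removed (not opened) before the owning program runs again.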