COMMAND

    libi18n

SYSTEMS AFFECTED

    IBM AIX 4.3.x and 5.1

PROBLEM

    The following is based on IBM Advisory MSS-OAR-E01-2001:271.1.  AIX
    ships with the library "libi18n", located in the "/usr/ccs/lib"
    directory.  This library contains a function that is vulnerable
    to a buffer overflow through the LANG environment variable.

    An ordinary  user has  the ability  to set  the "LANG" environment
    variable to any value they choose.  When this variable is set to a
    suitably formatted  string and  a program  is run  which uses  the
    vulnerable library,  the program  will terminate  abnormally.   If
    this  program  is  also  setuid  root,  aixterm  for  example,   a
    malicious user has an opportunity  to spawn a root shell  and gain
    control of the machine.

    A malicious local user can use well-crafted exploit code to gain
    root privileges on the attacked system, compromising the integrity
    of the system and its attached local network.

    Credit goes to Troy Bollinger of IBM MSSD for discovering this
    vulnerability and for demonstrating its exploitation.

SOLUTION

    If you do not wish to install the efix for this vulnerability but
    would rather wait for the APAR that fixes it to be made available,
    you can also negate this vulnerability by making the "aixterm"
    program non-SUID.  You must be "root" to do this.  Ordinary
    users will still be able to use the program, although there may
    be unexpected side effects.
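
    The non-SUID workaround above, as an added shell example (not
    part of the IBM advisory).  The advisory does not give the path to
    aixterm, so the script takes it as an argument; the LOG file name
    and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: apply and verify the non-SUID workaround as root.
# Usage: sh drop_setuid.sh /path/to/aixterm
#   (/path/to/aixterm is a placeholder; locate it with: command -v aixterm)

# Hypothetical log file: keeps the original permissions so the
# set-user-ID bit can be restored once the APAR is installed.
LOG=${LOG:-./setuid_changes.log}

# is_setuid FILE: succeeds if FILE is a regular file with the setuid bit.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# list_setuid DIR: print every set-user-ID regular file under DIR,
# useful for reviewing what else still runs with elevated privileges.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# drop_setuid FILE: record the current mode, clear the bit, verify.
# Returns 0 = cleared, 1 = no such file, 2 = nothing to do, 3 = failed.
drop_setuid() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    is_setuid "$f" || { echo "already non-SUID: $f"; return 2; }
    # Save the original "ls -l" line (mode, owner, group) before changing it.
    ls -l "$f" >> "$LOG"
    chmod u-s "$f" || return 3
    if is_setuid "$f"; then
        echo "setuid bit still set: $f" >&2
        return 3
    fi
    echo "setuid bit cleared: $f"
}

# Run the workaround only when a path is given on the command line.
if [ -n "${1:-}" ]; then
    drop_setuid "$1"
fi
```

    After the APAR is installed, the saved line in the log shows the
    mode to restore.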

    IBM is working on the following fixes, which will be available
    soon:

        AIX 4.3.x   -  IY20867
        AIX 5.1.0   -  IY21309

    Fixes will not be provided for versions prior to 4.3, as these are
    no longer supported by IBM.  Affected customers are urged to
    upgrade to 4.3.3 at the latest maintenance level, or to 5.1.

    The temporary fixes can be downloaded via ftp from:

        ftp://aix.software.ibm.com/aix/efixes/security/libi18n_efix.tar.Z

    The efix tarball consists of a patched libi18n tarred binary which
    is compatible with both 4.3.x and 5.1.0 releases.  These temporary
    fixes have not been fully regression tested; thus, IBM does not
    warrant the fully correct functioning of the efix.  Customers
    install the efix and operate the modified version of AIX at their
    own risk.