| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Dec 2005 17:12:52 -0000 From: "NGSSoftware Insight Security Research" <nisr@...tgenss.com> To: <bugtraq@...urityfocus.com>, <dbsec@...elists.org> Subject: Patches available for IBM AIX flaws David Litchfield of NGSSoftware has discovered a multiple high risk vulnerabilities in IBM's AIX operating systems. 1) There is a buffer overflow in the malloc debug system that when exploited can yeild root privileges. 2) There is a buffer overflow in muxatmd which is setuid root. 3) There is a buffer overflow in slocal which is setuid root. 4) There are arbitrary file data append issues in getShell and getCommand in conjuction with specific settings in the malloc debug system.Both getShell and getCommand are setuid root. Issue 1 affects AIX versions 5.3. Issue 2 affects AIX versions 5.3, 5.2 and 5.1. Issue 3 affects AIX versions 5.3, 5.2 and 5.1. Issue 4 affects AIX versions 5.3, 5.2 and 5.1. IBM has developed patches for these issues: http://www-03.ibm.com/servers/eserver/support/unixservers/aixfixes.html Administrators are urged to install the patches as soon as possible. Whilst these attacks are "local" by nature, AIX servers running Informix, DB2 and Oracle can be targeted remotely via specific SQL queries. NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ +44(0)208 401 0070
Powered by blists - more mailing lists