IBM AIX "lsfs" trojaned grep/lslv
| aix-lsfs-path (7007) |  High Risk |
Description:
Lsfs could allow an attacker to execute arbitrary code by replacing the lslv or grep binaries with Trojan horse programs. The lsfs command uses the PATH environment variable to call the grep and lslv binaries. This allows an attacker to cause lsfs to execute the Trojan horse programs with elevated privileges.
Consequences:
Gain Access
Remedy:
For IBM AIX 4.3:
Apply APAR IY16909 patch, available from the IBM Technical Support Web site. See References.
References:
- IBM AIX APAR IY16909 APAR Notes: Re: New_AIXV4_Fixes. (From Neohapsis archive)
- IBM AIX Commands Reference, Volume 3: lslv Command.
- IBM AIX Commands Reference, Volume 3: lsfs Command.
- IBM Technical Support Web site: IY16909 - (AIXV43 only) security risk in lsfs.
- BID-6741: AIX lsfs Local Privilege Escalation Vulnerability
- CVE-2001-0573: lsfs in AIX 4.x allows a local user to gain additional privileges by creating Trojan horse programs named (1) grep or (2) lslv in a certain directory that is under the user's control, which cause lsfs to access the programs in that directory.
- OSVDB ID: 5582: AIX lsfs Environment Path Local Privilege Escalation
- US-CERT VU#123651: IBM AIX lsfs utility invokes grep and lslv with relative pathnames
Platforms Affected:
- IBM AIX 4.3
Reported:
Apr 03, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net