sysback, shipped with AIX systems, allows local users to gain root access because of a failure to use a fully qualified path for a call to hostname.
sysback includes a call to hostname but does not include a full path specification. Because sysback is set uid root, intruders can put a malicious hostname in the path before the "real" hostname, and thereby execute any commands with root privileges.
Local users can execute arbitrary commands and programs with root privileges.
Update to sysback.rte 22.214.171.124 as described in the IBM vendor statement.
Remove setuid root from sysback in environments that permit it (where such a change would not be detrimental to operations).
Our thanks to Kiki Lee for reporting this vulnerability.
This document was written by Shawn V Hernan.
|Date First Published:||2000-12-12|
|Date Last Updated:||2000-12-12 23:11 UTC|