Internet Security Systems Security Advisory
June 20, 2000

Insecure call of external program in AIX cdmount

Synopsis:

The AIX cdmount program allows regular users to mount CD-ROM filesystems.
This program is basically a SUID to root wrapper of the mount command.
Insecure handling of the arguments to cdmount may allow a local regular user
to execute commands as root.

Impact:

Local users may gain root privileges.

Affected Versions:

AIX systems with the LPP UMS.objects 2.3.0.0 and below installed. Use the
command 'lslpp -l UMS.objects' to verify if a vulnerable version is
installed.

Description:

The cdmount program is part of the AIX UltiMedia Services (UMS) package. UMS
provides multimedia applications to AIX workstations. The cdmount program is
normally used as a helper to UMS multimedia players. It has SUID root
permissions to allow regular users to mount a CD-ROM.

The system() library subroutine is used within cdmount to invoke the mount
program. This subroutine spawns a shell to execute the mount command with
arguments provided by the user. An attacker may execute arbitrary commands as
root by calling cdmount with arguments containing shell metacharacters.

Recommendations:

ISS recommends removing the SUID bit from cdmount by executing the following
command:

    # chmod 555 /usr/lpp/UMS/bin/cdmount

IBM is currently working on the following APAR (Authorized Problem Analysis
Report), which will be available soon:

    APAR 4.3.x: IY10903

Until the official fix is available, if UMS is not being used IBM recommends
uninstalling UMS or removing the SUID bit from cdmount.

APARs may be ordered using Electronic Fix Distribution (via FixDist) or from
the IBM Support Center. For more information on FixDist, go to
<http://service.software.ibm.com/support/rs6000> or send an email to
[EMAIL PROTECTED] with a subject of "FixDist".

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0466 to this issue. This is a candidate for inclusion in the CVE
list <http://cve.mitre.org>, which standardizes names for security problems.

Credits:

This vulnerability was discovered and researched by Oliver Atoa-Ortiz of the
ISS X-Force. ISS would like to thank IBM for their response and handling of
this vulnerability.
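
Added example (not part of the ISS advisory and not IBM's cdmount source):
how a privileged wrapper of the kind the Description covers can invoke an
external program without system(), by validating the user-supplied argument
against an allow-list and calling execve() directly. MOUNT_PROG, the function
names and the single-argument call are assumptions made for illustration.

```c
/* Added example: not IBM's cdmount source. MOUNT_PROG is an assumed path. */
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MOUNT_PROG "/usr/sbin/mount"   /* assumption, adjust per system */

/* Pattern the advisory describes (shown only as a comment):
 *     sprintf(cmd, "mount %s", user_arg);  system(cmd);
 * system() hands cmd to a shell, so metacharacters in user_arg are parsed. */

/* Allow-list: absolute path built only from characters inert to a shell. */
int arg_is_safe(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/_.-";
    if (s == NULL || s[0] != '/' || strlen(s) > 255)
        return 0;
    return s[strspn(s, ok)] == '\0';
}

/* fork + execve with a fixed environment: no shell ever sees arg.
 * Returns the child's exit status, 127 if exec failed, -1 on error. */
int run_no_shell(const char *prog, const char *arg)
{
    char *const argv[] = { (char *)prog, (char *)arg, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Validate first, then execute without a shell. -2 means rejected. */
int mount_device(const char *prog, const char *device)
{
    return arg_is_safe(device) ? run_no_shell(prog, device) : -2;
}

int main(int argc, char **argv)
{
    return argc == 2 ? mount_device(MOUNT_PROG, argv[1]) : 2;
}
```

Either measure alone closes the shell-parsing path; using both keeps the
wrapper safe if a later change reintroduces a shell.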


