Vulnerabilities > CVE-2007-4003 - Unspecified vulnerability in IBM AIX 5.3

047910
CVSS 6.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
ibm
nessus

Summary

pioout in IBM AIX 5.3 SP6 allows local users to execute arbitrary code by specifying a malicious library with the -R (ParseRoutine) command line argument.

Vulnerable Configurations

Part Description Count
OS
Ibm
1

Nessus

  • NASL familyAIX Local Security Checks
    NASL idAIX_U814071.NASL
    descriptionThe remote host is missing AIX PTF U814071, which is related to the security of the package printers.rte.
    last seen2020-06-01
    modified2020-06-02
    plugin id29167
    published2007-12-03
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29167
    titleAIX 5.2 TL 10 : printers.rte (U814071)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were extracted
    # from AIX Security PTF U814071. The text itself is copyright (C)
    # International Business Machines Corp.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(29167);
      script_version ("1.5");
      script_cvs_date("Date: 2019/09/16 14:12:49");
    
      script_cve_id("CVE-2007-4003");
    
      script_name(english:"AIX 5.2 TL 10 : printers.rte (U814071)");
      script_summary(english:"Check for PTF U814071");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote AIX host is missing a vendor-supplied security patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is missing AIX PTF U814071, which is related to the
    security of the package printers.rte."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www-01.ibm.com/support/docview.wss?uid=isg1IZ01121"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install the appropriate missing security-related fix."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:5.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"AIX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AIX/oslevel", "Host/AIX/version", "Host/AIX/lslpp");
    
      exit(0);
    }
    
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("aix.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if ( ! get_kb_item("Host/AIX/version") ) audit(AUDIT_OS_NOT, "AIX");
    if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    flag = 0;
    
    if ( aix_check_patch(ml:"520010", patch:"U814071", package:"printers.rte.5.2.0.106") < 0 ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyAIX Local Security Checks
    NASL idAIX_U812659.NASL
    descriptionThe remote host is missing AIX PTF U812659, which is related to the security of the package printers.rte.
    last seen2020-06-01
    modified2020-06-02
    plugin id65334
    published2013-03-13
    reporterThis script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/65334
    titleAIX 5.3 TL 6 : printers.rte (U812659)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were extracted
    # from AIX Security PTF U812659. The text itself is copyright (C)
    # International Business Machines Corp.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(65334);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/16 14:12:48");
    
      script_cve_id("CVE-2007-4003");
    
      script_name(english:"AIX 5.3 TL 6 : printers.rte (U812659)");
      script_summary(english:"Check for PTF U812659");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote AIX host is missing a vendor-supplied security patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is missing AIX PTF U812659, which is related to the
    security of the package printers.rte."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www-01.ibm.com/support/docview.wss?uid=isg1IZ01122"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install the appropriate missing security-related fix."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:5.3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.");
      script_family(english:"AIX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AIX/oslevel", "Host/AIX/version", "Host/AIX/lslpp");
    
      exit(0);
    }
    
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("aix.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if ( ! get_kb_item("Host/AIX/version") ) audit(AUDIT_OS_NOT, "AIX");
    if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    flag = 0;
    
    if ( aix_check_patch(ml:"530006", patch:"U812659", package:"printers.rte.5.3.0.61") < 0 ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 25084 CVE(CAN) ID: CVE-2007-4003 IBM AIX是一款商业性质的UNIX操作系统。 AIX操作系统所随捆绑的pioout程序处理命令行参数时存在漏洞,本地攻击者可能利用此漏洞提升自己的权限。 pioout程序没有丢弃权限便加载了攻击者所提供的任意共享库,如果使用了-R命令行参数攻击者就可以指定用于解析打印机数据的共享库。pioout程序拥有root setuid,任何本地用户都可以执行,因此本地攻击者可以通过创建一个执行shell的共享库导致以root用户权限执行任意命令。 IBM AIX 5.3 IBM AIX 5.2 临时解决方法: * 删除该二进制程序的setuid位。 厂商补丁: IBM --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="ftp://aix.software.ibm.com/aix/efixes/security/pioout_ifix.tar.Z" target="_blank">ftp://aix.software.ibm.com/aix/efixes/security/pioout_ifix.tar.Z</a>
idSSV:2044
last seen2017-11-19
modified2007-07-28
published2007-07-28
reporterRoot
titleIBM AIX Pioout任意库加载命令执行漏洞