Key information

[SUMMARY]

Announced: November 09, 1998
Report code: RSI.0011.11-12-98.AIX.INFOD
Report title: AIX infod

Vulnerability:
- The Info Explorer daemon on AIX does not validate input, allowing local attackers to exploit it and gain root privileges.

Vendor status: AIX was contacted on November 12, 1998.
Patch status: IBM is working on several fixes.
Platforms: AIX 3.2.x, 4.1.x, 4.2.x, 4.3.x
Reference: http://www.repsec.com/advisories.html
Impact: Exploiting the vulnerability gives a local attacker root access on your server.

[DETAILS]

Description: The Info Explorer daemon is an AIX utility that provides documentation for the operating system and associated programs.

Problem: The info daemon does not perform any validation on the information passed to the local socket that it is bound to. Users on the system can send false information to the daemon and trick it into spawning a connection to the intruder's X display.

Details: By sending a UID and GID of 0, along with a false environment, infod will be forced into spawning a connection with root privileges to the intruder's X display. Once the program appears on the screen, attackers can change the printer command line to an alternate binary such as that gives privileges to the account the session was spawning under.

[FIX]

Solution: IBM is currently working on the following fixes, which will be available soon:
- AIX 3.2.x: upgrade to version 4
- AIX 4.1.x: IX84640
- AIX 4.2.x: IX84641
- AIX 4.3.x: IX84642

Until the fixes can be applied, the infod daemon should be disabled. Run the following commands as root:

```
# Stop the running infod subsystem
stopsrc -s infod
# Remove the infod record from /etc/inittab so it is not started at boot
rmitab infod
# Make root the owner and clear every permission bit on the binary
chown root.system /usr/lpp/info/bin/infod
chmod 0 /usr/lpp/info/bin/infod
```
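One way to confirm that the workaround above took effect, as an added example that is not part of the original advisory. The function names and the file-based `lssrc` input are assumptions made so the checks can run against constructed files; the `infod` names and the binary path come from the advisory.

```shell
#!/bin/sh
# Added example: audit the infod workaround. Inputs are passed as paths so the
# checks can also run against constructed files.

# Succeeds unless `lssrc -s infod` output on stdin lists infod as active.
src_inactive() {
    awk '$1 == "infod" && $NF == "active" { bad = 1 } END { exit bad + 0 }'
}

# Succeeds if inittab file $1 has no record with the identifier "infod".
inittab_clean() {
    ! grep -q '^infod:' "$1"
}

# Succeeds if $1 is absent or has every permission bit cleared (chmod 0).
binary_locked() {
    [ -e "$1" ] || return 0
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "---------" ]
}

# $1 = inittab, $2 = infod binary, $3 = file holding `lssrc -s infod` output
audit_infod() {
    rc=0
    src_inactive < "$3" || { echo "FAIL: infod subsystem is active"; rc=1; }
    inittab_clean "$1"  || { echo "FAIL: infod record still in $1"; rc=1; }
    binary_locked "$2"  || { echo "FAIL: $2 still has permission bits"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: infod workaround in place"
    return "$rc"
}

# On AIX, as root:
#   lssrc -s infod > /tmp/infod.src
#   audit_infod /etc/inittab /usr/lpp/info/bin/infod /tmp/infod.src
```

A non-zero return from `audit_infod` means at least one of the three steps has not been applied or has been reverted.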