Vigil@nce - AIX: privilege elevation via LDAP
May 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the Extended LDAP User Filtering feature is used, a local
attacker can access the account of another user.
Severity: 2/4
Creation date: 04/05/2012
IMPACTED PRODUCTS
– IBM AIX
DESCRIPTION OF THE VULNERABILITY
The /etc/security/ldap/ldap.cfg file indicates the Base
Distinguished Names of users who are allowed to access the
system. For example:
userbasedn: ou=people, cn=aixdata
The administrator can filter the list of allowed users (Extended
LDAP User Filtering). For example:
userbasedn: ou=people, cn=aixdata??(attribute=value)
However, when filtering is enabled, the getpwnam() function,
which returns the passwd structure associated with a user, can
return the data of another user. Applications calling getpwnam()
can then allow access to an account that is different from the
requested one.
When the Extended LDAP User Filtering feature is used, a local
attacker can therefore access the account of another user.
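Added example, not part of the Vigil@nce bulletin and not IBM code: a defensive wrapper an application can put around getpwnam() so that an entry belonging to a different user is rejected, plus an audit helper that counts such mismatches. It assumes the mismatched entry carries the other user's pw_name; checked_lookup, count_mismatches, faulty_lookup and the sample user names are hypothetical.

```c
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lookup signature matching getpwnam(), so a test stub can be swapped in. */
typedef struct passwd *(*pw_lookup_fn)(const char *);

/* Return the entry only if it really belongs to the requested name.
 * NULL means "not found" or "entry for a different user": deny either way. */
struct passwd *checked_lookup(pw_lookup_fn lookup, const char *requested)
{
    struct passwd *pw;

    if (requested == NULL || *requested == '\0')
        return NULL;
    pw = lookup(requested);
    if (pw == NULL || pw->pw_name == NULL)
        return NULL;
    if (strcmp(pw->pw_name, requested) != 0)
        return NULL;            /* entry returned for another account */
    return pw;
}

/* Audit helper: count names for which the lookup returns a different user. */
size_t count_mismatches(pw_lookup_fn lookup, const char *const *names, size_t n)
{
    size_t i, bad = 0;
    for (i = 0; i < n; i++) {
        struct passwd *pw = lookup(names[i]);
        if (pw != NULL && (pw->pw_name == NULL || strcmp(pw->pw_name, names[i]) != 0))
            bad++;
    }
    return bad;
}

/* Constructed stub simulating the faulty behaviour: always returns "bob". */
static struct passwd stub_bob = { .pw_name = "bob", .pw_uid = 1002 };
struct passwd *faulty_lookup(const char *name) { (void)name; return &stub_bob; }

int main(void)
{
    const char *names[] = { "alice", "bob" };   /* constructed sample names */
    printf("mismatches with stub: %zu\n", count_mismatches(faulty_lookup, names, 2));
    printf("alice accepted: %s\n", checked_lookup(faulty_lookup, "alice") ? "yes" : "no");
    printf("root via getpwnam: %s\n", checked_lookup(getpwnam, "root") ? "ok" : "denied");
    return 0;
}
```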
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/AIX-privilege-elevation-via-LDAP-11579