rmsock and rmsock64 allow any user to append to any file on an AIX system.

Posted 04/29/2009 - 13:03 by David Schnardthorst

Overview: 

rmsock and rmsock64 are commands used to remove sockets without file descriptors. These commands run as root, regardless of who runs them. They have logging capabilities, and the log output can be redirected to any file, so anyone with an account can write to any file. This has been labeled as a High Vulnerability.
 

Description: 

IBM has acknowledged a security issue in IBM AIX, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused by the "rmsock" and "rmsock64" commands creating log files in an insecure manner. This can be exploited to, for example, append data to arbitrary files.

The security issue is reported in the AIX platforms 5.2, 5.3, and 6.1. Other versions may also be affected.
 

Solution: 

Apply fix:
http://aix.software.ibm.com/aix/efixes/security/rmsock_fix.tar
 

  • IBM AIX 5.2.0 - Apply APAR IZ40386
  • IBM AIX 5.3.0 - Apply APAR IZ42785 (available approx. 4/29/2009)
  • IBM AIX 5.3.7 - Apply APAR IZ42786 (available approx. 4/29/2009)
  • IBM AIX 5.3.8 - Apply APAR IZ42787 (available approx. 4/29/2009)
  • IBM AIX 5.3.9 - Apply APAR IZ42788 (available approx. 4/29/2009)
  • IBM AIX 6.1.0 - Apply APAR IZ41599 (available approx. 2/25/2009)
  • IBM AIX 6.1.1 - Apply APAR IZ41593 (available approx. 2/25/2009)
  • IBM AIX 6.1.2 - Apply APAR IZ41510 (available approx. 2/25/2009)

Workaround:

The workaround we are implementing is to change the permissions of the rmsock and rmsock64 commands from Set UID, executable by all (4555), to executable by root only (500).
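
The workaround above as a repeatable check, added here as an example (it is not part of the original post or of IBM's fix): it reports whether each binary is still Set UID and executable by all, and with `--apply` sets mode 500 and verifies the result. The `/usr/sbin` paths are an assumption, since the advisory does not state where the commands are installed; override `RMSOCK_PATHS` if they differ.

```shell
#!/bin/sh
# Added example: audit the rmsock binaries and apply the chmod 500 workaround.
# ASSUMPTION: the install paths below; the advisory does not state them.
RMSOCK_PATHS="${RMSOCK_PATHS:-/usr/sbin/rmsock /usr/sbin/rmsock64}"

# True when FILE is set-UID and executable by "other": any local account
# can then run it with the file owner's privileges.
is_exposed() {
    [ -n "$(find "$1" -prune -type f -perm -4000 -perm -0001 2>/dev/null)" ]
}

# True when FILE is mode 500 with no set-UID/set-GID bit left behind.
is_locked_down() {
    [ -n "$(find "$1" -prune -type f -perm 0500 ! -perm -4000 ! -perm -2000 2>/dev/null)" ]
}

# Apply the workaround to one file and verify the result.
# Returns 0 = changed and verified, 1 = nothing to do, 2 = change failed.
apply_workaround() {
    is_exposed "$1" || return 1
    chmod 500 "$1" 2>/dev/null || return 2
    is_locked_down "$1" || return 2
    return 0
}

# Report each path; change modes only when called with --apply.
main() {
    for f in $RMSOCK_PATHS; do
        if [ ! -f "$f" ]; then
            echo "SKIP    $f (not present)"
        elif is_locked_down "$f"; then
            echo "OK      $f (mode 500)"
        elif ! is_exposed "$f"; then
            echo "REVIEW  $f (neither set-UID/world-executable nor mode 500)"
        elif [ "${1:-}" = "--apply" ]; then
            if apply_workaround "$f"; then echo "FIXED   $f"; else echo "FAILED  $f"; fi
        else
            echo "EXPOSED $f (set-UID, executable by all)"
        fi
    done
    return 0
}

main "$@"
```

Run it without arguments for a read-only report; re-run it after applying an APAR or maintenance update to confirm which mode the binaries now carry.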