Brief description: Some versions of tftpd(8) dump core when given malicious input. The core file could contain information confidential to root.
Full description: Some versions of ftpd(8), tftpd, and utftpd(8) under AIX use the gets() function to read from standard input (STDIN). gets() takes no argument giving the size of the destination buffer, so it accepts an unbounded amount of data. The code in ftpd, tftpd, and utftpd places the string that gets() reads into a fixed-size buffer. This buffer can be overflowed, causing the applications to dump core. Because these programs run as root, the core images may contain sensitive root-owned memory, such as user names and passwords.
Components: ftpd (trusted)
Systems: AIX 4.3 (trusted), AIX 4.2.1 (trusted), AIX 4.2 (trusted), AIX 4.1.5 (trusted), AIX 4.1.4 (trusted), AIX 4.1.3 (trusted), AIX 4.1.2 (trusted), AIX 4.1.1 (trusted), AIX 4.1 (trusted)
Effect(s) of exploiting: tftpd may dump core, exposing confidential information.
Detecting the hole:
Fixing the hole:
Other information:
buffer overflow
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
Attack:
Advisories: Security Focus database entry 401; the IBM APAR database entries for AIX 4.3, AIX 4.2, and AIX 4.1
Related Vulnerabilities:
Reporting: IBM in APAR Database (Dec. 16, 1997)
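
Added example (not part of this entry and not IBM's fix): a bounded replacement for the gets() pattern named in the full description, plus disabling core files so that a crash in a root daemon does not write process memory to disk. CMD_MAX and the function names are assumptions; the entry does not give the real buffer size or code.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical buffer size; the entry does not state the real one. */
#define CMD_MAX 64

/* Read one line into buf without ever writing past buf[size - 1].
 * Returns 0 on success, -1 on EOF or error, 1 if the line did not fit.
 * An over-long line is drained and discarded so the next call starts
 * on a fresh line instead of parsing the attacker-controlled tail. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                 /* strip LF */
        if (len > 0 && buf[len - 1] == '\r')
            buf[len - 1] = '\0';           /* strip CR of a CRLF pair */
        return 0;
    }
    /* No newline in the buffer: count what is left on this line. */
    int c, extra = 0;
    while ((c = getc(in)) != EOF && c != '\n')
        extra++;
    if (extra == 0)
        return 0;                          /* line fit exactly */
    buf[0] = '\0';                         /* never act on a truncated line */
    return 1;
}

/* Set the core file size limit to zero for this process. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

int main(void)
{
    char cmd[CMD_MAX];
    int rc;
    if (disable_core_dumps() != 0)
        perror("setrlimit");
    while ((rc = read_line_bounded(stdin, cmd, sizeof cmd)) >= 0)
        printf("%s\n", rc == 1 ? "rejected: input too long" : cmd);
    return 0;
}
```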