TUCoPS :: Unix :: Various Flavours :: cdmount.htm


Cdmount possible root compromise
Vulnerability
 cdmount
Affected
 AIX
Description
 The following is based on an Internet Security Systems (ISS) security
 advisory.
 The AIX cdmount program allows regular users to mount CD-ROM
 filesystems. It is essentially a SUID-root wrapper around the mount
 command. Insecure handling of the arguments to cdmount may allow a
 local, unprivileged user to execute commands as root, and so to gain
 root privileges.
 Affected systems are AIX systems with the LPP UMS.objects 2.3.0.0
 or below installed. Use the command 'lslpp -l UMS.objects' to
 check whether a vulnerable version is installed.
 The cdmount program is part of the AIX UltiMedia Services (UMS)
 package. UMS provides multimedia applications to AIX workstations.
 The cdmount program is normally used as a helper to UMS multimedia
 players. It has SUID root permissions to allow regular users to
 mount a CD-ROM. The system() library subroutine is used within
 cdmount to invoke the mount program. This subroutine spawns
 a shell to execute the mount command with arguments provided by
 the user. An attacker may execute arbitrary commands as root by
 calling cdmount with arguments containing shell metacharacters.
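 As an added illustration (this is not the cdmount source, which the
 advisory does not include), the C sketch below contrasts the pattern the
 advisory describes, a caller-supplied argument spliced into a string that
 system() hands to a shell, with a shell-free fork()/execv() equivalent that
 validates the argument and passes it as a single argv element. The mount
 command line, the /dev/cdN device naming and the /cdrom mount point are
 assumptions chosen only to give the example a shape.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Characters the shell interprets specially. If one appears in an argument
 * spliced into a system() string, the shell parses it as syntax, not data.
 * Constructed list for this example. */
static const char SHELL_META[] = "|&;<>()$`\\\"' \t\n*?[]#~{}";

/* Returns 1 if s contains a shell metacharacter, 0 otherwise. */
int has_shell_metachar(const char *s)
{
    return (s != NULL && strpbrk(s, SHELL_META) != NULL) ? 1 : 0;
}

/* The weak pattern (shape only, not cdmount's real code): the argument is
 * concatenated into a command line destined for system() and /bin/sh.
 * Returns the string length, or -1 if it does not fit. */
int build_system_command(const char *device, char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "/usr/sbin/mount -r -v cdrfs %s /cdrom", device);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened pattern, step 1: accept only the one argument shape the helper
 * needs (assumed here: "/dev/cd" followed by one or more digits). */
int is_plausible_cd_device(const char *device)
{
    const char *prefix = "/dev/cd";
    size_t plen = strlen(prefix), i;

    if (device == NULL || strncmp(device, prefix, plen) != 0)
        return 0;
    if (device[plen] == '\0')
        return 0;                       /* "/dev/cd" alone is not a unit */
    for (i = plen; device[i] != '\0'; i++)
        if (device[i] < '0' || device[i] > '9')
            return 0;
    return 1;
}

/* Hardened pattern, step 2: build an argv for execv() so no shell is ever
 * involved; the device is one argv element whatever it contains.
 * Returns argc on success, -1 if the argument was rejected. */
int build_mount_argv(const char *device, const char *argv_out[], size_t max)
{
    if (max < 7 || !is_plausible_cd_device(device))
        return -1;
    argv_out[0] = "/usr/sbin/mount";
    argv_out[1] = "-r";
    argv_out[2] = "-v";
    argv_out[3] = "cdrfs";
    argv_out[4] = device;
    argv_out[5] = "/cdrom";
    argv_out[6] = NULL;
    return 6;
}

/* fork()+execv() in place of system(): returns mount's exit status, or -1
 * on rejection or a failure to spawn. Not exercised by main(). */
int run_mount_without_shell(const char *device)
{
    const char *argv[7];
    pid_t pid;
    int status;

    if (build_mount_argv(device, argv, 7) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *samples[] = { "/dev/cd0", "/dev/cd0; true", "/dev/cd" };
    const char *argv[7];
    char cmd[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s metachar=%d accepted=%d\n", samples[i],
               has_shell_metachar(samples[i]),
               build_mount_argv(samples[i], argv, 7) == 6);
    if (build_system_command(samples[0], cmd, sizeof cmd) > 0)
        printf("system() string: %s\n", cmd);
    return 0;
}
```

 The allow-list check is the primary control; the metacharacter scan is
 kept only to make the exposure of the system() form visible. Even with a
 clean argument, the execv() form is the one to keep: it removes the shell
 from the privilege boundary rather than trying to outguess its parser.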
Solution
 ISS recommends removing the SUID bit from cdmount by executing the
 following command:
 # chmod 555 /usr/lpp/UMS/bin/cdmount
 IBM is currently working on the following APAR (Authorized
 Problem Analysis Report), which will be available soon:
 APAR 4.3.x: IY10903
 Until the official fix is available, if UMS is not being used IBM
 recommends uninstalling UMS or removing the SUID bit from cdmount.
 APARs may be ordered using Electronic Fix Distribution (via
 FixDist) or from the IBM Support Center.
