AIX named-xfer File Overwrite Vulnerability
A vulnerability in the 'named-xfer' executable allows members of the 'system' group to overwrite any file in the system.
The '/usr/sbin/named-xfer' file under AIX is setuid root and only executable by members of the 'system' group. By using the '-f' command line parameter to named-xfer members of the system group can overwrite any file on the system with a DNS zone file.
A cleverly written zone file used to overwrite say /.rhosts could be used to obtain root access to the system.
The defect ticket 287556 has been opened to fix this issue.