AIX named-xfer File Overwrite Vulnerability

A vulnerability in the 'named-xfer' executable allows members of the 'system' group to overwrite any file in the system.

The '/usr/sbin/named-xfer' file under AIX is setuid root and only executable by members of the 'system' group. By using the '-f' command line parameter to named-xfer members of the system group can overwrite any file on the system with a DNS zone file.

A cleverly written zone file used to overwrite say /.rhosts could be used to obtain root access to the system.

The defect ticket 287556 has been opened to fix this issue.


Privacy Statement
Copyright 2010, SecurityFocus