CVE-1999-1208
Description
Local users can gain root privileges via a buffer overflow in the setuid AIX ping binary on versions 4.2 and earlier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow exists in /usr/sbin/ping on AIX version 4.2 and earlier, including AIX 3.2 and 4.1. The vulnerability is triggered by supplying an overly long command-line argument to the ping program [1]. The binary is installed setuid root, which allows the overflow to be exploited for privilege escalation [1].
Exploitation
An attacker must have local access to the system and the ability to compile and execute a C program. The exploit involves crafting a specially formatted argument string that overwrites the return address on the stack. The provided exploit code uses a NOP sled and shellcode to spawn a root shell when executed with a specific argument length, typically in the range of 5090 to 5500 bytes [1].
Impact
Successful exploitation grants the attacker a root shell. This results in a complete compromise of system confidentiality, integrity, and availability, as the attacker can execute arbitrary commands with superuser privileges [1].
Mitigation
IBM released APARs to fix the vulnerability: IX62144 for AIX 4.2, IX61019 for AIX 4.1, and IX60927 for AIX 3.2 [2]. These fixes are available from FixDist at http://service.software.ibm.com/aixsupport/ [2]. Applying the appropriate APAR for the AIX version mitigates the vulnerability. No workarounds are documented in the references; the only mitigation is to install the vendor-supplied fix.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.