There are several exploitable buffer overflows in setuid and setgid binaries (libs) that allow local users to gain root access on AIX. A vulnerability in portmir can also be used to kill other processes as root.
Credit:
The information has been provided by Esa Etelavuori.
Vulnerable systems:
AIX 4.{3,2}.x

Affected Programs:
(The bracketed line under each program gives the argument or environment pattern in which the overlong string, written $s, is supplied.)

  setuid root                         V43 APARs   V42 APARs
  /usr/bin/setsenv *                  IY08812     IY10721
      [ x=$s ]
  /usr/lib/lpd/digest *               IY08143     IY08287
      [ $s x ]
  /usr/sbin/portmir *                 IY07832
      [ -t $s -d x ]
  /usr/bin/enq                        IY08143     IY08287
      [ -M $s ]
  /usr/bin/setclock                   IY07831     IY07790
      [ $s ]
  /usr/lib/lpd/pio/etc/pioout         IY12638
      [ PIO{DEVNAME,PTRTYPE}=$s ]

  setgid printq
  /usr/lib/lpd/piobe *                IY12638
      [ PIOSTATUSFILE=x PIO{TITLE,VARDIR}=$s ]
  /usr/lib/lpd/pio/etc/piomkapqd *    IY12638
      [ -p $s ]
  /usr/bin/splp                       IY12638
      [ $s ]

  [*] Confirmed exploitable.
AIX has a world-writable system lock directory that allows playing with hard links to kill other processes, such as cron, using portmir. The portmir overflow is trivial to exploit.
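The mitigation for the lock-directory problem is on the consumer side: a privileged program that reads a pid out of a lock file in a directory anyone can write to must refuse files that an unprivileged user could have planted or hard-linked there. The following is an added example, not AIX or portmir code; it assumes a hypothetical lock-file reader with the same shape (read a pid, act on it) and demonstrates the checks: open without following symlinks, require a regular file with a link count of exactly one, and require that the caller owns it. The demo function builds a constructed scenario in /tmp to show a hard-linked copy being rejected.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: read a pid from a lock file while refusing anything an
 * unprivileged user could have placed in a world-writable lock directory:
 * symlinks (O_NOFOLLOW), non-regular files, files with more than one hard
 * link, and files not owned by the calling (effective) user.
 * Returns the pid, or -1 with errno set. */
long read_lock_pid_safe(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0) {          /* fstat on the open fd: no TOCTOU window */
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;                   /* a planted or hard-linked file is rejected */
        return -1;
    }

    char buf[32];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) {
        errno = EINVAL;
        return -1;
    }
    buf[n] = '\0';

    char *end;
    long pid = strtol(buf, &end, 10);
    if (end == buf || pid <= 1) {        /* never act on pid 0, 1 or garbage */
        errno = EINVAL;
        return -1;
    }
    return pid;
}

/* Constructed scenario: a legitimate lock file holding pid 4242, then a hard
 * link to it (the trick the advisory describes), then the link removed again.
 * Returns 1 if the reader accepts only the un-linked file, 0 otherwise. */
int lock_check_demo(void)
{
    char path[] = "/tmp/lockdemoXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    if (write(fd, "4242\n", 5) != 5) {
        close(fd);
        unlink(path);
        return 0;
    }
    close(fd);

    char linkpath[64];
    snprintf(linkpath, sizeof linkpath, "%s.lnk", path);

    int ok = 1;
    if (read_lock_pid_safe(path) != 4242)   /* pristine file: accepted */
        ok = 0;
    if (link(path, linkpath) != 0) {
        ok = 0;
    } else {
        if (read_lock_pid_safe(path) != -1) /* link count is now 2: refused */
            ok = 0;
        unlink(linkpath);
    }
    if (read_lock_pid_safe(path) != 4242)   /* link count back to 1: accepted */
        ok = 0;
    unlink(path);
    return ok;
}
```

The ownership check is what makes the world-writable directory survivable: a file another user created, or hard-linked into the directory, fails either the st_uid or the st_nlink test before any pid is read, so the privileged program never signals a process chosen by an attacker.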
Gaining access to the printq group gives write access to printer subsystem configuration files and directories that contain other binaries. Printer subsystem programs seem to expect that they are executed by other printer programs with a correctly set up environment. There are nice-looking variables such as PIO_IPCWRITEFD. The printq group also has access to run several other suid root binaries, of which at least /usr/lib/lpd/digest is exploitable.
The overflow in digest is a bit more interesting. Our exploit uses two overflows. The first one overwrites a pointer located after an overflowed library (?) buffer, which afterwards overflows another buffer on the stack. By that time digest has "dropped" its privileges, but the saved uid is still zero.
Enq was not examined at all. The buffer overflows in setclock and splp happen in main(), so at least the argv and environment pointers can be overwritten, but it seems that no interesting data can be accessed. Pioout dies due to a never-ending strcpy() of the stored PIODEVNAME environment variable on the heap.
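Two of the defects described above have standard fixes: an environment variable copied with strcpy() into a fixed-size buffer, and a privilege "drop" that leaves the saved uid at zero so root can be regained. The block below is an added example, not code from AIX or from the printer subsystem; the buffer size, the helper names and the PIODEVNAME handling are constructed for illustration. It shows the unbounded copy next to a bounded one that rejects oversized values instead of truncating them, and a permanent privilege drop using setuid() rather than seteuid().

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEVNAME_MAX 64   /* constructed buffer size for the example */

/* The pattern the advisory describes: an environment value copied with
 * strcpy() into a fixed-size buffer, so any value of DEVNAME_MAX bytes or
 * more writes past the end. Kept only for contrast with the bounded form. */
int copy_devname_unbounded(char *dst, const char *devname)
{
    strcpy(dst, devname);          /* no length check at all */
    return 0;
}

/* Hardened form: reject a value that does not fit (including its NUL) rather
 * than truncating silently, since a truncated device name or path may still
 * be meaningful and point somewhere unintended. Returns 0 or -1. */
int copy_devname_bounded(char *dst, size_t dstsz, const char *devname)
{
    if (devname == NULL || dstsz == 0)
        return -1;
    size_t len = strnlen(devname, dstsz);   /* never scans past dstsz bytes */
    if (len >= dstsz)
        return -1;
    memcpy(dst, devname, len + 1);
    return 0;
}

/* Read PIODEVNAME from the environment into a caller-supplied buffer.
 * Returns 0 on success, -1 if the variable is unset or too long. */
int load_devname(char *dst, size_t dstsz)
{
    return copy_devname_bounded(dst, dstsz, getenv("PIODEVNAME"));
}

/* Drop root for good. seteuid(getuid()) alone leaves the saved uid at 0,
 * which is the state the digest description relies on; setuid() called with
 * euid 0 resets real, effective and saved uid together. Returns 0 on success. */
int drop_root_permanently(void)
{
    uid_t uid = getuid();
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop: a non-root process must not be able to regain euid 0. */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

/* Constructed inputs: one device name that fits, one longer than the buffer.
 * Returns 1 if the bounded copy accepts the first and rejects the second. */
int devname_demo(void)
{
    char buf[DEVNAME_MAX];
    char toolong[DEVNAME_MAX + 16];
    memset(toolong, 'A', sizeof toolong - 1);
    toolong[sizeof toolong - 1] = '\0';

    if (copy_devname_bounded(buf, sizeof buf, "lp0") != 0 || strcmp(buf, "lp0") != 0)
        return 0;
    if (copy_devname_bounded(buf, sizeof buf, toolong) != -1)
        return 0;
    /* The unbounded copy is only ever given an in-bounds value here. */
    if (copy_devname_unbounded(buf, "lp0") != 0 || strcmp(buf, "lp0") != 0)
        return 0;

    if (setenv("PIODEVNAME", "lp0", 1) != 0)
        return 0;
    if (load_devname(buf, sizeof buf) != 0 || strcmp(buf, "lp0") != 0)
        return 0;
    if (setenv("PIODEVNAME", toolong, 1) != 0)
        return 0;
    if (load_devname(buf, sizeof buf) != -1)  /* oversized value refused */
        return 0;
    return 1;
}
```

A program that must keep root for part of its work can still apply the second half: do the privileged step first, then call drop_root_permanently() before touching anything derived from argv or the environment, so a later overflow runs with no saved uid to return to.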
Solution:
Fixes are available at:
http://techsupport.services.ibm.com/rs6k/fixes.html