The invscout program is "a setuid root application, installed by default under newer versions of IBM AIX, that surveys the host system for currently installed microcode or Vital Product Data (VPD)".
Local exploitation of an untrusted path vulnerability in the invscout command included by default in multiple versions of IBM Corp.'s AIX could allow attackers to execute arbitrary code as the root user.
Credit:
The information has been provided by iDEFENSE.
The original article can be found at: http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities
Vulnerable Systems:
* IBM AIX version 5.2.0
During execution, invscout invokes an external application ("lsvpd") without dropping privileges. This application in turn invokes another external application ("uname"), while trusting the user-specified PATH environment variable. As root privileges are not dropped before this sequence of execution occurs, it is possible for an attacker to gain root access by specifying a controlled path and creating a malicious binary within that path. To exploit the vulnerability, an attacker needs only to create an executable file called "uname" that contains malicious code, set the PATH variable to the current directory and execute /usr/sbin/invscout.
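The sequence above fails on three points at once: the helper is found through the caller's PATH, the environment is inherited, and root is kept across the exec. The following C example, added here and not code from IBM's invscout or lsvpd, shows the hardened pattern a setuid program should use: reject any PATH that is not an absolute allow-list, exec the helper only by absolute path with a fixed environment, and drop to the real uid/gid before exec. The allow-listed directories and the helper path are assumptions for illustration.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Directories a privileged program may search; anything else is rejected. */
static const char *TRUSTED_DIRS[] = { "/usr/bin", "/bin", "/usr/sbin", "/sbin", NULL };

/* Return 1 only if every PATH entry is absolute and allow-listed. An empty entry
 * or "." means the current directory, the case the invscout attack relied on. */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0') return 0;
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        int ok = 0;
        for (const char **d = TRUSTED_DIRS; *d != NULL; d++)
            if (strlen(*d) == len && strncmp(*d, start, len) == 0)
                ok = 1;
        if (!ok)
            return 0;               /* empty, relative or unlisted entry */
        if (end == NULL)
            return 1;
        start = end + 1;
    }
}

/* Run a helper by absolute path, with a fixed environment, as the caller's real
 * (unprivileged) identity. Returns the child's exit status, or -1 on error. */
int run_helper(const char *abs_path, char *const argv[])
{
    static char *const safe_env[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };
    if (abs_path == NULL || abs_path[0] != '/' || !path_is_trusted(safe_env[0] + 5))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop privileges permanently before exec: group first, then user. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(abs_path, argv, safe_env);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

A privileged survey tool would call `run_helper("/usr/bin/uname", argv)` instead of `system("uname")`; a PATH such as `.:/usr/bin` or `/usr/bin::/bin` is refused before any process is created.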
Analysis:
Exploitation of this vulnerability allows local attackers to gain increased privileges. Successful exploitation requires a local account and a writable directory. This directory can be the user's home directory, or even the /tmp directory. Exploitation does not require any knowledge of application internals, making privilege escalation trivial, even for unskilled attackers.
Workaround:
Only allow trusted users local access to security critical systems. Alternately, remove the setuid bit from invscout using chmod u-s /usr/sbin/invscout.
Vendor response:
"IBM provides the following fixes:
* APAR number for AIX 5.1.0: IY64852 (available)
* APAR number for AIX 5.2.0: IY64976 (available)
* APAR number for AIX 5.3.0: IY64820 (available)
NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at the latest maintenance level."
CVE Information:
CAN-2004-1054
Disclosure timeline:
11/12/2004 - Initial vendor notification
11/18/2004 - Initial vendor response
12/20/2004 - Coordinated public disclosure