AIX bugfiler hole

Summary
Description:running -b bugfiler <user> <directory> allows you to create wierd files in the directory (owned by <user>).
Author:Johannes Schwabe <schwabe@rzaix530.rz.uni-leipzig.de>
Compromise:In some cases root privileges can be gained (local)
Vulnerable Systems:AIX 3.*
Date:8 September 1997
Details


Date: Mon, 8 Sep 1997 15:55:43 +0200
From: Johannes Schwabe <schwabe@rzaix530.rz.uni-leipzig.de>
To: best-of-security@cyber.com.au
Subject: BoS: AIX bugfiler


------------------------------------------------------------------------
bugfiler vulnerability                                    September 1997
------------------------------------------------------------------------

Systems Affected: 
        Certain AIX machines. Others: unknown.
        (Vulnerability seen on AIX 3.* systems; no AIX 4.* machine
         inspected exhibited the flaw; all AIX 3.* machines inspected
         were vulnerable; very limited sample size though)

Description: 
        bugfiler (/lib/bugfiler) is SUID root.

Impact: 
        Local users can circumvent file access restrictions,
        leading to increased privileges. Depending on the 
        installation of the system, root privileges may be gained.

Exploit: 
        $whoami
        eviluser
        $/lib/bugfiler -b <user> <directory>

        creates funny files under the <user>-owned <directory>
        and that may be used by crackers to increase privileges.
        See the manpage of bugfiler for more information.
        (bugfiler does not work for some <user>s)

Further information:
        bugfiler is intended to be run from a mail alias, handle
        bug reports piped to it, and maintain a database of
        bug reports in the specified directory. There should be
        no need for mere mortals executing it, and it should
        be prevented that local users run it. On systems not using
        bugfiler at all, the suggestion for the admin is to simply remove
        the SUID bit from all bugfiler binaries. 
        (The actual fix may differ from system to system.) 

        Mail from "<bugs@...> (Bugs Bunny)" may mean that /lib/bugfiler
        was executed.

-----------------------------------------------------------------------

        (Maybe this is old news, but I could not find any information
        about it on the web.)

-----------------------------------------------------------------------
Copyright (c) 1997 Johannes Schwabe, schwabe@rzaix530.rz.uni-leipzig.de
-----------------------------------------------------------------------


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]