Exploit world!

AIX Section

Compiled by Fyodor fyodor@insecure.org

on Thu Jan 13 21:41:31 UTC 2000

[Back] to Fyodor's Playhouse

AIX rmail hole
Description:	IFS attack, apparently AIX may be using system()
Author:	Unknown
Compromise:	gid mail
Vulnerable Systems:	AIX 3.2, perhaps earlier
Date:	10 May 1998 (it is actually much older)
Notes:	Thanks to the person who submitted this to me!
Exploit &amp full info:	Available here

Xaw and Xterm vulnerabilities
Description:	There are a number of vulnerabilities in X11R6 xterm(1) and Xaw(3c) libraries. They are mostly all overflows
Author:	Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin
Compromise:	root (local)
Vulnerable Systems:	Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable.
Date:	4 May 1998
Notes:	I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out!
Exploit &amp full info:	Available here

MGE UPS serious security holes
Description:	Standard security holes are plentiful in the MGE UPS software
Author:	Ryan Murray <rmurray@PC-42839.BC.ROGERS.WAVE.CA>
Compromise:	root (local)
Vulnerable Systems:	Those running vulnerable versions of MGE UPS software. It apparently runs on Solaris, AIX, SCO, etc.
Date:	12 April 1998
Exploit &amp full info:	Available here

AIX mount vunlerability
Description:	AIX mount has a serious problem that allows people to mount any filesystem on top of any writeable space.
Author:	"S. Ryan Quick" <ryan@PHAEDO.COM>
Compromise:	Mount filesystems on top of any writeable space (this could allow you to clobber files, among other things).
Vulnerable Systems:	AIX 4.1.3, 4.1.4, 4.2.0, 4.2.1
Date:	28 December 1997
Exploit &amp full info:	Available here

Solaris Statd exploit
Description:	Solaris 2.5.1 x86 remote overflow for statd. There is apparently an earlier patch which doesn't fix the problem.
Author:	Anonymous
Compromise:	root (remote)
Vulnerable Systems:	Solaris 2.5.1 x86 is what this exploit is written for. According to a later CERT advisory, vulnerable systems include Digital UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5, 2.51 and SunOS 4.1.* for both X86 and SPARC
Date:	24 November 1997
Exploit &amp full info:	Available here

ftp mget vulnerability
Description:	If the nlist caused by a mget returns a file like /etc/passwd , most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "\|sh" to execute arbitrary commands.
Author:	I don't recall who found it first, in the appended post af@c4c.com gives an example of the bug using Linus slackware
Compromise:	ftp servers can compromise clients who use mget to d/l files
Vulnerable Systems:	ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems
Date:	3 November 1997 was when this example was posted (the bug was found a while back)
Exploit &amp full info:	Available here

AIX xdat overflow
Description:	Typical buffer overflow, this time with $TZ in AIX's xdat program
Author:	Unknown
Compromise:	root (local)
Vulnerable Systems:	AIX 4.1, 4.2
Date:	22 October 1997
Exploit &amp full info:	Available here

AIX bugfiler hole
Description:	running -b bugfiler <user> <directory> allows you to create wierd files in the directory (owned by <user>).
Author:	Johannes Schwabe <schwabe@rzaix530.rz.uni-leipzig.de>
Compromise:	In some cases root privileges can be gained (local)
Vulnerable Systems:	AIX 3.*
Date:	8 September 1997
Exploit &amp full info:	Available here

Hole in the vacation program
Description:	The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing
Author:	bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise:	Run arbitrary commands remotely as the user running vacation
Vulnerable Systems:	At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail.
Date:	1 September 1997
Exploit &amp full info:	Available here

Hole in the vacation program
Description:	The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing
Author:	bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise:	Run arbitrary commands remotely as the user running vacation
Vulnerable Systems:	At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail.
Date:	1 September 1997
Exploit &amp full info:	Available here

syslogd spoofing
Description:	remote syslogd uses udp and is easily spoofable, as Yuri demonstrates in this excellent paper. Also, there isn't an easy way to turn off remote listening from AIX boxes.
Author:	Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:	spoof syslogd, add fake log messages, overflow it, etc.
Vulnerable Systems:	Those that have syslogd listening for remote messages, AIX is especially vulnerable.
Date:	27 August 1997
Exploit &amp full info:	Available here

Check for existance of files on systems runninng mountd
Description:	Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not.
Author:	Peter <deviant@UNIXNET.ORG>
Compromise:	query for existance of arbitrary files (by name). This could help determine security flaws present on a remote system.
Vulnerable Systems:	Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc.
Date:	24 August 1997
Exploit &amp full info:	Available here

Vulnerability with -C in IBM's version of sendmail
Description:	Supposedly, /usr/lib/sendmail -C <anyfile> while display the file specified regardless of permissions. This is also true on versions of sendmail prior to 8.8.7 if they are installed setgid. They shouldn't be setgid, but an errant makefile sets them that way.
Author:	"DI. Dr. Klaus Kusche" <Klaus.Kusche@OOE.GV.AT>
Compromise:	Read files beyond your permissiosn.
Vulnerable Systems:	the IBM sendmail on AIX 4.1.5 and sendmail prior to 8.8.7 which is installed setgid.
Date:	6 August 1997
Notes:	A post from Troy Bollinger at IBM clarified that you have to be in the "system" group (gid 0) in order to use the -C trick. This limits the exploit potential A LOT! Also, A post by Eric Allman is appended to Dr. Kusche's post.
Exploit &amp full info:	Available here

AIX /usr/sbin/lchangelv overflow
Description:	Standard buffer overflow
Author:	"Bryan P. Self" <bryan@SCOTT.NET> ( BeastMaster V)
Compromise:	gid or egid system -> root
Vulnerable Systems:	AIX 4.x (at least 4.2). PowerPC platform.
Date:	21 July 1997
Exploit &amp full info:	Available here

AIX /usr/bin/X11/xlock exploit
Description:	standard overflow
Author:	Well known vulnerability, but "Bryan P. Self" <bryan@SCOTT.NET> posted the exploit for it.
Compromise:	root (local)
Vulnerable Systems:	AIX 4.x PowerPC architecture
Date:	21 July 1997
Exploit &amp full info:	Available here

AIX ping overflow
Description:	standard overflow, AIX 4.2/PPC ping
Author:	"Bryan P. Self" <bryan@SCOTT.NET>
Compromise:	root (local)
Vulnerable Systems:	Systems?: AIX 4.2, exploit for PPC platform
Date:	21 July 1997
Exploit &amp full info:	Available here

AIX 4.2 HOME environmental variable overflow
Description:	Typical environmental variable overflow.
Author:	Georgi Guninski <guninski@hotmail.com>
Compromise:	root (local)
Vulnerable Systems:	AIX 4.2, probably other versions
Date:	10 June 1997
Exploit &amp full info:	Available here

AIX lquerylv overflow
Description:	standard overflow
Author:	Georgi Guninski <guninski@hotmail.com>
Compromise:	root (local)
Vulnerable Systems:	AIX 4.2 tested on a RS/6000 box. All 4.x, 3.x probably affected.
Date:	26 May 1997
Exploit &amp full info:	Available here

AIX 4.2 /usr/dt/bin/dtterm buffer overflow
Description:	Standard buffer overflow. Possibly in the X library.
Author:	Georgi Guninski <guninski@hotmail.com> (and who says all hotmail users are idiots?)
Compromise:	root (local)
Vulnerable Systems:	AIX 4.2, possibly others. Exploit for a RS/6000 box.
Date:	20 May 1997
Exploit &amp full info:	Available here

AIX LC_MESSAGES /usr/sbin/mount and /bin/host holes
Description:	Standard buffer overflow, using LC_MESSAGES
Author:	Georgi Guninski (guninski@linux2.vmei.acad.bg)
Compromise:	root (local)
Vulnerable Systems:	AIX 4.2, possibly 4.1 and more
Date:	3 April 1997
Exploit &amp full info:	Available here

IRIX suid_exec hole
Description:	suid_exec, a program apparently distributed with ksh, has a number of security holes, including trusting the user's $SHELL variable.
Author:	Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise:	root (local)
Vulnerable Systems:	Irix 5.3 and 6.2, possibly AIX and others.
Date:	2 December 1996
Exploit &amp full info:	Available here

AIX powerPC gethostbyname() and /bin/host exploits
Description:	standard buffer overflow in gethostbyname
Author:	Georgi Guninski (guninski@technologica.bg)
Compromise:	root (local)
Vulnerable Systems:	AIX systems on PowerPC with vulnerable gethostbyname(). AIX 4.1, possibly 3.x, 4.x.
Date:	13 January 1996
Exploit &amp full info:	Available here

This page Copyright &#169 Fyodor 1996, 1997, 1998
[Back] to Fyodor's Exploit World main index