Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (UNIX)  >   IBM AIX Vendors:   IBM
IBM AIX getcommand/getshell Commands Disclose Contents of Shell Files to Local Users
SecurityTracker Alert ID:  1015429
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 1 2006
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): AIX 5.3
Description:   A vulnerability was reported in IBM AIX. A local user can view shell documents. A local user can determine if files exist on the target system.

The getCommand and getShell commands allow a local user to determine if a file exists or not because the commands return different information if a non-existent file is specified.

A local user can also view shell files on the target system.

A demonstration exploit command is provided:

./ ../../../../../tmp/

The vendor was notified on December 26, 2005.

XFOCUS discovered these vulnerabilities.

Impact:   A local user can view the contents of shell documents on the target system.

A local user can determine if files exist on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] [xfocus-SD-060101]AIX getCommand&getShell two

Title:[xfocus-SD-060101]AIX getCommand&getShell two vulnerabilities

Affected version : aix5.3 ml03,Other versions not test,
                       should also be affected.
Where: Local

XFOCUS ( had already discovered
some vulnerabilities in getCommand&getShell.

After apply newest patch,getCommand&getShell still have two
vulnerabilities,That is
1: exploit that,a attacker can determine file be exist or not,which
should can't readed
2: exploit that,a attacker can read in any shell document(include no
permission file) has the cd operation the following partial content.

example test:
-bash-3.00$./ ../../../../../../etc/security/passwd
-bash-3.00$./ ../../../../../../etc/security/passwd.aa
fopen:  No such file or directory
-bash-3.00$ ls -ld /etc/security/
drwxr-x--- 4 root security 512  2005-12-22 21:09 /etc/security/
-bash-3.00$ ls -l /tmp/ -rwx------ 1 root system 79 2005-12-22 23:40
-bash-3.00$./ ../../../../../tmp/

ps -ef > /tmp/log. $$
grep test /tmp/log.
$$ rm /tmp/log. $$


December,26 2005 - Initial vendor notification
January 1, 2006 - Public disclosure(vendor not reply)



Kind Regards,

XFOCUS Security Team

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC