CVE-2004-1054

IBM AIX <5.3.0 - Privilege Escalation

Exploitation Summary

EIP tracks 2 public exploits for CVE-2004-1054. PoCs published by ri0t, cees-bart.

Description

Untrusted execution path vulnerability in invscout in IBM AIX 5.1.0, 5.2.0, and 5.3.0 allows local users to gain privileges by modifying the PATH environment variable to point to a malicious "uname" program, which is executed from lsvpd after lsvpd has been invoked by invscout.

Exploits (2)

exploitdb WORKING POC VERIFIED
by ri0t · bash · local · aix
https://www.exploit-db.com/exploits/898

This exploit leverages a PATH environment variable manipulation vulnerability in invscout to execute arbitrary commands as root. It creates a malicious 'uname' script in /tmp that copies and sets the SUID bit on /usr/bin/ksh, then executes it via the vulnerable binary.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: invscout (version not specified)
No auth needed
Prerequisites: Access to a system with vulnerable invscout · Ability to write to /tmp · invscout must be executable by the attacker
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by cees-bart · bash · local · aix
https://www.exploit-db.com/exploits/701

This exploit leverages a directory traversal vulnerability in the `lsmcode` utility to execute arbitrary commands as root. It creates a malicious `Dctrl` script in `/tmp/aap/bin/` that copies `/bin/sh` to `/tmp/.shh` and sets the SUID bit, granting root privileges.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: lsmcode (likely part of AIX or related systems)
No auth needed
Prerequisites: Access to a vulnerable system with `lsmcode` installed · Write permissions in `/tmp`
devstral-2 · analyzed Feb 18, 2026

References (5)

Vendor Advisory third-party-advisory x_refsource_idefense
http://www.idefense.com/application/poi/display?id=171&type=vulnerabilities
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/18619
Various Sources vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64852&apar=only
Various Sources vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64820&apar=only
Various Sources vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64976&apar=only

Scores

EPSS 0.0095
EPSS Percentile 56.6%

Details

Status published
Products (7)
ibm/aix 5.1
ibm/aix 5.1l
ibm/aix 5.2
ibm/aix 5.2.2
ibm/aix 5.2_l
ibm/aix 5.3
ibm/aix 5.3_l
Published Jan 10, 2005
Tracked Since Feb 18, 2026