CVE-2004-1329
IBM AIX 5.1-5.3 - Untrusted Execution Path via DIAGNOSTICS Environment Variable
Title source: manual

Exploitation Summary
EIP tracks 2 public exploits for CVE-2004-1329. PoCs published by cees-bart.

AI-analyzed exploit summary
This exploit leverages a directory traversal vulnerability in the `lsmcode` utility to execute arbitrary commands as root. It creates a malicious `Dctrl` script in `/tmp/aap/bin/` that copies `/bin/sh` to `/tmp/.shh` and sets the SUID bit, granting root privileges.
Description
Untrusted execution path vulnerability in the diag commands (1) lsmcode, (2) diag_exec, (3) invscout, and (4) invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program.
Exploits (2)
1. This exploit leverages a directory traversal vulnerability in the `lsmcode` utility to execute arbitrary commands as root. It creates a malicious `Dctrl` script in `/tmp/aap/bin/` that copies `/bin/sh` to `/tmp/.shh` and sets the SUID bit, granting root privileges.
2. This exploit leverages a local privilege escalation vulnerability in certain diag applications by manipulating the `DIAGNOSTICS` environment variable to execute arbitrary code with elevated privileges. It creates a malicious script that copies and sets the SUID bit on `/bin/sh`, allowing the attacker to gain root access.