CVE-2007-3333

IBM AIX 5.2.0 and 5.3 SP6 - Remote Code Execution via Terminal Control Sequence Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-3333. PoCs published by qaaz.

AI-analyzed exploit summary This exploit targets a local privilege escalation vulnerability in IBM AIX's `capture` utility (CVE-2007-3333) by leveraging environment variable manipulation and shellcode execution to gain root access. It uses a combination of shellcode injection and pseudo-terminal manipulation to spawn a root shell.

Description

Stack-based buffer overflow in capture in IBM AIX 5.3 SP6 and 5.2.0 allows remote attackers to execute arbitrary code via a large number of terminal control sequences.

Exploits (2)

exploitdb WORKING POC VERIFIED
by qaaz · clocalaix
https://www.exploit-db.com/exploits/4231

This exploit targets a local privilege escalation vulnerability in IBM AIX's `capture` utility (CVE-2007-3333) by leveraging environment variable manipulation and shellcode execution to gain root access. It uses a combination of shellcode injection and pseudo-terminal manipulation to spawn a root shell.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: IBM AIX <= 5.3 sp6
No auth needed
Prerequisites: Local access to an AIX system with vulnerable `capture` utility · Ability to execute binaries
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by qaaz · clocalaix
https://www.exploit-db.com/exploits/30399

This exploit leverages a stack-based buffer overflow in IBM AIX's setuid-superuser program `/usr/bin/capture` to execute arbitrary code with superuser privileges. It uses a combination of environment variable manipulation and shellcode injection to achieve local privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: IBM AIX (version not specified, likely older versions)
No auth needed
Prerequisites: Local access to the vulnerable system · Presence of the vulnerable `/usr/bin/capture` binary
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26219
Various Sources vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01134
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2676
Various Sources vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01135
Third Party Advisory third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=570
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1018464
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/35626
Various Sources x_refsource_confirm
ftp://aix.software.ibm.com/aix/efixes/security/README
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25075

Scores

EPSS 0.0350
EPSS Percentile 87.6%

Details

CWE
CWE-119
Status published
Products (2)
ibm/aix 5.2.0
ibm/aix 5.3 sp6
Published Jul 26, 2007
Tracked Since Feb 18, 2026