CVE-2009-2669

IBM AIX <6.1 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2669. PoCs published by Marco Ivaldi.

AI-analyzed exploit summary This exploit leverages improper handling of the _LIB_INIT_DBG and _LIB_INIT_DBG_FILE environment variables in IBM AIX to create an arbitrary root-owned file with world-writable permissions via a setuid-root program linked to libC.a or libc.a. It demonstrates a local privilege escalation by overwriting sensitive files.

Description

A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which allows local users to gain privileges by leveraging a setuid-root program to create an arbitrary root-owned file with world-writable permissions, related to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Marco Ivaldi · bashlocalaix

https://www.exploit-db.com/exploits/9645

View Code ZIP pw:eip

This exploit leverages improper handling of the _LIB_INIT_DBG and _LIB_INIT_DBG_FILE environment variables in IBM AIX to create an arbitrary root-owned file with world-writable permissions via a setuid-root program linked to libC.a or libc.a. It demonstrates a local privilege escalation by overwriting sensitive files.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: IBM AIX 5.3 (xlC.rte < 10.1.0.2) and AIX 6.1 (bos.rte.libc < 6.1.3.2)

No auth needed

Prerequisites: Access to a vulnerable AIX system · Presence of a setuid-root binary linked to libC.a or libc.a

MITRE ATT&CK