CVE-2013-4011

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-4011. PoCs published by Metasploit, Kristian Erik Hermansen, including Metasploit module exploits/aix/local/ibstat_path.

AI-analyzed exploit summary This Metasploit module exploits a trusted $PATH environment variable vulnerability in the SUID binary 'ibstat' on IBM AIX systems to escalate privileges to root. It creates a malicious 'arp' script and a SUID root shell binary to gain elevated access.

Description

Multiple unspecified vulnerabilities in the InfiniBand subsystem in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, allow local users to gain privileges via vectors involving (1) arp.ib or (2) ibstat.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/32700

View Code ZIP pw:eip

This Metasploit module exploits a trusted $PATH environment variable vulnerability in the SUID binary 'ibstat' on IBM AIX systems to escalate privileges to root. It creates a malicious 'arp' script and a SUID root shell binary to gain elevated access.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: IBM AIX Version 6.1, 7.1

No auth needed

Prerequisites: Write access to a directory (e.g., /tmp) · Presence of vulnerable 'ibstat' binary with SUID bit set

MITRE ATT&CK

T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Kristian Erik Hermansen · bashlocalaix

https://www.exploit-db.com/exploits/28507

View Code ZIP pw:eip

This exploit leverages a vulnerability in IBM AIX's ibstat command to escalate privileges to root by manipulating the PATH environment variable to execute a malicious script. The script copies /bin/sh to a temporary location and sets the SUID bit, granting root access.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: IBM AIX 6.1, 7.1, and VIOS 2.2.2.2-FP-26 SP-02

Auth required

Prerequisites: Local access to the target system · Presence of vulnerable ibstat command

MITRE ATT&CK

T1548.001 - Setuid and Setgid T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Kristian Erik Hermansen · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/aix/local/ibstat_path.rb

View Code ZIP pw:eip

This Metasploit module exploits a trusted $PATH environment variable vulnerability in the SUID binary 'ibstat' on IBM AIX systems. It manipulates the PATH to execute a malicious 'arp' script, which then sets the SUID bit on a custom binary to escalate privileges to root.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: IBM AIX Version 6.1, 7.1

No auth needed

Prerequisites: Access to a vulnerable IBM AIX system with 'ibstat' SUID binary · Write permissions in a directory included in PATH

MITRE ATT&CK