Vendor: Bugfiler
By: SecurityFocus
CVSS: 7.2 (HIGH)
Privilege Escalation
CWE: 264
Product Name: Bugfiler
Affected Version From: AIX 3.*
Affected Version To: AIX 3.*
Patch Exists: No
Related CWE: N/A
CPE: aix:bugfiler
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: AIX
2002
AIX 3.* Bugfiler Vulnerability
A vulnerability exists in AIX 3.* versions of bugfiler, a utility that automates the process of reporting and filing system bugs. Bugfiler, installed setuid root, creates files in a directory specified by the user invoking the program (example: $ /lib/bugfiler -b <user> <directory>). It may be possible for an attacker to create files in arbitrary directories that are owned by attacker-specified users. This may result in an elevation of privileges for the attacker.
Mitigation:
Ensure that the bugfiler utility is not installed with setuid root privileges.