Preface

Have you ever seen privilege escalation in action on IBM i? In this post we show how techniques we already posted about could be used to discover and exploit a previously unknown vulnerability.

The IBM Facsimile Support for i was vulnerable to local privilege escalation - the vulnerabilities were discovered by us and an advisory was published by IBM on 2023.07.16. It seems that this even encouraged IBM to correct other privilege escalation vectors in this product.

Details

The QFAX/QFFSTRFCPP runs with *OWNER authority as QAUTPROF and calls the QFQSES *PGM based on the library list. An attacker is able set their own library list and thus make QFFSTRFCPP run their own, specially crafted QFQSES and execute code as QAUTPROF.

The QAUTPROF profile has *USE authority on the powerful QFAXMSF profile, thus simple profile switching/swapping is enough to gain *ALLOBJ privileges.

The following video demonstrates the QFAX/QFFSTRFCPP *PGM privilege escalation vulnerability. Although only a single CVE was issued, this is only one of the 7 reported vulnerabilities in Facsimile Support.

Of course, our iCompliant tool includes a detection case for each individual vulnerability covered by the advisory.

Additionally, with our Exclusive Vulnerability Feed, our customers can identify vulnerabilities based on our research even before the vendor releases the patch.

Timeline

• 2023.04.21 - Sent technical details to IBM PSIRT
• 2023.04.24 - IBM PSIRT assigned ADV0084103
• 2023.07.16 - IBM published Security Bulletin with CVE-2023-30988 assigned
• 2023.08.22 - Published technical details