NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2004-01

----------========== OPEN3S-2003-08-08-eng-informix-ontape ==========----------

paskopen3s.com
Date: Thu Jan 29 2004 - 03:19:58 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----------========== OPEN3S-2003-08-08-eng-informix-ontape ==========----------

Title: Local Vulnerability at Informix IDSv9.40 via ontape binary
Date: 08-08-2003
Platform: Only tested in Linux but can be exported to others.
Impact: Any user with DSA privileges over Informix could achieve root
privileges through a stack buffer overflow in ontape binary
Author: Juan Manuel Pascual Escriba paskopen3s.com
Status: Solved by IBM Corp.

PROBLEM SUMMARY:

Stack Buffer overflow exists in ONCONFIG environment variable read
process when it's bigger than 495 bytes.

[informixdimoni bin]$ export ONCONFIG=`perl -e 'print "A"x495'`
[informixdimoni bin]$ ./ontape
WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
Segmentation fault

[paskdimoniet bin]$ gdb ./ontape
(gdb) r
WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
Segmentation fault

(gdb) info reg
eax 0xffffffff -1
ecx 0x40083580 1074279808
edx 0x46 70
ebx 0x1 1
esp 0xbfff74a0 0xbfff74a0
ebp 0x41414141 0x41414141
esi 0xbfff74cc -1073777460
edi 0x0 0
eip 0x41414141 0x41414141

It's posible to achieve root privileges through this buffer overflow.

IMPACT:
Any user with exec permision over ontape could achieve root
privileges. In my default installation only users with DSA privileges
can exec this binary.

SOLUTION:

See more infomartion about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336

STATUS

Reported to IBM security team at 11th of August 2003

See more infomartion about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336

This vulnerability was managed in an efficient manner by Jonathan Leffler
from IBM Informix Database Engineering Team.

EXPLOIT
http://www.open3s.com/exploits/OPEN3S-2003-08-08-eng-informix-ontape.c

--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba paskopen3s.com
Barcelona - Spain http://www.open3s.com

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]