[NEWS] Interbase ISC_LOCK_ENV Overflow
From: support@securiteam.com
Date: 04/21/03
- Previous message: support@securiteam.com: "[UNIX] ChiTeX Local Root Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 21 Apr 2003 19:23:04 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
Interbase ISC_LOCK_ENV Overflow
------------------------------------------------------------------------
SUMMARY
The Interbase gds_lock_mgr checks for the ISC_LOCK_ENV upon init. This
variable has been defined as "INTERBASE_LOCK". If the ISC_LOCK_ENV is over
1024 chars in length, a segfault will occur. Secure Network Operations
have successfully exploited this issue and have been able to run their own
shellcode.
DETAILS
The problem lies in one of many strcat() calls in gds.c:
/common.h:#define MAXPATHLEN 1024
/gds.c:714:#define ISC_LOCK_ENV "INTERBASE_LOCK"
/gds.c:425:static char ib_prefix_lock_val[MAXPATHLEN];
void API_ROUTINE gds__prefix_lock (
TEXT *string,
TEXT *root)
/********************************************************
*
* g d s _ $ p r e f i x _ l o c k ( n o n - V M S )
*
********************************************************
*
* Functional description
* Find appropriate InterBase lock file prefix.
* Override conditional defines with the enviroment
* variable INTERBASE_LOCK if it is set.
*
**************************************/
string [0] = 0;
if (ib_prefix_lock == NULL)
{
if (!(ib_prefix_lock = getenv (ISC_LOCK_ENV)))
{
ib_prefix_lock = ib_prefix_lock_val;
gds__prefix(ib_prefix_lock, "");
}
else
{
strcat (ib_prefix_lock_val, ib_prefix_lock); // PROBLEM HERE
ib_prefix_lock = ib_prefix_lock_val;
}
}
During exploit development, Secure Network Operations ran into one
setback. The result was the lack of an interactive shell. Secure Network
Operations instead run a program of in /tmp.
[elguapo@rh8 tmp]$ cat sh.c
main(){setuid(0);setgid(0);system("/usr/bin/id > /tmp/SNO");}
[elguapo@rh8 tmp]$ cc -o sh sh.c
[elguapo@rh8 tmp]$ id
uid=500(elguapo) gid=500(elguapo) groups=500(elguapo)
[elguapo@rh8 tmp]$ ls -al ./gds_lock_mgr
-rwsr-sr-x 1 root root 116723 Nov 26 20:31 ./gds_lock_mgr
[elguapo@rh8 tmp]$ ./gds_lock_mgr_ex.pl
[elguapo@rh8 tmp]$ cat SNO
uid=0(root) gid=0(root) groups=500(elguapo)
Patch or Workaround:
chmod -s /path/to/gds_lock_mgr
Or edit the above mentioned strcat() call in gds__prefix_lock() from
/gds.c to make use of strncat().
strncat (ib_prefix_lock_val, ib_prefix_lock,
sizeof(ib_prefix_lock_val)-1);
Vendor Status:
Borland was emailed several months ago. As with previous security contact
to Borland, no response was provided by the vendor.
ADDITIONAL INFORMATION
The information has been provided by <mailto:dotslash@snosoft.com> KF.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[UNIX] ChiTeX Local Root Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
