[UNIX] IBM U2 UniVerse UVADM Can Take Root via Buffer Overflows

From: SecuriTeam (support_at_securiteam.com)
Date: 07/17/03

  • Next message: SecuriTeam: "[NT] ISA Server - Error Page Cross-Site Scripting (Additional Details)" 
    To: list@securiteam.com
Date: 17 Jul 2003 20:10:00 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      IBM U2 UniVerse UVADM Can Take Root via Buffer Overflows
    ------------------------------------------------------------------------

    SUMMARY

     <http://ibm.com/software/data/u2/universe/> UniVerse is "an extended
    relational database designed for embedding in vertical applications. Its
    nested relational data model results in intuitive data modeling and fewer
    resulting tables. UniVerse provides data access, storage and management
    capabilities across Microsoft Windows NT, Linux, and UNIplatform".

    The uvadm user may exploit a buffer overflow in the uvadmsh binary to take
    root. There is a buffer overflow when processing command line arguments.
    Please note that without the -uv.install argument this issue is NOT
    exploitable however the overflow still occurs.

    DETAILS

    Vulnerable systems:
     * IBM U2 UniVerse version 10.0.0.9 and prior

    Example:
    (gdb) r -uv.install `perl -e 'print "Z" x 546'`
    Starting program: uvadmsh -uv.install `perl -e 'print "Z" x 546'`
    error

    Program received signal SIGSEGV, Segmentation fault.
    0x5a5a5a5a in ?? ()
    (gdb) bt
    #0 0x5a5a5a5a in ?? ()
    Cannot access memory at address 0x5a5a5a5a

    You must have uvadm rights in order to exploit this issue. The creation
    and use of the UNIX user 'uvadm' is optional for UniVerse. It is not
    required for the successful installation, configuration, and
    administration of UniVerse. The intended use of uvadm is to allow a
    selected, specific non-root user to perform all aspects of UniVerse
    administration.

    Workaround:
    Run the following command:
    #chmod -s /usr/ibm/uv/bin/uvadmsh

    Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user
    to perform all of the uvadmsh functions.

    Vendor status:
    The IBM U2 staff will resolve this issue in a future release of IBM U2.
    Patches will be supplied on a per client basis at IBM's discretion.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:dotslash@snosoft.com> KF.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] ISA Server - Error Page Cross-Site Scripting (Additional Details)"

    Relevant Pages