[UNIX] Borland Interbase Administrative Access Vulnerability (admin.ib)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/23/04
To: list@securiteam.com Date: 23 Mar 2004 20:48:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Borland Interbase Administrative Access Vulnerability (admin.ib)
------------------------------------------------------------------------
SUMMARY
"Borland <http://www.borland.com/interbase/> Interbase is a small, high
performance commercial database for Linux, Solaris, and Windows operating
systems."
A file permission problem exists that makes it trivial for a local
unprivileged user to gain administrative access rights to the database.
DETAILS
Vulnerable Systems:
* Borland Interbase version 7.1 for Linux
The vulnerability exists due to incorrect file permissions on the
admin.ib user database file. Local attackers can add accounts or modify
existing ones to gain administrative privileges that would otherwise be
available to the administrator alone. The out-of-the-box file permissions
are shown below:
# ls -l /opt/interbase/admin.ib
-rw-rw-rw- 1 root root 616497 Dec 30 11:17 /opt/interbase/admin.ib
Any user can access and modify this file, and can therefore create and
modify accounts. Successful exploitation yields administrative privileges
over the database for local users.
Workaround
Remove global write permissions from the admin.ib user database file, like
so:
# chmod 664 /opt/interbase/admin.ib
# ls -l /opt/interbase/admin.ib
-rw-rw-r-- 1 root root 616497 Dec 30 11:17 /opt/interbase/admin.ib
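The check and workaround above, generalized to every regular file under the install directory, as an added example that is not part of the original advisory. The function names are illustrative; /opt/interbase is the path shown in the advisory, and another directory can be passed if the product is installed elsewhere.

```shell
#!/bin/sh
# Added example, not part of the advisory: find world-writable files in an
# InterBase install tree and clear the world-write bit.
# Function names are illustrative assumptions.

# Print the path of every regular file under $1 whose mode has the
# world-write bit (o+w) set, one per line. Returns 2 if $1 is not a directory.
list_world_writable() {
    [ -d "$1" ] || return 2
    find "$1" -type f -perm -0002 -print
}

# Clear only the world-write bit on each file found, leaving owner and group
# bits untouched. On a 0666 file this yields 0664, the mode the workaround
# sets. Prints each path it changed.
fix_world_writable() {
    [ -d "$1" ] || return 2
    find "$1" -type f -perm -0002 -exec chmod o-w {} \; -print
}

# Report offenders with a long listing. Returns 0 if the tree is clean,
# 1 if any world-writable file exists, 2 if $1 is not a directory.
audit() {
    found=$(list_world_writable "$1") || return 2
    [ -z "$found" ] && { echo "OK: no world-writable files under $1"; return 0; }
    echo "World-writable files under $1:"
    # Paths containing newlines are not handled by this loop.
    echo "$found" | while IFS= read -r f; do ls -ld "$f"; done
    return 1
}

# Runs only when a directory is given:
#   sh audit.sh /opt/interbase        report
#   sh audit.sh /opt/interbase fix    clear o+w on the files found
if [ $# -ge 1 ]; then
    if [ "${2:-}" = "fix" ]; then fix_world_writable "$1"; else audit "$1"; fi
fi
```

The non-zero exit status from the report mode lets a cron job or configuration-management check flag a host where the file has reverted to its shipped permissions, for example after a reinstall.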
Disclosure Timeline
January 13, 2004 Vulnerability acquired by iDEFENSE
February 9, 2004 Initial vendor notification sent - no response
February 12, 2004 iDEFENSE clients notified
March 1, 2004 Secondary vendor notification sent - no response
March 19, 2004 Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE Security Advisories.