Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Date: Tue, 9 Feb 1999 17:57:27 +0100
From: Oezguer Kesim <[email protected]>
To: [email protected]
Subject: Re: L0pht Advisory - Rational Software ClearCase root exploitable race conditions

Holla,

things are even worse!  You may want to remove the setuid flag from
/usr/atria/etc/db_loader, _but_ this won't fix the problem -- just the exploit
given by Dr. Mudge.  Let me elaborate:

1.  Observation:
================

If we make a
	
	# /usr/atria/bin/cleartool mkvob -tag /tmp/foo /tmp/foo.vbs

you'll notice that
	
	# ls -l /tmp/foo.vbs/db/db_dumper

results
	
	-r-sr-xr-x   1 root     root      1526912 Jan 21  1998 db_dumper

2.  Observation:
================

While using the above command (cleartool mkvob ...) see what albd_server
actually makes:
	
	# ps -A | grep albd
	188 ?	0:08 albd_ser

Now, if you read the output of

	truss -f -p 188

when the above command is used, you'll notice the following:
	
	...
	
	188:    fork()                                          = 14311
	14311:  fork()          (returning as child ...)        = 188
	...

	14311:  execve("/usr/atria/etc/db_server", 0xEFFFED9C, 0xEFFFFF24)  argc = 3
	...

	14311:  stat("/usr/atria/etc/db_dumper", 0xEFFFE110)    = 0
	14311:  access("/tmp/foo.vbs/db/db_dumper", 0)        Err#2 ENOENT
	14311:  open("/usr/atria/etc/db_dumper", O_RDONLY)      = 14
	14311:  open("/tmp/foo.vbs/db/db_dumper", O_WRONLY|O_CREAT|O_TRUNC, 0100555) = 15
	14311:  read(14, "7F E L F010201\0\0\0\0\0".., 65536)   = 65536
	14311:  write(15, "7F E L F010201\0\0\0\0\0".., 65536)  = 65536
	...

	14311:  utime("/tmp/foo.vbs/db/db_dumper", 0xEFFFD400) = 0
	14311:  stat("/tmp/foo.vbs/db/db_dumper", 0xEFFFE438) = 0
	14311:  chmod("/tmp/foo.vbs/db/db_dumper", 0104555)   = 0

In other words _exactly the same code as before_ !!  But this time in
/usr/atria/etc/db_server and called by the daemon albd_server running under
uid root.

Therefore, you can use the exploit by l0pht after small modifiactions, _even_
if you remove the setuid flag of /usr/atria/etc/db_loader .

3.  Observation:
================

	# ldd /usr/atria/etc/db_server
	libatriadb.so =>         /usr/atria/shlib/libatriadb.so

	# strings /usr/atria/shlib/libatriadb.so | grep db_dumper
	db_dumper

Most probably the whole code is written in here...

cheers,
  oec

--
Oezguer Kesim       |
Unix Support        |  Email: [email protected]
Alcatel SEL Berlin  |

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Партнёры:

Хостинг: