clearcase2.txt

1999-08-17T00:00:00
ID PACKETSTORM:12207
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

`Date: Tue, 9 Feb 1999 17:57:27 +0100  
From: Oezguer Kesim <Oec.Kesim@ALCATEL.DE>  
To: BUGTRAQ@netspace.org  
Subject: Re: L0pht Advisory - Rational Software ClearCase root exploitable race conditions  
  
Holla,  
  
things are even worse! You may want to remove the setuid flag from  
/usr/atria/etc/db_loader, _but_ this won't fix the problem -- just the exploit  
given by Dr. Mudge. Let me elaborate:  
  
1. Observation:  
================  
  
If we make a  
  
# /usr/atria/bin/cleartool mkvob -tag /tmp/foo /tmp/foo.vbs  
  
you'll notice that  
  
# ls -l /tmp/foo.vbs/db/db_dumper  
  
results in  
  
-r-sr-xr-x 1 root root 1526912 Jan 21 1998 db_dumper  
  
2. Observation:  
================  
  
While using the above command (cleartool mkvob ...) see what albd_server  
actually makes:  
  
# ps -A | grep albd  
188 ? 0:08 albd_ser  
  
Now, if you read the output of  
  
truss -f -p 188  
  
when the above command is used, you'll notice the following:  
  
...  
  
188: fork() = 14311  
14311: fork() (returning as child ...) = 188  
...  
  
14311: execve("/usr/atria/etc/db_server", 0xEFFFED9C, 0xEFFFFF24) argc = 3  
...  
  
14311: stat("/usr/atria/etc/db_dumper", 0xEFFFE110) = 0  
14311: access("/tmp/foo.vbs/db/db_dumper", 0) Err#2 ENOENT  
14311: open("/usr/atria/etc/db_dumper", O_RDONLY) = 14  
14311: open("/tmp/foo.vbs/db/db_dumper", O_WRONLY|O_CREAT|O_TRUNC, 0100555) = 15  
14311: read(14, "7F E L F010201\0\0\0\0\0".., 65536) = 65536  
14311: write(15, "7F E L F010201\0\0\0\0\0".., 65536) = 65536  
...  
  
14311: utime("/tmp/foo.vbs/db/db_dumper", 0xEFFFD400) = 0  
14311: stat("/tmp/foo.vbs/db/db_dumper", 0xEFFFE438) = 0  
14311: chmod("/tmp/foo.vbs/db/db_dumper", 0104555) = 0  
  
In other words _exactly the same code as before_ !! But this time in  
/usr/atria/etc/db_server and called by the daemon albd_server running under  
uid root.  
  
Therefore, you can use the exploit by l0pht after small modifications, _even_  
if you remove the setuid flag of /usr/atria/etc/db_loader .  
  
3. Observation:  
================  
  
# ldd /usr/atria/etc/db_server  
libatriadb.so => /usr/atria/shlib/libatriadb.so  
  
# strings /usr/atria/shlib/libatriadb.so | grep db_dumper  
db_dumper  
  
Most probably the whole code is written in here...  
  
cheers,  
oec  
  
--  
Oezguer Kesim |  
Unix Support | Email: Oec.Kesim@alcatel.de  
Alcatel SEL Berlin |  
  
`
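
The truss trace in the message above shows a root process doing access(), then open() with O_CREAT|O_TRUNC, then chmod() by path, all in a directory the caller chose. As an added example (not part of the original message and not ClearCase code), this C sketch performs the same copy with descriptor-based calls so that no step re-resolves the path; `install_copy` and its parameters are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to `name` inside the already-opened directory dirfd and give it
 * `mode`. Returns 0 on success, -1 with errno set on failure.
 * install_copy and its parameters are hypothetical names for this sketch. */
int install_copy(const char *src, int dirfd, const char *name, mode_t mode)
{
    char buf[65536];
    ssize_t n = 0;
    int saved, in, out;

    in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    /* O_EXCL: fail if anything (file, symlink, dangling link) already has
     * this name, so there is no separate access() check to race against.
     * Mode 0600 keeps the file private while it is still being written. */
    out = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (out < 0) {
        saved = errno; close(in); errno = saved;
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { n = -1; break; }
            off += w;
        }
        if (n < 0) break;
    }
    /* fchmod acts on the descriptor we created, never on a path that may
     * have been swapped between the copy and the permission change. */
    if (n < 0 || fchmod(out, mode) < 0) {
        saved = errno;
        unlinkat(dirfd, name, 0);
        close(out); close(in);
        errno = saved;
        return -1;
    }
    close(out); close(in);
    return 0;
}
```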