clearcase2.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Race conditions in Rational Software ClearCase can be exploited to gain root.

Code

```text
Date: Tue, 9 Feb 1999 17:57:27 +0100
From: Oezguer Kesim <[email protected]>
To: [email protected]
Subject: Re: L0pht Advisory - Rational Software ClearCase root exploitable race conditions

Holla,

things are even worse! You may want to remove the setuid flag from
/usr/atria/etc/db_loader, _but_ this won't fix the problem -- just the exploit
given by Dr. Mudge. Let me elaborate:

1. Observation:
================

If we make a

# /usr/atria/bin/cleartool mkvob -tag /tmp/foo /tmp/foo.vbs

you'll notice that

# ls -l /tmp/foo.vbs/db/db_dumper

results

-r-sr-xr-x 1 root root 1526912 Jan 21 1998 db_dumper

2. Observation:
================

While using the above command (cleartool mkvob ...) see what albd_server
actually makes:

# ps -A | grep albd
188 ? 0:08 albd_ser

Now, if you read the output of

truss -f -p 188

when the above command is used, you'll notice the following:

...

188: fork() = 14311
14311: fork() (returning as child ...) = 188
...

14311: execve("/usr/atria/etc/db_server", 0xEFFFED9C, 0xEFFFFF24) argc = 3
...

14311: stat("/usr/atria/etc/db_dumper", 0xEFFFE110) = 0
14311: access("/tmp/foo.vbs/db/db_dumper", 0) Err#2 ENOENT
14311: open("/usr/atria/etc/db_dumper", O_RDONLY) = 14
14311: open("/tmp/foo.vbs/db/db_dumper", O_WRONLY|O_CREAT|O_TRUNC, 0100555) = 15
14311: read(14, "7F E L F010201\0\0\0\0\0".., 65536) = 65536
14311: write(15, "7F E L F010201\0\0\0\0\0".., 65536) = 65536
...

14311: utime("/tmp/foo.vbs/db/db_dumper", 0xEFFFD400) = 0
14311: stat("/tmp/foo.vbs/db/db_dumper", 0xEFFFE438) = 0
14311: chmod("/tmp/foo.vbs/db/db_dumper", 0104555) = 0

In other words _exactly the same code as before_ !! But this time in
/usr/atria/etc/db_server and called by the daemon albd_server running under
uid root.

Therefore, you can use the exploit by l0pht after small modifications, _even_
if you remove the setuid flag of /usr/atria/etc/db_loader .

3. Observation:
================

# ldd /usr/atria/etc/db_server
libatriadb.so => /usr/atria/shlib/libatriadb.so

# strings /usr/atria/shlib/libatriadb.so | grep db_dumper
db_dumper

Most probably the whole code is written in here...

cheers,
oec

--
Oezguer Kesim |
Unix Support | Email: [email protected]
Alcatel SEL Berlin |
```
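The root cause visible in the trace is that the privileged db_server resolves the same path under the user-owned .vbs tree three times: access(), then open(O_CREAT|O_TRUNC), then chmod(). As an added example (not code from the advisory or from Rational), this is how a privileged installer can copy a file into a directory it does not control without that window: the target is created with O_EXCL|O_NOFOLLOW, verified with fstat() and given its mode with fchmod() on that same descriptor. safe_install_copy and run_demo are hypothetical names, the temp-dir content is constructed, and the demo uses mode 0555 rather than the setuid 04555 seen in the trace.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst and set mode, resolving dst exactly once. Unlike the
 * access()/open(O_TRUNC)/chmod(path) sequence in the trace, a symlink or
 * pre-existing file planted at dst makes this fail instead of being reused. */
int safe_install_copy(const char *src, const char *dst, mode_t mode) {
    int in = open(src, O_RDONLY | O_NOFOLLOW);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (out < 0) { int e = errno; close(in); errno = e; return -1; }
    struct stat st; char buf[65536]; ssize_t n = 0;
    int ok = fstat(out, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1;
    while (ok && (n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; ok && off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) ok = 0; else off += w;
        }
    }
    if (n < 0 || (ok && fchmod(out, mode) != 0)) ok = 0; /* mode via fd, not path */
    close(in); close(out);
    if (!ok) { unlink(dst); return -1; }   /* only removes the file we created */
    return 0;
}

/* Self-check in a constructed temp dir: 0 when the copy gets the requested mode
 * and size, a re-install over the existing file and a planted symlink both fail. */
int run_demo(void) {
    char dir[] = "/tmp/cc_demo_XXXXXX", src[256], dst[256], lnk[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(src, sizeof src, "%s/db_dumper.src", dir);
    snprintf(dst, sizeof dst, "%s/db_dumper", dir);
    snprintf(lnk, sizeof lnk, "%s/planted", dir);
    FILE *f = fopen(src, "w"); if (!f) return -1;
    fputs("\x7f" "ELF-placeholder", f);          /* constructed 16-byte content */
    fclose(f);
    struct stat st;
    int ok = safe_install_copy(src, dst, 0555) == 0
          && stat(dst, &st) == 0 && (st.st_mode & 07777) == 0555 && st.st_size == 16
          && safe_install_copy(src, dst, 0555) != 0 && errno == EEXIST
          && symlink(src, lnk) == 0
          && safe_install_copy(src, lnk, 0555) != 0 && errno == EEXIST;
    return ok ? 0 : -1;
}
```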
