Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormStrategic Reconnaissance TeamPACKETSTORM:31369
HistoryJul 17, 2003 - 12:00 a.m.

SRT2003-07-07-0913.txt

2003-07-1700:00:00
Strategic Reconnaissance Team
packetstormsecurity.com
28
JSON
`Secure Network Operations, Inc. http://www.secnetops.com  
Strategic Reconnaissance Team [email protected]  
Team Lead Contact [email protected]  
  
  
Our Mission:  
************************************************************************  
Secure Network Operations offers expertise in Networking, Intrusion   
Detection Systems (IDS), Software Security Validation, and   
Corporate/Private Network Security. Our mission is to facilitate a   
secure and reliable Internet and inter-enterprise communications   
infrastructure through the products and services we offer.   
  
  
Quick Summary:  
************************************************************************  
Advisory Number : SRT2003-07-07-0913  
Product : IBM U2 UniVerse  
Version : Version <= 10.0.0.9 ?  
Vendor : http://ibm.com/software/data/u2/universe/  
Class : local  
Criticality : Low   
Operating System(s) : Only confirmed on Linux (other unix based?)  
  
  
High Level Explanation  
************************************************************************  
High Level Description : Abnormal suid behavior in several applications  
What to do : chmod -s /usr/ibm/uv/bin/uvrestore  
chmod -s /usr/ibm/uv/bin/setacc  
  
  
Technical Details  
************************************************************************  
Proof Of Concept Status : No PoC necessary  
Low Level Description :   
  
UniVerse is an extended relational database designed for embedding in   
vertical applications. Its nested relational data model results in   
intuitive data modeling and fewer resulting tables. UniVerse provides   
data access, storage and management capabilities across Microsoft®  
Windows® NT, Linux and UNIplatform.  
  
Several several binaries have odd behavior including core dumps and   
changing permissions on device files.   
  
The intent of the below gdb and strace dumps is only to show why we   
feel these issues are difficult to exploit on linux. We do not feel   
that we are disclosing Intellectual Property in any way. No anti   
debug routines are enforced by the below applications. The point is   
to show what calls are causing the problem. The result could vary on   
a different unix platform or processor.   
  
uvrestore suffers from a command line overflow:  
  
(gdb) r `perl -e 'print "A" x 6000'`  
Starting program: uvrestore `perl -e 'print "A" x 6000'`  
Program received signal SIGSEGV, Segmentation fault.  
0x0805e81a in basename ()  
(gdb) bt  
#0 0x0805e81a in basename ()  
#1 0x080619b3 in basename ()  
#2 0x42015574 in libc_start_main () from /lib/tls/libc.so.6  
(gdb) i r  
eax 0x41414141 1094795585  
  
...  
[0805e6ec] strcmp("AAAAAAAAAAAAAAAAAAAAAAAAA"..., "-noindexfix") = 1  
[0805e771] strcmp("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., "-") = 1  
[0805e7f3] strcpy(0x083b7d00, "AAAAAAAAAAAAAAAAAAA"...) = 0x083b7d00  
[0805e815] strcpy(0x083b9100, "AAAAAAAAAAAAAAAAAAA"...) = 0x083b9100  
[0805e81a] --- SIGSEGV (Segmentation fault) ---   
  
uvsetacc does a chmod based on ttyname() results:   
  
[root@vegeta bin]# ltrace ./uvsetacc 2557  
ttyname(1) = "/dev/pts/1"  
chmod("/dev/pts/1", 04775) = 0  
  
[kf@vegeta kf]$ ls -al /dev/pts/1  
crw------- 1 kf tty 136, 1 Jul 7 21:40 /dev/pts/1  
[kf@vegeta kf]$ /usr/ibm/uv/bin/uvsetacc 2557  
[kf@vegeta kf]$ ls -al /dev/pts/1  
crwsrwxr-x 1 kf tty 136, 1 Jul 7 21:41 /dev/pts/1  
  
--- farfetched - disgruntled helpdesk worker attack scenario ---  
  
Helpdesk phone *ring*...  
uvadm-> hello  
boss-> my universe program xyz is acting weird  
  
uvadm finds boss's tty. *grin*  
kf pts/1 - 9:42pm 1:02 0.16s 0.16s /bin/bash  
  
[uvadm@vegeta uvadm]$ id  
uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)  
[uvadm@vegeta uvadm]$ cat /dev/pts/1  
cat: /dev/pts/1: Permission denied  
  
uvadm-> hrmm try typing this and lets see what happens...   
"/usr/ibm/uv/bin/uvsetacc 2559"  
boss-> ok I typed it... now what?   
uvadm-> do you see the password prompt?  
  
[uvadm@vegeta uvadm]$ ls -al /dev/pts/1  
crwsrwxrwx 1 kf tty 136, 1 Jul 7 21:48 /dev/pts/1  
[uvadm@vegeta uvadm]$ echo Enter Your Universe Password: >> /dev/pts/1  
  
boss-> oh yeah hold on let me type the password in.   
...  
  
In order to exploit the uvsetacc behvior, you must be logged in as user   
uvadm. The creation and use of the Unix user 'uvadm' is optional for   
UniVerse. It is not required for the successfull installation, configuration   
and administration of UniVerse. The intended use of uvadm is to allow a   
selected, specific non-root user to perform all aspects of UniVerse   
administration.  
  
Patch or Workaround : chmod -s /usr/ibm/uv/bin/uvrestore  
chmod -s /usr/ibm/uv/bin/setacc  
  
Vendor Status : The IBM U2 staff will have this issue resolved   
in a future release of IBM U2. Patches may also be supplied on a per   
client basis at IBM's disgression.   
  
Bugtraq URL : to be assigned  
  
------------------------------------------------------------------------  
This advisory was released by Secure Network Operations,Inc. as a matter  
of notification to help administrators protect their networks against  
the described vulnerability. Exploit source code is no longer released  
in our advisories. Contact [email protected] for information on how  
to obtain exploit information.  
  
  
`
JSON