Secunia Security Advisory - Some vulnerabilities have been reported in Ingres, which can be exploited by malicious, local users to gain escalated privileges.
----------------------------------------------------------------------
TITLE:
Ingres Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31357
VERIFY ADVISORY:
http://secunia.com/advisories/31357/
CRITICAL:
Less critical
IMPACT:
Privilege escalation
WHERE:
Local system
SOFTWARE:
Ingres 2.x
http://secunia.com/product/14576/
Ingres 2006 (9.x)
http://secunia.com/product/14574/
DESCRIPTION:
Some vulnerabilities have been reported in Ingres, which can be
exploited by malicious, local users to gain escalated privileges.
1) An error exists in the "verifydb" utility, which has the setuid-bit
set (owned by the "ingres" user) and improperly changes permissions on
files. This can be exploited to gain write access to files owned by
the Ingres database user via symlink attacks.
This vulnerability affects all platforms except VMS and Windows.
2) A boundary error exists within the "libbecompat" library that is
used by several of the setuid "ingres" utilities. This can be
exploited to cause a stack-based buffer overflow, e.g. via a specially
crafted environment variable.
Successful exploitation allows execution of arbitrary code with
privileges of the "ingres" user.
3) An error exists within the "ingvalidpw" utility due to being
setuid "root" and loading shared libraries from a directory owned by
the "ingres" user. This can be exploited by an "ingres" user to
execute arbitrary code with "root" privileges.
Vulnerabilities #2 and #3 only affect Linux and HP platforms.
The vulnerabilities are reported in Ingres 2006 release 2 (9.1.0),
Ingres 2006 release 1 (9.0.4), and Ingres 2.6.
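Added example (not part of the Secunia advisory and not Ingres code): the
class of flaw in item 1, a setuid utility changing file permissions by path,
is avoided by opening the file without following a symlink and changing the
mode on the open descriptor. The names safe_chmod and demo and the temporary
paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Set `mode` on `path` only if it is a regular, singly linked file owned by
 * `owner`. Returns 0 on success, -1 on refusal. chmod(path, ...) would follow
 * a symlink planted at `path`; here the final component is never followed and
 * the checks and the change all act on the same open descriptor. */
int safe_chmod(const char *path, uid_t owner, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* ELOOP when path is a symlink */
    int ok = fstat(fd, &st) == 0
          && S_ISREG(st.st_mode)        /* no devices, FIFOs, directories */
          && st.st_uid == owner         /* only the expected owner's files */
          && st.st_nlink == 1           /* refuse hard-link aliases */
          && fchmod(fd, mode) == 0;     /* acts on the inode just checked */
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed self-check: a real file is changed, a symlink to it is refused.
 * Returns 0 when both behaviours hold. */
int demo(void)
{
    char dir[] = "/tmp/safechmodXXXXXX", file[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(file, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(file, lnk) != 0)
        return -1;
    int changed = safe_chmod(file, geteuid(), 0640);
    int refused = safe_chmod(lnk, geteuid(), 0666);
    int mode_ok = stat(file, &st) == 0 && (st.st_mode & 0777) == 0640;
    unlink(lnk); unlink(file); rmdir(dir);
    return (changed == 0 && refused == -1 && mode_ok) ? 0 : 1;
}

int main(void) { return demo(); }
```

O_NOFOLLOW covers only the final path component, so the directories above the
target must not be writable by untrusted users.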
SOLUTION:
The vendor has issued fixes. Please see the knowledge base document
(customer login required).
http://servicedesk.ingres.com/CAisd/pdmweb.ingres?OP=SHOW_DETAIL+PERSID=KD:416012+HTMPL=kt_document_view.htmpl
PROVIDED AND/OR DISCOVERED BY:
An anonymous researcher, reported via iDefense.
ORIGINAL ADVISORY:
Ingres:
http://www.ingres.com/support/security-alert-080108.php
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=731
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=732
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=733
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------