Re: L0pht Advisory - Rational Software ClearCase root exploitable

From: Oezguer Kesim (Oec.Kesimat_private)
Date: Tue Feb 09 1999 - 08:57:27 PST


    Holla,
    
    things are even worse!  You may want to remove the setuid flag from
    /usr/atria/etc/db_loader, _but_ this won't fix the problem -- just the exploit
    given by Dr. Mudge.  Let me elaborate:
    
    1.  Observation:
    ================
    
    If we make a
    	
    	# /usr/atria/bin/cleartool mkvob -tag /tmp/foo /tmp/foo.vbs
    
    you'll notice that
    	
    	# ls -l /tmp/foo.vbs/db/db_dumper
    
    results in
    	
    	-r-sr-xr-x   1 root     root      1526912 Jan 21  1998 db_dumper
    
    2.  Observation:
    ================
    
    While using the above command (cleartool mkvob ...) see what albd_server
    actually makes:
    	
    	# ps -A | grep albd
    	188 ?	0:08 albd_ser
    
    Now, if you read the output of
    
    	truss -f -p 188
    
    when the above command is used, you'll notice the following:
    	
    	...
    	
    	188:    fork()                                          = 14311
    	14311:  fork()          (returning as child ...)        = 188
    	...
    
    	14311:  execve("/usr/atria/etc/db_server", 0xEFFFED9C, 0xEFFFFF24)  argc = 3
    	...
    
    	14311:  stat("/usr/atria/etc/db_dumper", 0xEFFFE110)    = 0
    	14311:  access("/tmp/foo.vbs/db/db_dumper", 0)        Err#2 ENOENT
    	14311:  open("/usr/atria/etc/db_dumper", O_RDONLY)      = 14
    	14311:  open("/tmp/foo.vbs/db/db_dumper", O_WRONLY|O_CREAT|O_TRUNC, 0100555) = 15
    	14311:  read(14, "7F E L F010201\0\0\0\0\0".., 65536)   = 65536
    	14311:  write(15, "7F E L F010201\0\0\0\0\0".., 65536)  = 65536
    	...
    
    	14311:  utime("/tmp/foo.vbs/db/db_dumper", 0xEFFFD400) = 0
    	14311:  stat("/tmp/foo.vbs/db/db_dumper", 0xEFFFE438) = 0
    	14311:  chmod("/tmp/foo.vbs/db/db_dumper", 0104555)   = 0
    
    In other words _exactly the same code as before_ !!  But this time in
    /usr/atria/etc/db_server and called by the daemon albd_server running under
    uid root.
    
    Therefore, you can use the exploit by l0pht after small modifications, _even_
    if you remove the setuid flag of /usr/atria/etc/db_loader.
    
    3.  Observation:
    ================
    
    	# ldd /usr/atria/etc/db_server
    	libatriadb.so =>         /usr/atria/shlib/libatriadb.so
    
    	# strings /usr/atria/shlib/libatriadb.so | grep db_dumper
    	db_dumper
    
    Most probably the whole code is written in here...
    
    cheers,
      oec
    
    --
    Oezguer Kesim       |
    Unix Support        |  Email: Oec.Kesimat_private
    Alcatel SEL Berlin  |
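A defender-side check, added here as an illustration and not part of the original post or of the ClearCase product: a small Python scanner over truss output that flags any chmod() setting the setuid or setgid bit on a file outside a trusted install prefix (/usr/atria/ is assumed trusted), and records whether the traced process created that file itself with open(O_CREAT), which is the open-then-chmod(0104555) sequence shown in the trace above. The sample trace is taken from the lines quoted in the post.

```python
import re
from dataclasses import dataclass

# Matches truss lines such as:
#   14311:  chmod("/tmp/foo.vbs/db/db_dumper", 0104555)   = 0
TRUSS_LINE = re.compile(r'^\s*(?P<pid>\d+):\s+(?P<call>\w+)\((?P<args>[^)]*)\)')
# First argument of the call when it is a quoted path.
PATH_ARG = re.compile(r'^"([^"]*)"')

SETUID_BIT = 0o4000
SETGID_BIT = 0o2000

@dataclass
class Finding:
    pid: int
    path: str
    mode: int
    created: bool  # True if the same PID opened the path with O_CREAT earlier

def scan_truss(lines, trusted_prefixes=("/usr/atria/",)):
    """Return a Finding for every chmod() that sets setuid/setgid on a path
    outside the trusted prefixes; `created` says whether the same process
    created that file itself earlier in the trace (the dangerous pattern)."""
    created_by = set()  # (pid, path) pairs opened with O_CREAT
    findings = []
    for line in lines:
        m = TRUSS_LINE.match(line)
        if not m:
            continue  # continuation lines, "...", fork() banners, etc.
        pid, call, args = int(m.group('pid')), m.group('call'), m.group('args')
        p = PATH_ARG.match(args)
        if not p:
            continue  # first argument is an fd or a pointer, not a path
        path = p.group(1)
        if call == 'open' and 'O_CREAT' in args:
            created_by.add((pid, path))
        elif call == 'chmod':
            mode = int(args.split(',')[-1].strip(), 8)  # truss prints octal
            if mode & (SETUID_BIT | SETGID_BIT) and not path.startswith(tuple(trusted_prefixes)):
                findings.append(Finding(pid, path, mode, (pid, path) in created_by))
    return findings

# Sample input: the truss excerpt quoted in the post above.
SAMPLE_TRACE = r"""
14311:  stat("/usr/atria/etc/db_dumper", 0xEFFFE110)    = 0
14311:  access("/tmp/foo.vbs/db/db_dumper", 0)        Err#2 ENOENT
14311:  open("/usr/atria/etc/db_dumper", O_RDONLY)      = 14
14311:  open("/tmp/foo.vbs/db/db_dumper", O_WRONLY|O_CREAT|O_TRUNC, 0100555) = 15
14311:  read(14, "7F E L F010201\0\0\0\0\0".., 65536)   = 65536
14311:  write(15, "7F E L F010201\0\0\0\0\0".., 65536)  = 65536
14311:  utime("/tmp/foo.vbs/db/db_dumper", 0xEFFFD400) = 0
14311:  chmod("/tmp/foo.vbs/db/db_dumper", 0104555)   = 0
"""

if __name__ == "__main__":
    for f in scan_truss(SAMPLE_TRACE.splitlines()):
        print(f"pid {f.pid}: setuid/setgid mode {f.mode:o} on {f.path} (created by process: {f.created})")
```

Running it against a live `truss -f -p <albd_server pid>` capture during `cleartool mkvob` reproduces the finding for whatever VOB storage path was given.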
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:22 PDT