Informix SE-7.25 /lib/sqlexec Vulnerability

From: paskat_private
Date: Wed May 29 2002 - 16:32:51 PDT

     Title:    Local Vulnerability in Informix SE-7.25
     Date:     21-04-2002
     Platform: Only tested on Linux, but probably applies to other platforms.
     Impact:   Users with execute permission on /lib/sqlexec can obtain euid=0
     Author:   Juan Manuel Pascual Escriba <paskat_private>
     Status:   Vendor contacted; details below.
    
    
    PROBLEM SUMMARY:
    
        A buffer overflow occurs if the INFORMIXDIR environment variable is set
    to a value longer than 2023 bytes.
    
    [pask@dimoni lib]$ ls -FAlsc
    total 2588
       4 drwxrwxr-x    2 informix informix     4096 May 28 22:50 boom/
    1484 -rwsr-sr-x    1 root     informix  1515480 Apr 20 22:09 sqlexec*
     504 -rwxr-xr-x    1 informix informix   510283 Apr 20 22:09 sqlexecd*
     596 -rwxr-xr-x    1 informix informix   606041 Apr 20 22:09 sqlrm*
    
    [pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2023'` 
    [pask@dimoni lib]$ ./sqlexec
    [pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2024'`
    [pask@dimoni lib]$ ./sqlexec
    Segmentation fault
    
    [pask@dimoni lib]$ gdb ./sqlexec
    (gdb) r
    Starting program: /home/informix/SE-7.25/lib/./sqlexec
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb)
    (gdb) info registers
    ...
    esp            0x3fffed08       0x3fffed08
    ebp            0x41414141       0x41414141
    esi            0x3fffedf9       1073737209
    edi            0x8191571        135861617
    eip            0x41414141       0x41414141
    ...
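The bug class shown in the summary and crash trace above, modelled as an added example (not Informix code, whose source is not public): a fixed buffer filled from INFORMIXDIR without a length check, beside a hardened loader that rejects an over-long value instead of copying it. `DIR_BUF_SIZE` (2023 bytes plus the NUL) and the function names are assumptions chosen to mirror the advisory's threshold.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption (the faulting Informix source is not public): INFORMIXDIR is
 * copied into a fixed stack buffer; 2023 bytes is the longest value the
 * advisory shows running cleanly, so the model buffer is 2023 + 1 for NUL. */
#define DIR_BUF_SIZE 2024

/* The defect class: the attacker-controlled length is never checked.
 * Shown only for contrast; nothing in this file calls it. */
void load_dir_unsafe(const char *value, char dirbuf[DIR_BUF_SIZE]) {
    strcpy(dirbuf, value);  /* writes past dirbuf once strlen(value) > 2023 */
}

/* Hardened form, to be called with getenv("INFORMIXDIR"): reject an unset
 * or over-long value rather than copy or truncate it.
 * Returns 0 on success, -1 on rejection (dirbuf is left untouched). */
int load_dir_safe(const char *value, char *dirbuf, size_t bufsize) {
    const char *nul;
    if (value == NULL || bufsize == 0)
        return -1;
    /* Look for the terminator only within bufsize bytes: an over-long value
     * is never scanned to its end and can never be copied whole. */
    nul = memchr(value, '\0', bufsize);
    if (nul == NULL)
        return -1;
    memcpy(dirbuf, value, (size_t)(nul - value) + 1);
    return 0;
}

/* Builds a constructed value of n 'A's (like the advisory's perl one-liner)
 * and reports whether the hardened loader accepts it: 1 accepted, 0 rejected. */
int accepts_value_of_length(size_t n) {
    char dirbuf[DIR_BUF_SIZE];
    char *value = malloc(n + 1);
    int rc;
    if (value == NULL)
        return 0;
    memset(value, 'A', n);
    value[n] = '\0';
    rc = load_dir_safe(value, dirbuf, sizeof dirbuf);
    free(value);
    return rc == 0;
}

int main(void) {
    printf("2023 bytes: %s\n", accepts_value_of_length(2023) ? "accepted" : "rejected");
    printf("2024 bytes: %s\n", accepts_value_of_length(2024) ? "accepted" : "rejected");
    return 0;
}
```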
    
    
    IMPACT:
        Users with execute permission on /lib/sqlexec can obtain euid=0
    in a standard installation of Informix SE-7.25.
    
    
    EXPLOIT
        Will be available when IBM develops a patch.
    
    
    STATUS
        On 21st April I tried to contact IBM through
    http://www.ibm.com/contact; I received a quick answer
    telling me that I could email moreinfoat_private to
    report this vulnerability. This email address doesn't exist
    or is misconfigured (I received the message returned).
    
       On 28th May I tried to contact IBM through
    askibmat_private; they answered the email telling me
    "to call the Main support Line and choose option 3 to speak to a
    customer service representative who will be happy to assist
    me".
    
    I'm sorry, but I'm not happy to pay an international call bill,
    and I'm not a customer.
    
    
       The status of this advisory can be checked at:
       http://concepcion.upv.es/~pask/advisories
    
    
    --------------------------------------------------
    This vulnerability was researched by:
    Juan Manuel Pascual Escriba            paskat_private
    
    -- 
    
    "In god We Trust, Others We monitor"
    
    ----------------------------------------------------------
    Juan Manuel Pascual Escriba
    Midnight Systems & Security Manager
    PGP PubKey http://concepcion.upv.es/~pask/publica.pgp
    ----------------------------------------------------------
    
    



    This archive was generated by hypermail 2b30 : Thu May 30 2002 - 11:05:40 PDT