Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Informix SE-7.25 /lib/sqlexec Vulnerability

From: <pask () cmlc upv es>
Date: Thu, 30 May 2002 01:32:51 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE-----





 Title:    Local Vulnerability in Informix SE-7.25
 Date:     21-04-2002
 Platform: Only tested in Linux but can be exported to others.
 Impact:   Users with exec perm over /lib/sqlexec can obtain euid=0 
 Author:   Juan Manuel Pascual Escriba <pask () uninet edu>
 Status:   Vendor contacted details below.


PROBLEM SUMMARY:

    Buffer overflow exists if INFORMIXDIR enviroment variable is defined
with a size greater than 2023 bytes

[pask@dimoni lib]$ ls -FAlsc
total 2588
   4 drwxrwxr-x    2 informix informix     4096 May 28 22:50 boom/
1484 -rwsr-sr-x    1 root     informix  1515480 Apr 20 22:09 sqlexec*
 504 -rwxr-xr-x    1 informix informix   510283 Apr 20 22:09 sqlexecd*
 596 -rwxr-xr-x    1 informix informix   606041 Apr 20 22:09 sqlrm*

[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2023'` 
[pask@dimoni lib]$ ./sqlexec
[pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2024'`
[pask@dimoni lib]$ ./sqlexec
Segmentation fault

[pask@dimoni lib]$ gdb ./sqlexec
(gdb) r
Starting program: /home/informix/SE-7.25/lib/./sqlexec
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
(gdb) info registers
...
esp            0x3fffed08       0x3fffed08
ebp            0x41414141       0x41414141
esi            0x3fffedf9       1073737209
edi            0x8191571        135861617
eip            0x41414141       0x41414141
...


IMPACT:
    Users with exec perm over /lib/sqlexec can obtain euid=0 
in a standard installation of Informix SE-7.25


EXPLOIT
    Will be available when IBM develops a patch.


STATUS
    At 21th April i tried to contact with IBM through 
http://www.ibm.com/contact,i received a quick answer 
telling me that i can email moreinfo () informix com for 
report this vulnerability. This email address dont exist 
or is misconfigured (i received the message returned).

   At 28th May i tried to contact with IBM through 
askibm () vnet ibm com, they answer the email telling me 
"to call to Main support Line and choose option 3 to speak 
customer service representative who will be happy to assist 
me". 

I'm sorry but im not happy to pay an international call bill.
and im not a customer.


   Status of this advisory would be checked at:
        http://concepcion.upv.es/~pask/advisories


- --------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba            pask () uninet edu






- -- 






                   "In god We Trust, Others We monitor"

        ----------------------------------------------------------
                        Juan Manuel Pascual Escriba
                     Midnight Systems & Security Manager
           PGP PubKey http://concepcion.upv.es/~pask/publica.pgp
        ----------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQEVAwUBPPVlKDX3KWOaq4SJAQETqwf8DpQ8el1tEt/M8JA7r1xgzZdTPqrEVpRD
besDoryOU5xSRY1waGKILxqhm9G7/81+YGjhYLBB+KRkKTqK2LjWgrmu6/SyHLXW
hSJEoT4JjMT2rsJ1THNt8pglmqeMwAd8ncXZpSodWqByieQ6ly6uI1IcTSFViuAh
cvpc4Pk8zORELtNmFfnNRz93dEEnWo19odX7cx0tutqJUjosI0VfCX9kKs2iRjmM
5Fj1sGsTl1AHqcdJTmOzFQieA8ywFdS8vnEBuK6jqIHFc1Gn7e5c00K6Fu7ZFsZq
erx8tg7F93myY0wpq5AsYiiepgWUqLMyaeb1hjRiTn/X4F5eVHbtmg==
=4P/J
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: