Advisory #: 57
Title: IBM Informix File Clobbering during Install
Author: Larry W. Cashdollar, @_larry0
Date: 2006-10-01
CVE-ID:[CVE-2006-5163]
CWE:
Download Site: http://www14.software.ibm.com/webapp/download/preconfig.jsp?id=2013-03-26+02%3A55%3A11.385011R&S_TACT=&S_CMP=
Vendor: IBM
Vendor Notified: 2006-10-01
Vendor Contact:
Advisory: http://www.vapid.dhs.org/advisories/ibm_informix_dynamic_server_file_clobbber_during_install.html
Description: IBM Informix Dynamic Server (IDS) is a strategic data server in the IBM Information Management Software portfolio that provides blazing online transaction processing (OLTP) performance, legendary reliability, and nearly hands-free administration to businesses of all sizes. IDS 10 offers significant improvements in performance, availability, security, and manageability over previous versions, including patent-pending technology that virtually eliminates downtime and automates many of the tasks associated with deploying mission-critical enterprise systems.
Vulnerability:
During installation the installserver script creates a file in /tmp called installserver.txt an unprivileged user can symlink this file to another file causing the target file have the contents of installserver.txt appened to it. vapid:/tmp# ls -l /tmp/installserver.txt lrwxrwxrwx 1 lwc lwc 11 Oct 1 18:27 /tmp/installserver.txt -> /etc/passwd After installation the contents of installserver.txt was appened to /etc/passwd. The default file permissions of the installation package are too open, an unprivileged user can take advantage of an installation by a privileged user by injecting code into the installer script. nobody@vapid:/home/auditor/test$ ls -l total 273168 -rw-rw-rw- 1 root root 10328050 Aug 1 2005 Gls.rpm -rw-rw-rw- 1 32100 1360 5125418 Aug 1 2005 IIF.jar -rw-rw-rw- 1 root root 84374286 Aug 1 2005 IIFServer.rpm -rw-rw-rw- 1 root root 786557 Aug 1 2005 Message.rpm drwxrwxrwx 2 32100 1360 4096 Aug 1 2005 doc -rw-r--r-- 1 auditor auditor 140032000 Oct 1 18:21 iif.10.00.UC3R1TL.Linux.tar -rwxr-xr-x 1 32100 1360 4424 Aug 1 2005 install_rpm -rwxrwxrwx 1 32100 1360 38727685 Oct 1 18:46 installserver -rwxr-xr-x 1 32100 1360 5069 Aug 1 2005 server.ini
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes:
29349 29348