107833 2003-07-17 01:35 /7 rader/ KF <dotslash@snosoft.com> Importerad: 2003-07-17 01:35 av Brevbäraren Extern mottagare: bugtraq <bugtraq@securityfocus.com> Mottagare: Bugtraq (import) <5610> Ärende: SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows ------------------------------------------------------------ Thanks to IBM for being so receptive with these issues. For those of you that have requested we revive the old "Snosoft" advisories we have begun placing our legacy advisories at http://www.secnetops.biz as time permits. -KF (107833) /KF <dotslash@snosoft.com>/---------------- Bilaga (text/plain) i text 107834 107834 2003-07-17 01:35 /91 rader/ KF <dotslash@snosoft.com> Bilagans filnamn: "SRT2003-07-08-1223.txt" Importerad: 2003-07-17 01:35 av Brevbäraren Extern mottagare: bugtraq <bugtraq@securityfocus.com> Mottagare: Bugtraq (import) <5611> Bilaga (text/plain) till text 107833 Ärende: Bilaga (SRT2003-07-08-1223.txt) till: SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows ------------------------------------------------------------ Secure Network Operations, Inc. http://www.secnetops.com Strategic Reconnaissance Team research@secnetops.com Team Lead Contact kf@secnetops.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Quick Summary: ************************************************************************ Advisory Number : SRT2003-07-08-1223 Product : IBM U2 UniVerse Version : Version <= 10.0.0.9 ? Vendor : http://ibm.com/software/data/u2/universe/ Class : local Criticality : High (to UniVerse servers with local users) Operating System(s) : Only confirmed on Linux (other unix based?) High Level Explanation ************************************************************************ High Level Description : uvadm can take root via buffer overflows What to do : chmod -s /usr/ibm/uv/bin/uvadmsh Technical Details ************************************************************************ Proof Of Concept Status : SNO does have Poc code Low Level Description : UniVerse is an extended relational database designed for embedding in vertical applications. Its nested relational data model results in intuitive data modeling and fewer resulting tables. UniVerse provides data access, storage and management capabilities across Microsoft® Windows® NT, Linux and UNIplatform. The uvadm user may exploit a buffer overflow in the uvadmsh binary to take root. There is a buffer overflow when processing command line arguments. Please note that without the -uv.install argument this issue is NOT exploitable however the overflow still occurs. (gdb) r -uv.install `perl -e 'print "Z" x 546'` Starting program: uvadmsh -uv.install `perl -e 'print "Z" x 546'` error Program received signal SIGSEGV, Segmentation fault. 0x5a5a5a5a in ?? () (gdb) bt #0 0x5a5a5a5a in ?? () Cannot access memory at address 0x5a5a5a5a You must have uvadm rights in order to exploit this issue. The creation and use of the Unix user 'uvadm' is optional for UniVerse. It is not required for the successfull installation, configuration and administration of UniVerse. The intended use of uvadm is to allow a selected, specific non-root user to perform all aspects of UniVerse administration. [uvadm@vegeta tmp]$ id uid=503(uvadm) gid=503(uvadm) groups=503(uvadm) [uvadm@vegeta tmp]$ ./uvadm_root.pl error sh-2.05b# id uid=0(root) gid=503(uvadm) groups=503(uvadm) Patch or Workaround : chmod -s /usr/ibm/uv/bin/uvadmsh Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user to perform all of the uvadmsh functions. Vendor Status : The IBM U2 staff will have this issue resolved in a future release of IBM U2. Patches may also be supplied on a per client basis at IBM's disgression. Bugtraq URL : to be assigned ------------------------------------------------------------------------ This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact research@secnetops.com for information on how to obtain exploit information. (107834) /KF <dotslash@snosoft.com>/------(Ombruten)