IBM Informix File Clobbering during Install

2018.10.03
us Larry W. Cashdollar (US) us
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2006-5163
CWE: CWE-Other


CVSS Base Score: 3.6/10
Impact Subscore: 4.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

Title: IBM Informix File Clobbering during Install Author: Larry W. Cashdollar, @_larry0 Date: 2006-10-01 CVE-ID:[CVE-2006-5163] Download Site: http://www14.software.ibm.com/webapp/download/preconfig.jsp?id=2013-03-26+02%3A55%3A11.385011R&S_TACT=&S_CMP= Vendor: IBM Vendor Notified: 2006-10-01 Vendor Contact: Advisory: http://www.vapid.dhs.org/advisories/ibm_informix_dynamic_server_file_clobbber_during_install.html Description: IBM Informix Dynamic Server (IDS) is a strategic data server in the IBM Information Management Software portfolio that provides blazing online transaction processing (OLTP) performance, legendary reliability, and nearly hands-free administration to businesses of all sizes. IDS 10 offers significant improvements in performance, availability, security, and manageability over previous versions, including patent-pending technology that virtually eliminates downtime and automates many of the tasks associated with deploying mission-critical enterprise systems. Vulnerability: During installation the installserver script creates a file in /tmp called installserver.txt an unprivileged user can symlink this file to another file causing the target file have the contents of installserver.txt appened to it. vapid:/tmp# ls -l /tmp/installserver.txt lrwxrwxrwx 1 lwc lwc 11 Oct 1 18:27 /tmp/installserver.txt -> /etc/passwd After installation the contents of installserver.txt was appened to /etc/passwd. The default file permissions of the installation package are too open, an unprivileged user can take advantage of an installation by a privileged user by injecting code into the installer script. nobody@vapid:/home/auditor/test$ ls -l total 273168 -rw-rw-rw- 1 root root 10328050 Aug 1 2005 Gls.rpm -rw-rw-rw- 1 32100 1360 5125418 Aug 1 2005 IIF.jar -rw-rw-rw- 1 root root 84374286 Aug 1 2005 IIFServer.rpm -rw-rw-rw- 1 root root 786557 Aug 1 2005 Message.rpm drwxrwxrwx 2 32100 1360 4096 Aug 1 2005 doc -rw-r--r-- 1 auditor auditor 140032000 Oct 1 18:21 iif.10.00.UC3R1TL.Linux.tar -rwxr-xr-x 1 32100 1360 4424 Aug 1 2005 install_rpm -rwxrwxrwx 1 32100 1360 38727685 Oct 1 18:46 installserver -rwxr-xr-x 1 32100 1360 5069 Aug 1 2005 server.ini

References:

http://www.vapidlabs.com/advisory.php?v=57


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top