Title: IBM Informix File Clobbering during Install
Author: Larry W. Cashdollar, @_larry0
Download Site: http://www14.software.ibm.com/webapp/download/preconfig.jsp?id=2013-03-26+02%3A55%3A11.385011R&S_TACT=&S_CMP=
Vendor Notified: 2006-10-01
Description: IBM Informix Dynamic Server (IDS) is a strategic data server in the IBM Information Management Software portfolio that provides blazing online transaction processing (OLTP) performance, legendary reliability, and nearly hands-free administration to businesses of all sizes. IDS 10 offers significant improvements in performance, availability, security, and manageability over previous versions, including patent-pending technology that virtually eliminates downtime and automates many of the tasks associated with deploying mission-critical enterprise systems.
During installation the installserver script creates a file in /tmp called installserver.txt an unprivileged user can symlink this file to another file causing the target file have the contents of installserver.txt appened to it.
vapid:/tmp# ls -l /tmp/installserver.txt lrwxrwxrwx 1 lwc lwc 11 Oct 1 18:27 /tmp/installserver.txt -> /etc/passwd
After installation the contents of installserver.txt was appened to /etc/passwd.
The default file permissions of the installation package are too open, an unprivileged user can take advantage of an installation by a privileged user by injecting code into the installer script.
nobody@vapid:/home/auditor/test$ ls -l total 273168
-rw-rw-rw- 1 root root 10328050 Aug 1 2005 Gls.rpm
-rw-rw-rw- 1 32100 1360 5125418 Aug 1 2005 IIF.jar
-rw-rw-rw- 1 root root 84374286 Aug 1 2005 IIFServer.rpm
-rw-rw-rw- 1 root root 786557 Aug 1 2005 Message.rpm
drwxrwxrwx 2 32100 1360 4096 Aug 1 2005 doc
-rw-r--r-- 1 auditor auditor 140032000 Oct 1 18:21 iif.10.00.UC3R1TL.Linux.tar
-rwxr-xr-x 1 32100 1360 4424 Aug 1 2005 install_rpm
-rwxrwxrwx 1 32100 1360 38727685 Oct 1 18:46 installserver
-rwxr-xr-x 1 32100 1360 5069 Aug 1 2005 server.ini