|
IBM Informix Database Multiple Local Vulnerabilities
|
|
Secunia Advisory:
|
SA10737
|
|
|
Release Date:
|
2004-01-28
|
|
Popularity:
|
7,427 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Privilege escalation
|
|
Where:
|
Local system
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | IBM Informix Dynamic Server 9.x
IBM Informix Extended Parallel Server 8.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
Description:
IBM has issued updates for Informix. These fix multiple vulnerabilities allowing malicious users to escalate their privileges.
1) Multiple executable files with setuid attributes contain boundary errors in the handling of the "GL_PATH" environment variable. This can be exploited by malicious local users to cause a buffer overflow and execute arbitrary code with escalated privileges.
2) Certain executable files open and parse files when executed. The parsing of certain files is flawed and contain a format string vulnerability which can be exploited by editing these files. Normally these files aren't accessible, however, users can change the "INFORMIXDIR" environment variable so the files are read from a different location.
3) The program "onshowaudit" try to read files from "/tmp" with root privileges. This can be exploited by malicious local users to see the content of arbitrary files by linking from the files in "/tmp" to files with sensitive data, such as "/etc/shadow".
4) The "ontape" binary contains a boundary error which allows malicious local users to cause a buffer overflow by setting a long "ONCONFIG" environment variable. This can be exploited to gain root privileges.
5) The "onedcu" executable doesn't drop privileges before writing to the log file "\001". This can be exploited to overwrite arbitrary files by creating links.
According to vendor this affects:
IBM Informix Dynamic Server (IDS) 9.40.xC1
IBM Informix Extended Parallel Server (XPS) version 8.40.UCx
Solution:
Contact Customer Services for an upgrade to IBM Informix Dynamic Server 9.40.UC3 or IBM Informix Extended Parallel Server 8.40.UD1.
IBM has suggested workarounds for these issue, see original advisory:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336
Provided and/or discovered by:
Issue 1 and 2 was reported by KF
Issue 3, 4 and 5 was reported by Juan Manuel Pascual Escriba
Original Advisory:
http://www-1.ibm.com/support/docview.wss?uid=swg21153336
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
