 
Bugtraq mailing list archives
Re: L0pht Advisory - Rational Software ClearCase root exploitable
From: Oec.Kesim () ALCATEL DE (Oezguer Kesim)
Date: Tue, 9 Feb 1999 17:57:27 +0100
Holla,
things are even worse!  You may want to remove the setuid flag from
/usr/atria/etc/db_loader, _but_ this won't fix the problem -- just the exploit
given by Dr. Mudge.  Let me elaborate:
1.  Observation:
================
If we make a
        
        # /usr/atria/bin/cleartool mkvob -tag /tmp/foo /tmp/foo.vbs
you'll notice that
        
        # ls -l /tmp/foo.vbs/db/db_dumper
results in
        
        -r-sr-xr-x   1 root     root      1526912 Jan 21  1998 db_dumper
2.  Observation:
================
While using the above command (cleartool mkvob ...) see what albd_server
actually makes:
        
        # ps -A | grep albd
        188 ?   0:08 albd_ser
Now, if you read the output of
        truss -f -p 188
when the above command is used, you'll notice the following:
        
        ...
        
        188:    fork()                                          = 14311
        14311:  fork()          (returning as child ...)        = 188
        ...
        14311:  execve("/usr/atria/etc/db_server", 0xEFFFED9C, 0xEFFFFF24)  argc = 3
        ...
        14311:  stat("/usr/atria/etc/db_dumper", 0xEFFFE110)    = 0
        14311:  access("/tmp/foo.vbs/db/db_dumper", 0)        Err#2 ENOENT
        14311:  open("/usr/atria/etc/db_dumper", O_RDONLY)      = 14
        14311:  open("/tmp/foo.vbs/db/db_dumper", O_WRONLY|O_CREAT|O_TRUNC, 0100555) = 15
        14311:  read(14, "7F E L F010201\0\0\0\0\0".., 65536)   = 65536
        14311:  write(15, "7F E L F010201\0\0\0\0\0".., 65536)  = 65536
        ...
        14311:  utime("/tmp/foo.vbs/db/db_dumper", 0xEFFFD400) = 0
        14311:  stat("/tmp/foo.vbs/db/db_dumper", 0xEFFFE438) = 0
        14311:  chmod("/tmp/foo.vbs/db/db_dumper", 0104555)   = 0
In other words _exactly the same code as before_ !!  But this time in
/usr/atria/etc/db_server and called by the daemon albd_server running under
uid root.
Therefore, you can use the exploit by l0pht after small modifications, _even_
if you remove the setuid flag from /usr/atria/etc/db_loader.
3.  Observation:
================
        # ldd /usr/atria/etc/db_server
        libatriadb.so =>         /usr/atria/shlib/libatriadb.so
        # strings /usr/atria/shlib/libatriadb.so | grep db_dumper
        db_dumper
Most probably the whole code is written in here...
cheers,
  oec
--
Oezguer Kesim       |
Unix Support        |  Email: Oec.Kesim () alcatel de
Alcatel SEL Berlin  |
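The truss trace above shows the root daemon creating a file at a caller-supplied path with O_CREAT|O_TRUNC and then setting the mode by path name. As an added illustration, not code from this post, the L0pht advisory or Rational, here is how a privileged helper can install such a file defensively; install_helper and self_check are hypothetical names, and the directory-ownership check against geteuid() stands in for "owned by root".

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical hardened form of the copy-then-chmod sequence in the truss output. */
int install_helper(const char *src, const char *dstdir, const char *name, mode_t mode)
{
    struct stat ds;
    int dfd = open(dstdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* Directory must belong to the installing user (root in the advisory) and
     * not be writable by others, else whoever chose the path owns the result. */
    if (fstat(dfd, &ds) < 0 || ds.st_uid != geteuid() ||
        (ds.st_mode & (S_IWGRP | S_IWOTH))) { close(dfd); return -1; }
    int sfd = open(src, O_RDONLY | O_NOFOLLOW);
    if (sfd < 0) { close(dfd); return -1; }
    /* O_EXCL|O_NOFOLLOW relative to the checked dir: never truncate or follow
     * whatever may already sit at that name. */
    int tfd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (tfd < 0) { close(sfd); close(dfd); return -1; }
    char buf[65536]; ssize_t n; int rc = 0;
    while ((n = read(sfd, buf, sizeof buf)) > 0)
        if (write(tfd, buf, (size_t)n) != n) { rc = -1; break; }
    if (n < 0) rc = -1;
    /* Mode goes on the descriptor we wrote, only once the copy is complete,
     * never on a path that may have been swapped underneath us. */
    if (rc == 0 && fchmod(tfd, mode) < 0) rc = -1;
    if (rc != 0) unlinkat(dfd, name, 0);
    close(tfd); close(sfd); close(dfd);
    return rc;
}
/* Self-check on constructed data; returns 0 when every expectation holds. */
int self_check(void)
{
    char dir[] = "/tmp/vobdb.XXXXXX", src[64], out[64];
    if (!mkdtemp(dir)) return 1;                 /* private 0700 directory */
    snprintf(src, sizeof src, "%s/source.bin", dir);
    snprintf(out, sizeof out, "%s/db_dumper", dir);
    int fd = open(src, O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || write(fd, "\177ELF sample", 11) != 11) return 2;
    close(fd);
    struct stat st; int r = 0;
    if (install_helper(src, dir, "db_dumper", 0555) != 0) r = 3;
    else if (stat(out, &st) || st.st_size != 11 || (st.st_mode & 07777) != 0555) r = 4;
    else if (install_helper(src, dir, "db_dumper", 0555) == 0) r = 5;  /* must not clobber */
    else if (chmod(dir, 0777) || install_helper(src, dir, "other", 0555) == 0) r = 6;
    unlink(out); unlink(src); rmdir(dir);
    return r;
}
```

The self-check exercises the two refusals that matter here: an existing file at the target name is never truncated, and a directory writable by others is never populated.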