[22521] in bugtraq
Re: [ Hackerslab bug_paper ] Informix-SQL application
daemon@ATHENA.MIT.EDU (Gary L. Burnore)
Tue Sep 4 17:28:37 2001
Message-Id: <5.1.0.14.2.20010904131934.00a8b840@popd.netbasix.net>
Date: Tue, 04 Sep 2001 13:21:00 -0400
To: bugtraq@securityfocus.com
From: "Gary L. Burnore" <gburnore@netbasix.net>
In-Reply-To: <200109041318.f84DIlg16535@ce.hannam.ac.kr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 09:18 09/04/2001, you wrote:
>==============================================================================
>
> [ Hackerslab bug_paper ] Informix-SQL application vulnerability
>
>==============================================================================
>
>File : Informix-SQL application
>
>SYSTEM : Systems running Informix
>
>INFO :
>
>There is a vulnerability in informix-SQL application which allows local
>users to create any file with root privilege:
>
>PART 1 :
>$ id
>uid=500 (informix) gid=120 (informix) groups=1000(loveyou)
>$ umask 0000

WHY would anyone set the umask to 0000? Also, per informix documentation,
the user informix should not belong to any other groups and no other users
should be in the informix group.

>$ cd ~informix/bin (Informix HOME Directory)
>$ ./onshowaudit
>INFORMIX-SQL Version 7.31.UC5

onshowaudit must be run by the AAO user unless you've misconfigured
INFORMIX. Since you've already ignored the group restrictions, no doubt
that's the case.

Tried the rest. Can't get it to set rwxrwxrwx on any /tmp file, even with
setting umask to 0000, although that does allow files to be created
rw-rw-rw, which isn't good (and why you shouldn't SET umask to 0000).

--
gburnore@netbasix.net
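
The umask behaviour discussed in the message above, as an added example that is not part of the original post or of Informix: a plain file creation requests mode 0666 and a directory creation requests 0777, with the umask bits then cleared, and a find check lists files left world-writable. The function names and temporary paths are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration; helper names and paths are hypothetical.

# mode_under_umask MASK KIND
# Creates a probe ("file" or "dir") in a fresh temp directory under the given
# umask and prints its ls-style permission string (first 10 characters).
mode_under_umask() {
    mask=$1
    kind=$2
    dir=$(mktemp -d) || return 1
    (
        # The subshell keeps the umask change from leaking into the caller.
        umask "$mask"
        if [ "$kind" = dir ]; then
            mkdir "$dir/probe"      # mkdir requests 0777 & ~umask
        else
            : > "$dir/probe"        # redirection requests 0666 & ~umask
        fi
    )
    ls -ld "$dir/probe" | cut -c1-10
    rm -rf "$dir"
}

# world_writable DIR
# Lists regular files under DIR that are writable by "other".
world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Demonstration: compare a permissive umask with two common restrictive ones.
for m in 0000 022 077; do
    printf 'umask %-4s file=%s dir=%s\n' "$m" \
        "$(mode_under_umask "$m" file)" "$(mode_under_umask "$m" dir)"
done
```

Running world_writable against a directory an application writes into shows which of its files ended up writable by every local user.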