======IBM Informix File Clobbering during Install======
//10/1/2006//
====Overview====
===From the Website===
"IBM Informix® Dynamic Server (IDS) is a strategic data server in the IBM Information Management Software portfolio that provides blazing online transaction processing (OLTP) performance, legendary reliability, and nearly hands-free administration to businesses of all sizes. IDS 10 offers significant improvements in performance, availability, security, and manageability over previous versions, including patent-pending technology that virtually eliminates downtime and automates many of the tasks associated with deploying mission-critical enterprise systems."
===Vulnerability===
During installation, the //installserver// script creates a file in /tmp called //installserver.txt//.
An unprivileged user can symlink this file to another file, causing the contents of
installserver.txt to be appended to the target file.
  vapid:/tmp# ls -l /tmp/installserver.txt
  lrwxrwxrwx 1 lwc lwc 11 Oct 1 18:27 /tmp/installserver.txt -> /etc/passwd
After installation, the contents of installserver.txt had been appended to /etc/passwd.
===File Permissions===
The default file permissions of the installation package are too open. An unprivileged user can take advantage of an installation by a privileged user by injecting code into the installer script.
  nobody@vapid:/home/auditor/test$ ls -l
  total 273168
  -rw-rw-rw- 1 root root 10328050 Aug 1 2005 Gls.rpm
  -rw-rw-rw- 1 32100 1360 5125418 Aug 1 2005 IIF.jar
  -rw-rw-rw- 1 root root 84374286 Aug 1 2005 IIFServer.rpm
  -rw-rw-rw- 1 root root 786557 Aug 1 2005 Message.rpm
  drwxrwxrwx 2 32100 1360 4096 Aug 1 2005 doc
  -rw-r--r-- 1 auditor auditor 140032000 Oct 1 18:21 iif.10.00.UC3R1TL.Linux.tar
  -rwxr-xr-x 1 32100 1360 4424 Aug 1 2005 install_rpm
  -rwxrwxrwx 1 32100 1360 38727685 Oct 1 18:46 installserver
  -rwxr-xr-x 1 32100 1360 5069 Aug 1 2005 server.ini
===Resolution===
The installer scripts should have more restrictive default permissions. The installserver.txt file should also be moved inside the ismp001 directory that is created during installation.
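A pre-install check an administrator can run for both issues, as an added example that is not part of the original advisory or of IBM's installer. The function names are hypothetical, and the log-path check is a point-in-time test that can still be raced, so it complements the fix described above rather than replacing it.

```shell
#!/bin/sh
# Added example: pre-install checks for the two issues in this advisory.
# Function names are hypothetical. Paths are arguments so the checks can
# be exercised on a constructed directory.

# Succeeds only if the log path is absent, or is a regular file owned by
# the invoking user. A symlink (even a dangling one) is rejected, because
# the installer would follow it and append to the link target.
log_path_is_safe() {
    p=$1
    if [ -L "$p" ]; then
        echo "UNSAFE: $p is a symlink -> $(readlink "$p")" >&2
        return 1
    fi
    if [ -e "$p" ] && { [ ! -f "$p" ] || [ ! -O "$p" ]; }; then
        echo "UNSAFE: $p exists and is not a regular file owned by you" >&2
        return 1
    fi
    return 0
}

# Succeeds only if nothing under the extracted package directory is
# writable by group or other. Offending paths are printed to stderr.
package_perms_ok() {
    offenders=$(find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print)
    [ -z "$offenders" ] && return 0
    printf 'UNSAFE: writable by group/other:\n%s\n' "$offenders" >&2
    return 1
}

# Remove group/other write permission from the extracted package.
tighten_package() {
    chmod -R go-w "$1"
}

# Typical use, run as the installing user from the extraction directory:
#   log_path_is_safe /tmp/installserver.txt || exit 1
#   package_perms_ok . || tighten_package .
```

Extracting the archive into a directory that only the installing user can enter (mode 0700) keeps other local users from reaching the installer files while these checks run.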
===Credit===
Larry W. Cashdollar
[[http://vapid.dhs.org]]