Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: General :: bt658.txt

IBM U2 UniVerse uvadm can take root via bufferoverflows

Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Thanks to IBM for being so receptive with these issues.

For those of you that have requested we revive the old "Snosoft" 
advisories we have begun placing our legacy advisories at as time permits.

Content-Type: text/plain;
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;

Secure Network Operations, Inc. 
Strategic Reconnaissance Team     
Team Lead Contact                       

Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

Quick Summary:
Advisory Number         : SRT2003-07-08-1223
Product                 : IBM U2 UniVerse
Version                 : Version <= ?
Vendor                  :
Class                   : local
Criticality             : High (to UniVerse servers with local users)
Operating System(s)     : Only confirmed on Linux (other unix based?)

High Level Explanation
High Level Description  : uvadm can take root via buffer overflows
What to do              : chmod -s /usr/ibm/uv/bin/uvadmsh

Technical Details
Proof Of Concept Status : SNO does have Poc code
Low Level Description   : 

UniVerse is an extended relational database designed for embedding in 
vertical applications. Its nested relational data model results in 
intuitive data modeling and fewer resulting tables. UniVerse provides 
data access, storage and management capabilities across Microsoft®
Windows® NT, Linux and UNIplatform.

The uvadm user may exploit a buffer overflow in the uvadmsh binary to 
take root. There is a buffer overflow when processing command line
arguments. Please note that without the -uv.install argument this issue 
is NOT exploitable however the overflow still occurs. 

(gdb) r -uv.install `perl -e 'print "Z" x 546'`
Starting program: uvadmsh -uv.install `perl -e 'print "Z" x 546'`

Program received signal SIGSEGV, Segmentation fault.
0x5a5a5a5a in ?? ()
(gdb) bt
#0  0x5a5a5a5a in ?? ()
Cannot access memory at address 0x5a5a5a5a

You must have uvadm rights in order to exploit this issue. The 
creation and use of the Unix  user 'uvadm' is optional for UniVerse. 
It is not required for the successfull installation, configuration and
administration of UniVerse. The intended use of uvadm is to allow a
selected, specific non-root user to perform all aspects of UniVerse

[uvadm@vegeta tmp]$ id
uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)
[uvadm@vegeta tmp]$ ./
sh-2.05b# id
uid=0(root) gid=503(uvadm) groups=503(uvadm)

Patch or Workaround     : chmod -s /usr/ibm/uv/bin/uvadmsh

Note: If you decide to 'chmod -s uvadmsh', you will need to be a root 
user to perform all of the uvadmsh functions.

Vendor Status           : The IBM U2 staff will have this issue resolved 
in a future release of IBM U2. Patches may also be supplied on a per 
client basis at IBM's disgression. 

Bugtraq URL             : to be assigned

This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact for information on how
to obtain exploit information.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH