Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: web5282.htm

IBM Informix Web DataBlade local root by design



19th Apr 2002 [SBWID-5282]
COMMAND

	IBM Informix Web DataBlade local root by design

SYSTEMS AFFECTED

	Web DataBlade 4.12, IDS 9.20/9.21, Linux 2.2/2.4, SunOS 5.7

PROBLEM

	Simon Lodal says :
	

	 Impact

	 ======

	

	Any user who can: 1) Save a Perl script anywhere on the server\'s  disk,
	2) Run WebDataBlade HTML code of  his  own  choice  (calling  that  Perl
	script) ... can execute any code of choice as the  database  uid,  which
	is usually root. Any WDB developer can do this.  Any  other  local  user
	with admin right on any database can do it by  loading  the  WDB  module
	into their database. Other local users will not be able to exploit  this
	by default, but if just one WDB developer has  lax  permissions  on  his
	scripts, other users may modify it to assign root access to  themselves.
	Finally, the SQL  injection  vulnerability  (other  report)  allows  any
	remote user to save Perl script and execute it  from  HTML  code.  These
	vulnerabilities can therefore be combined into a remote root exploit.
	

	

	 Details

	 =======

	

	The Web DataBlade has an unrestricted facility for running  commands  of
	choice as the database user. The database runs as root, unless you  have
	taken special precautions to start it as  another  user.  Therefore  you
	get root, by design. Or at  least  \"informix\",  if  the  administrator
	managed to start the database as this user.
	

	The Web DataBlade language has no  builtin  commands  for  dealing  with
	files, network etc. Instead, Informix allows calling  external  scripts.
	Such a feature, you would think, would simply allow execution  of  shell
	commands, like system(). But Informix decided a much more complex  setup
	using a long-running daemon written in Perl.  You  can  not  call  shell
	commands from the HTML pages, instead  pages  instructs  the  daemon  to
	execute a labeled piece of (Perl) code; a \"meta\"  function.  The  Perl
	daemon is connected through a socket connection. The daemon  is  started
	the first time a function in it is called, and keeps running  until  the
	database itself is shutdown.
	

	This design may look nice. Some actions  can  be  done  with  Perl  code
	alone, avoiding spawning a new  process  and  thus  potentially  gaining
	speed. Too, it limits what commands can be run; this is decided  by  the
	person who has access to change the Perl script. And it  can  take  some
	complexity away from the HTML code.
	

	But now the trouble. Anyone  with  write  access  to  somewhere  on  the
	server\'s disk can add his own Perl script.  Anybody  who  can  add  WDB
	HTML code request his  own  page  and  thus  call  the  script  and  the
	functions  within  it.  Several   different   Perl   daemons   can   run
	simultaneously, and there are  no  restrictions  on  where  the  scripts
	should be placed, who can call the actions within them, who  should  own
	them or what their permissions should be.
	

	All this  would  not  be  so  bad,  if  the  script  were  just  run  as
	stand-alone, one-shot shell commands,  running  under  the  uid  of  the
	calling user. But the scripts are started  by  the  database,  and  keep
	running as the  database  user  (again,  usually  root),  regardless  of
	caller\'s identity. Simply said, you can create a Perl script of  choice
	and have it run as root.
	

	Unfortunately this is an utter design mistake which can  not  easily  be
	fixed, at least not without breaking  existing  scripts.  The  Webdriver
	module   usually   logs   into   the   database   using   one   specific
	username/password, but it can also be configured to login on  behalf  of
	the actual user making the connection to the webserver. This  would  not
	be a problem if external commands were executed  as  separate  processes
	running under the uid of the connecting user, but here  we  are  dealing
	with a daemon executing commands on behalf of  possibly  many  different
	uids (any uid  which  the  webdriver  can  connect  as).  And  in  their
	infinite wisdom Informix decided that when we dont  know  which  uid  we
	will serve, they\'ll better just get the  uid  of  the  database  server
	itself, which usually happens to be  root.  They  simply  did  not  even
	think about how to deal with the change of uids. A  brief  discussion  I
	had with a developer at Informix  clearly  indicated  complete  lack  of
	understanding of this problem.
	

	As a sidenote, Informix\' own example script contains  an  action  which
	is intended to allow execution of user-defined Perl code...
	

	Proof of concept: I am not going to provide the exact syntax here  since
	that does not help the description any further. Anyone with access to  a
	machine running WDB can fetch the example script and modify it.  Try  fx
	to write a new file, and see who gets to own it.
	

	

SOLUTION

	 Workaround

	 ==========

	

	Disable the entire Perl script feature. I believe  it  must  be  enabled
	explicitly, but that may depend on how you got Web  DataBlade.  However,
	any site needing to send mail, copy/move/create/delete  external  files,
	or otherwise communicate with  the  world  outside  the  database,  will
	usually need to use this feature, as it is the easiest way to  do  these
	things (alternatives are C and Java).
	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH