Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPacket StormPACKETSTORM:12207
HistoryAug 17, 1999 - 12:00 a.m.

clearcase2.txt

1999-08-1700:00:00
Packet Storm
packetstormsecurity.com
40
JSON
`Date: Tue, 9 Feb 1999 17:57:27 +0100  
From: Oezguer Kesim <[email protected]>  
To: [email protected]  
Subject: Re: L0pht Advisory - Rational Software ClearCase root exploitable race conditions  
  
Holla,  
  
things are even worse! You may want to remove the setuid flag from  
/usr/atria/etc/db_loader, _but_ this won't fix the problem -- just the exploit  
given by Dr. Mudge. Let me elaborate:  
  
1. Observation:  
================  
  
If we make a  
  
# /usr/atria/bin/cleartool mkvob -tag /tmp/foo /tmp/foo.vbs  
  
you'll notice that  
  
# ls -l /tmp/foo.vbs/db/db_dumper  
  
results  
  
-r-sr-xr-x 1 root root 1526912 Jan 21 1998 db_dumper  
  
2. Observation:  
================  
  
While using the above command (cleartool mkvob ...) see what albd_server  
actually makes:  
  
# ps -A | grep albd  
188 ? 0:08 albd_ser  
  
Now, if you read the output of  
  
truss -f -p 188  
  
when the above command is used, you'll notice the following:  
  
...  
  
188: fork() = 14311  
14311: fork() (returning as child ...) = 188  
...  
  
14311: execve("/usr/atria/etc/db_server", 0xEFFFED9C, 0xEFFFFF24) argc = 3  
...  
  
14311: stat("/usr/atria/etc/db_dumper", 0xEFFFE110) = 0  
14311: access("/tmp/foo.vbs/db/db_dumper", 0) Err#2 ENOENT  
14311: open("/usr/atria/etc/db_dumper", O_RDONLY) = 14  
14311: open("/tmp/foo.vbs/db/db_dumper", O_WRONLY|O_CREAT|O_TRUNC, 0100555) = 15  
14311: read(14, "7F E L F010201\0\0\0\0\0".., 65536) = 65536  
14311: write(15, "7F E L F010201\0\0\0\0\0".., 65536) = 65536  
...  
  
14311: utime("/tmp/foo.vbs/db/db_dumper", 0xEFFFD400) = 0  
14311: stat("/tmp/foo.vbs/db/db_dumper", 0xEFFFE438) = 0  
14311: chmod("/tmp/foo.vbs/db/db_dumper", 0104555) = 0  
  
In other words _exactly the same code as before_ !! But this time in  
/usr/atria/etc/db_server and called by the daemon albd_server running under  
uid root.  
  
Therefore, you can use the exploit by l0pht after small modifiactions, _even_  
if you remove the setuid flag of /usr/atria/etc/db_loader .  
  
3. Observation:  
================  
  
# ldd /usr/atria/etc/db_server  
libatriadb.so => /usr/atria/shlib/libatriadb.so  
  
# strings /usr/atria/shlib/libatriadb.so | grep db_dumper  
db_dumper  
  
Most probably the whole code is written in here...  
  
cheers,  
oec  
  
--  
Oezguer Kesim |  
Unix Support | Email: [email protected]  
Alcatel SEL Berlin |  
  
`
JSON