26th Sep 2002 [SBWID-5282]
COMMAND
IBM Informix Web DataBlade local root by design
SYSTEMS AFFECTED
Web DataBlade 4.12, IDS 9.20/9.21, Linux 2.2/2.4, SunOS 5.7
PROBLEM
Simon Lodal says :
Impact
======
Any user who can: 1) Save a Perl script anywhere on the server's disk,
2) Run WebDataBlade HTML code of his own choice (calling that Perl
script) ... can execute any code of choice as the database uid, which
is usually root. Any WDB developer can do this. Any other local user
with admin right on any database can do it by loading the WDB module
into their database. Other local users will not be able to exploit this
by default, but if just one WDB developer has lax permissions on his
scripts, other users may modify it to assign root access to themselves.
Finally, the SQL injection vulnerability (other report) allows any
remote user to save Perl script and execute it from HTML code. These
vulnerabilities can therefore be combined into a remote root exploit.
Details
=======
The Web DataBlade has an unrestricted facility for running commands of
choice as the database user. The database runs as root, unless you have
taken special precautions to start it as another user. Therefore you
get root, by design. Or at least "informix", if the administrator
managed to start the database as this user.
The Web DataBlade language has no builtin commands for dealing with
files, network etc. Instead, Informix allows calling external scripts.
Such a feature, you would think, would simply allow execution of shell
commands, like system(). But Informix decided a much more complex setup
using a long-running daemon written in Perl. You can not call shell
commands from the HTML pages, instead pages instructs the daemon to
execute a labeled piece of (Perl) code; a "meta" function. The Perl
daemon is connected through a socket connection. The daemon is started
the first time a function in it is called, and keeps running until the
database itself is shutdown.
This design may look nice. Some actions can be done with Perl code
alone, avoiding spawning a new process and thus potentially gaining
speed. Too, it limits what commands can be run; this is decided by the
person who has access to change the Perl script. And it can take some
complexity away from the HTML code.
But now the trouble. Anyone with write access to somewhere on the
server's disk can add his own Perl script. Anybody who can add WDB HTML
code request his own page and thus call the script and the functions
within it. Several different Perl daemons can run simultaneously, and
there are no restrictions on where the scripts should be placed, who
can call the actions within them, who should own them or what their
permissions should be.
All this would not be so bad, if the script were just run as
stand-alone, one-shot shell commands, running under the uid of the
calling user. But the scripts are started by the database, and keep
running as the database user (again, usually root), regardless of
caller's identity. Simply said, you can create a Perl script of choice
and have it run as root.
Unfortunately this is an utter design mistake which can not easily be
fixed, at least not without breaking existing scripts. The Webdriver
module usually logs into the database using one specific
username/password, but it can also be configured to login on behalf of
the actual user making the connection to the webserver. This would not
be a problem if external commands were executed as separate processes
running under the uid of the connecting user, but here we are dealing
with a daemon executing commands on behalf of possibly many different
uids (any uid which the webdriver can connect as). And in their
infinite wisdom Informix decided that when we dont know which uid we
will serve, they'll better just get the uid of the database server
itself, which usually happens to be root. They simply did not even
think about how to deal with the change of uids. A brief discussion I
had with a developer at Informix clearly indicated complete lack of
understanding of this problem.
As a sidenote, Informix' own example script contains an action which is
intended to allow execution of user-defined Perl code...
Proof of concept: I am not going to provide the exact syntax here since
that does not help the description any further. Anyone with access to a
machine running WDB can fetch the example script and modify it. Try fx
to write a new file, and see who gets to own it.
SOLUTION
Workaround
==========
Disable the entire Perl script feature. I believe it must be enabled
explicitly, but that may depend on how you got Web DataBlade. However,
any site needing to send mail, copy/move/create/delete external files,
or otherwise communicate with the world outside the database, will
usually need to use this feature, as it is the easiest way to do these
things (alternatives are C and Java).