Date: Tue, 9 Feb 1999 17:57:27 +0100
From: Oezguer Kesim
To: BUGTRAQ@netspace.org
Subject: Re: L0pht Advisory - Rational Software ClearCase root exploitable race conditions

Holla, things are even worse!

You may want to remove the setuid flag from /usr/atria/etc/db_loader, _but_
this won't fix the problem -- just the exploit given by Dr. Mudge.
Let me elaborate:

1. Observation:
================

If we make a

# /usr/atria/bin/cleartool mkvob -tag /tmp/foo /tmp/foo.vbs

you'll notice that

# ls -l /tmp/foo.vbs/db/db_dumper

results in

-r-sr-xr-x   1 root     root     1526912 Jan 21  1998 db_dumper

2. Observation:
================

While using the above command (cleartool mkvob ...) see what albd_server
actually makes:

# ps -A | grep albd
  188 ?        0:08 albd_ser

Now, if you read the output of

truss -f -p 188

when the above command is used, you'll notice the following:

...
  188:   fork()                                          = 14311
14311:   fork()          (returning as child ...)        = 188
...
14311:   execve("/usr/atria/etc/db_server", 0xEFFFED9C, 0xEFFFFF24)  argc = 3
...
14311:   stat("/usr/atria/etc/db_dumper", 0xEFFFE110)    = 0
14311:   access("/tmp/foo.vbs/db/db_dumper", 0)          Err#2 ENOENT
14311:   open("/usr/atria/etc/db_dumper", O_RDONLY)      = 14
14311:   open("/tmp/foo.vbs/db/db_dumper", O_WRONLY|O_CREAT|O_TRUNC, 0100555) = 15
14311:   read(14, "7F E L F010201\0\0\0\0\0".., 65536)   = 65536
14311:   write(15, "7F E L F010201\0\0\0\0\0".., 65536)  = 65536
...
14311:   utime("/tmp/foo.vbs/db/db_dumper", 0xEFFFD400)  = 0
14311:   stat("/tmp/foo.vbs/db/db_dumper", 0xEFFFE438)   = 0
14311:   chmod("/tmp/foo.vbs/db/db_dumper", 0104555)     = 0

In other words, _exactly the same code as before_!! But this time in
/usr/atria/etc/db_server and called by the daemon albd_server running
under uid root.

Therefore, you can use the exploit by l0pht after small modifications,
_even_ if you remove the setuid flag of /usr/atria/etc/db_loader.

3. Observation:
================

# ldd /usr/atria/etc/db_server
        libatriadb.so =>         /usr/atria/shlib/libatriadb.so
# strings /usr/atria/shlib/libatriadb.so | grep db_dumper
db_dumper

Most probably the whole code is written in here...

cheers,
oec

--
Oezguer Kesim        | Unix Support   | Email: Oec.Kesim@alcatel.de
Alcatel SEL Berlin   |
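The truss output above shows the pattern that makes this exploitable: a root process creates the file by path, copies the binary in, and then applies the setuid mode with chmod() by path, so whatever that path resolves to at chmod time becomes setuid root. The following C program is an added example, not code from the original post, from L0pht or from ClearCase: it reproduces that sequence against a scratch directory under /tmp, lets a stand-in for the attacker swap a symlink into the window, and shows the same installer written so that the mode can only land on the inode the installer itself created. Every path, file name and the race hook are constructed for the demonstration; how db_server reacts when the access() check hits an existing file is not visible in the trace and is not modelled.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for an attacker acting inside the race window. */
typedef void (*race_hook)(const char *dst, void *arg);
typedef int (*installer_fn)(const char *src, const char *dst, race_hook hook, void *arg);

/* Copy everything readable from `in` to `out`. Returns 0 on success, -1 on error. */
static int copy_fd(int in, int out) {
    char buf[65536];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) return -1;
            off += w;
        }
    }
    return n < 0 ? -1 : 0;
}

/* Vulnerable installer, mirroring the trace: open O_CREAT|O_TRUNC by path,
   copy, then chmod by path. `hook` runs in the window before the chmod. */
int install_setuid_racy(const char *src, const char *dst, race_hook hook, void *arg) {
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0555);
    if (out < 0) { close(in); return -1; }
    int rc = copy_fd(in, out);
    close(out);
    close(in);
    if (rc < 0) return -1;
    if (hook) hook(dst, arg);   /* attacker owns the directory: dst can be replaced here */
    return chmod(dst, 04555);   /* follows whatever dst resolves to *now* */
}

/* Hardened installer: create exclusively, never follow links, confirm the
   object we hold is a fresh regular file, and set the mode on the descriptor. */
int install_setuid_safe(const char *src, const char *dst, race_hook hook, void *arg) {
    struct stat ours, now;
    int in = open(src, O_RDONLY | O_NOFOLLOW);
    if (in < 0) return -1;
    /* O_EXCL: refuse to reuse or truncate anything already at dst.
       O_NOFOLLOW: a planted symlink must not choose the target for us. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0555);
    if (out < 0) { close(in); return -1; }
    int rc = copy_fd(in, out);
    close(in);
    if (rc == 0 && (fstat(out, &ours) < 0 || !S_ISREG(ours.st_mode) || ours.st_nlink != 1))
        rc = -1;
    if (hook) hook(dst, arg);   /* same window as in the racy version */
    /* Does the path still name the inode we created? If not, report tampering. */
    if (rc == 0 && (lstat(dst, &now) < 0 || now.st_dev != ours.st_dev || now.st_ino != ours.st_ino))
        rc = -1;
    /* fchmod acts on our descriptor, so the setuid bit cannot land anywhere else. */
    if (rc == 0) rc = fchmod(out, 04555);
    close(out);
    return rc;
}

/* Constructed attacker move: replace dst with a symlink to a file of their choice. */
static void swap_in_symlink(const char *dst, void *arg) {
    unlink(dst);
    symlink((const char *)arg, dst);
}

static int write_file(const char *path, const char *data, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    int rc = write(fd, data, len) == (ssize_t)len ? 0 : -1;
    close(fd);
    return rc;
}

/* 1 if `path` carries the setuid bit, 0 if not, -1 on error. */
int has_setuid(const char *path) {
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

struct outcome { int install_rc; int victim_setuid; int dst_setuid; };

/* Build a scratch "VOB" under /tmp with a source binary and an attacker-owned
   victim file, run `installer` (with the symlink swap if `attack` is set), and
   report what became setuid. All files are constructed here and removed again. */
struct outcome run_scenario(installer_fn installer, int attack) {
    struct outcome o = { -1, -1, -1 };
    char dir[] = "/tmp/vobrace.XXXXXX";
    if (!mkdtemp(dir)) return o;
    char src[256], dst[256], victim[256];
    snprintf(src, sizeof src, "%s/db_dumper.orig", dir);
    snprintf(dst, sizeof dst, "%s/db_dumper", dir);
    snprintf(victim, sizeof victim, "%s/attacker_binary", dir);
    if (write_file(src, "#!/bin/sh\necho legit\n", 0555) == 0 &&
        write_file(victim, "#!/bin/sh\necho pwned\n", 0755) == 0) {
        o.install_rc = installer(src, dst, attack ? swap_in_symlink : NULL, victim);
        o.victim_setuid = has_setuid(victim);
        o.dst_setuid = has_setuid(dst);
    }
    unlink(dst); unlink(src); unlink(victim); rmdir(dir);
    return o;
}

int main(void) {
    struct outcome r = run_scenario(install_setuid_racy, 1);
    struct outcome s = run_scenario(install_setuid_safe, 1);
    printf("racy: rc=%d victim setuid=%d\n", r.install_rc, r.victim_setuid);
    printf("safe: rc=%d victim setuid=%d\n", s.install_rc, s.victim_setuid);
    return 0;
}
```

Run as an ordinary user: the racy installer reports success and the victim file ends up with mode 04555, exactly the outcome the trace makes possible when the chmod is done by a root daemon; the hardened one refuses the tampered install and the victim is untouched. Note that O_EXCL, O_NOFOLLOW and fchmod only close the window in this copy routine. The underlying design problem the post points at remains: a root daemon writing a setuid-root binary into a directory the requesting user controls, and that should not be done at all.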