Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Multiple IBM DB2 Vulnerabilities

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Multiple IBM DB2 Vulnerabilities
Date: 9 Jan 2005 19:15:05 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Multiple IBM DB2 Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 <http://www-306.ibm.com/software/data/db2/> IBM's DB2 database server 
contain several vulnerabilities in its that can be used to read and write 
files on the system, crash the server and run arbitrary machine code.

DETAILS

Vulnerable Systems:
 * DB2 v7.x
 * DB2 v8.1

IBM DB2 db2fmp buffer overflow:
IBM's DB2 database server suffers from a local attack whereby passing an 
overly parameter to the db2fmp binary will overflow a stack based buffer.

db2fmp is used for running fenced libraries. A fenced library is one that 
is not loaded into the main DB2 process so in the event of an error the 
server is not taken down as well. On UNIX based versions of DB2, db2fmp is 
installed setuid root. Exploiting this buffer overrun can allow a local 
attacker to gain root privileges.

Note - Some versions may drop root privileges before the overflow can be 
exploited.
Note - Whilst the overflow is present on Windows platforms it cannot be 
exploited to gain elevated privileges.

IBM DB2 libdb2.so buffer overflow
libdb2.so.1, one of the libraries supplied with IBM's DB2 database server 
suffers from a buffer overflow vulnerability.

This vulnerability can be divided into two separate issues.

Firstly, when libdb2.so is loaded it reads the DBLPORT environment 
variable and copies the value to a buffer in the .bss section. This buffer 
is overflowed. By providing an overly long DB2LPORT environment variable 
it fills the db2MLNPort_name buffer in the .bss section of libdb2.so.1 - 
then spills over into the db2node_name buffer, into the instprof_path 
buffer, into the instance_path buffer and so on all the way into the 
install_path buffer.

Secondly, when the sqloInstancePath() reads the install_path we overflow a 
local stack based buffer of sqloGetInstancePath().

This can be exploited to gain root privileges. For example, db2cacpy is 
setuid root. This program loads the library and calls sqloInstancePath() 
overflowing the buffer.

IBM DB2 call buffer overflow:
IBM's DB2 database server suffers from a stack based buffer overflow 
vulnerability when using "call".

Under DB2 it is possible to load a library directly and execute a 
function:
call libname!function
By passing an overly long libname it is possible to overflow a stack based 
buffer and overwrite the saved return address. When exploited this can 
allow an attacker to gain elevated privileges.

Note 1) if an attacker can place an arbitrary library on the system (and 
there are ways to do this via DB2 and SQL) then there is no need to 
exploit this overflow. It is sufficient simply to create the library and 
export a function that takes no parameters.

Note 2) "CREATE WRAPPERS" uses the same code as "CALL" and is presents 
another vector.

IBM DB2 JDBC Applet Server buffer overflow:
IBM's DB2 JDBC Applet Server suffers from a stack based buffer overflow 
vulnerability that can be exploited remotely without a user ID or 
password.
When a client connects to the JDBC applet server on TCP port 6789 it does 
so using a proprietary protocol. The connection packet starts with 
ValidDb2jdTokenFromTheClientSide and includes the username, the password, 
the db2java.zip version and the database to connect to.

The problem arises as follows:
First, an attacker attempts to authenticate to the JDBC applet server on 
TCP 6789 with an overly long username of c. 2200 bytes then disconnects 
gracefully.
Second, they reconnect, but this time send a short username but set the 
db2java.zip version to something other than expected by the server. Set 
the version to c. 544 Unicode bytes \x00\x41.

An error is logged and at some stage the null terminator is removed and 
the original username that was sent is concatentated to the db2java.zip 
version.
This is then copied to a stack based buffer and it overflows.

IBM DB2 SATADMIN.SATENCRYPT buffer overflow:
IBM's DB2 database server, when configured for Satellite Administration 
includes a number of SQL functions. One of these, the SATENCRYPT function 
suffers from a stack based buffer overflow vulnerability.

The SATENCRYPT function in the SATADMIN schema is vulnerable to a classic 
stack based overflow. The satencrypt function is exported by db2prom.dll 
and one of it's subfunctions creates a 40 byte buffer. User supplied data 
is copied to the buffer until a null terminator is reached in a while 
loop. By passing a parameter longer than 40 bytes allows the attacker to 
overflow the buffer and overwrite the saved return address. By exploiting 
this an attacker can gain elevated privileges.

Note - by default, public cannot execute this function.

IBM DB2 Windows Permission Problems:
Almost all shared memory sections and events in the Windows version of DB2 
have weak permissions; all sections can be read and written by Everyone, 
and all events can be set and waited on by Everyone. This results in a 
number of security issues relating to the privileges of local users.

 * Depending on the server's authentication mode, any user can read 
plaintext windows usernames and passwords from the 'DB2SHMSECURITYSERVICE' 
section. If the authentication mode is 'client', the username and password 
combinations for all client connections can be read from this section.
The data in this section persists until another connection is made. Any 
user can shut down DB2, by setting the event named 'DB2SHUTDOWNSEM'+ pid, 
for example: DB2SHUTDOWNSEM000002ec

 * Any user can DOS the "DB2 Security Server", by writing non-zero values 
to the section 'DB2SHMSECURITYSERVICE', followed by setting the security 
service 'input' event, to make the service read the input data:
DB2NTSECURITYINPUT
The service will then crash.

 * Any user can read potentially sensitive query and/or query result data 
from a number of shared memory sections. The following sections are marked 
readable by 'Everybody':
section read DB20QM
section read DB2GLBQ0QM
section read DB2SHMDB2_0APP
section read DB2SHMDB2_0APL00000003
section read DB2SHMDB2_0APL00000004
section read DB2SHMDB2_0APL00000005
..etc

 * After writing to the world-writeable section 'DB20QM':
section write DB20QM
.. the DB2 'command line processor' will not run, nor will the 'command 
center', the server has effectively been DOSsed.

IBM DB2 to_char and to_date Denial Of Service:
IBM DB2 is vulnerable to Denial of Service conditions when processing 
to_char and to_date function calls.

 * If the to_char function is called with an empty string for its second 
parameter, DB2 dereferences a null pointer and terminates:
select to_char('aaa','') from sysibm.sysdummy1
 * If the to_date function is called with an empty string for its second 
parameter, DB2 dereferences a null pointer and terminates:
select to_date('aaa', '') from sysibm.sysdummy1
In both cases, DB2 must be restarted in order to restore normal 
functionality.

IBM DB2 XML functions overflows:
The xmlvarcharfromfile suffers from a buffer overflow vulnerability. When 
and only when, 94 bytes are supplied for the second argument a pointer to 
the user supplied string is written over the saved return address so when 
ucnv_open_2_0 (in db2xmlfn.dll) returns - it does so into the string. This 
allows an attacker to run arbitrary code and elevate privileges.

The xmlclobfromfile, xmlfilefromvarchar and xmlfilefromclob functions are 
also vulnerable.

IBM DB2 XML Functions File Creation Vulnerabilities:
The XMLFileFromVarchar and XMLFileFromClob functions can be used to create 
files on the remote server. If the file exists the original is overwritten 
with the new content. The permissions of the account running DB2 is used 
and not that of the user. This vulnerability can be used to create 
executable binaries on the remote server as well. An attacker could create 
a library for example and then load it via "CALL".
The XMLVarcharFromFile and XMLClobFromFile can be used to read files from 
the remote server.

Fix Information:
IBM has published a patch and can be obtained with the latest fixpak.
 <http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html> 
http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 
v8.1
 <http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html> 
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 
v7.x

The original articles can be found at:
 <http://www.ngssoftware.com/advisories/db205012005A.txt> 
http://www.ngssoftware.com/advisories/db205012005A.txt
 <http://www.ngssoftware.com/advisories/db205012005B.txt> 
http://www.ngssoftware.com/advisories/db205012005B.txt
 <http://www.ngssoftware.com/advisories/db205012005C.txt> 
http://www.ngssoftware.com/advisories/db205012005C.txt
 <http://www.ngssoftware.com/advisories/db205012005D.txt> 
http://www.ngssoftware.com/advisories/db205012005D.txt
 <http://www.ngssoftware.com/advisories/db205012005E.txt> 
http://www.ngssoftware.com/advisories/db205012005E.txt
 <http://www.ngssoftware.com/advisories/db205012005F.txt> 
http://www.ngssoftware.com/advisories/db205012005F.txt
 <http://www.ngssoftware.com/advisories/db205012005G.txt> 
http://www.ngssoftware.com/advisories/db205012005G.txt
 <http://www.ngssoftware.com/advisories/db205012005H.txt> 
http://www.ngssoftware.com/advisories/db205012005H.txt
 <http://www.ngssoftware.com/advisories/db205012005I.txt> 
http://www.ngssoftware.com/advisories/db205012005I.txt


ADDITIONAL INFORMATION

The information has been provided by  <mailto:nisr@nextgenss.com> 
NGSSoftware Insight Security Research.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Multiple IBM DB2 Vulnerabilities, SecuriTeam <=
Previous by Date:  [REVS] Hacking Bluetooth Enabled Mobile Phones and Beyond, SecuriTeam
Next by Date:  [UNIX] Simple PHP Blog Directory Traversal, SecuriTeam
Previous by Thread:  [REVS] Hacking Bluetooth Enabled Mobile Phones and Beyond, SecuriTeam
Next by Thread:  [UNIX] Simple PHP Blog Directory Traversal, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]