The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IBM Informix Pre-Authentication Stack Overflow
------------------------------------------------------------------------
SUMMARY
The IBM Informix Database service is vulnerable to a stack based buffer
overflow which can be exploited remotely before the authentication has
been completed.
DETAILS
Vulnerable Systems:
* IBM Informix IDS versiions 7.x through version 11.x
Vulnerability Details:
A vulnerability was identified in this code when a large number of
parameters, delimited by either a 0x20 or 0x0a, are sent in the initial
packet. A stack based buffer overflow occurs in the outer parsing function
as too many pointers are pushed to the stack and subsequently overwrite
the function's return address.
When the function responsible for copying the pointers to the stack
returns it continues through the parent parsing function. Control over
execution is gained when the outer function returns. The execution
conveniently continues at the location referenced by the pointer which was
used to overwrite the return address.
This pointer references the start of the memory location where the
parameter data sits and is written to the stack using the value in the ESI
register. This means that it is not necessary to discover the location of
the shellcode in memory as a pointer to its location is provided by the
function itself. The shellcode can therefore be located in a parameter
field of the initial data packet and will automatically be executed after
the pointer has overwritten the return address.
Impact:
The vulnerability would enable an attacker to execute arbitrary code on
the system with the privileges of the Informix user. By default, this
account is a member of the administrators group on a Microsoft Windows
system.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0949>
CVE-2008-0949
Vendor Response:
The vendor has released updates to resolve this issue, please refer to the
following links.
<http://www-1.ibm.com/support/search.wss?rs=0&q=IC55223&apar=only>
http://www-1.ibm.com/support/search.wss?rs=0&q=IC55223&apar=only
<http://www-1.ibm.com/support/search.wss?rs=0&q=IC55224&apar=only>
http://www-1.ibm.com/support/search.wss?rs=0&q=IC55224&apar=only
<http://www-1.ibm.com/support/search.wss?rs=0&q=IC55225&apar=only>
http://www-1.ibm.com/support/search.wss?rs=0&q=IC55225&apar=only
ADDITIONAL INFORMATION
The information has been provided by
<mailto:Elspeth.Levi@mwrinfosecurity.com> Elspeth Levi.
The original article can be found at:
<http://www.mwrinfosecurity.com/publications/mwri_ibm-informix-pre-auth-overflow_2008-04-14.pdf>
http://www.mwrinfosecurity.com/publications/mwri_ibm-informix-pre-auth-overflow_2008-04-14.pdf
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
