The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IBM DB2 Universal Database Administration Server File Creation
Vulnerability
------------------------------------------------------------------------
SUMMARY
IBM Corp.'s <http://ibm.com/db2/> DB2 Universal Database product is "a
large database server product commonly used for high-end databases. The
DB2 Administration Server (DAS) implements the server component to which
the Java-based DB2 Control Center GUI connects". Local exploitation of a
file creation vulnerability in the Administration Server of IBM Corp.'s
DB2 Universal Database allows attackers to elevate privileges to root.
DETAILS
Vulnerable Systems:
* IBM Corp.'s DB2 Universal Database 9.1 release with Fix Pack 3
installed on Linux
Immune Systems:
* IBM Corp.'s DB2 Universal Database 9.1 release with Fix Pack 4a
* IBM Corp.'s DB2 Universal Database 8 release with Fix Pack 16
* IBM Corp.'s DB2 Universal Database 9.5 release with Fix Pack 1
This vulnerability exists due to unsafe file access from within the
db2dasrrm program. When a user starts the DAS, the "db2dasrrm" process is
started with root privileges. As part of the initialization, the
"dasRecoveryIndex", "dasRecoveryIndex.tmp", ".dasRecoveryIndex.lock", and
"dasRecoveryIndex.cor" files are created with root privileges. By removing
and re-creating these files as symbolic links, an attacker can create
arbitrary files as root.
Analysis:
Exploitation allows local attackers to gain root privileges. In order to
exploit this vulnerability, an attacker must have access to an account
that is allowed to start and stop the DB2 Administration Server. For
example, the "dasusr1" account or an account with access to the "db2adm1"
group.
It should be noted that an attacker does not appear to have any control
over the contents of the data written. However, this does not
significantly impact exploitation since the file is created using the
user's umask and group.
Vendor response:
IBM Corp. has addressed this vulnerability with the release of V9.1 Fix
Pack 4a, V8 FixPak 16, and V9.5 Fix Pack 1 of its Universal Database
product. More information can be found at the following URLs.
V8: <http://www-1.ibm.com/support/docview.wss?uid=swg21256235>
http://www-1.ibm.com/support/docview.wss?uid=swg21256235
V9.1: <http://www-1.ibm.com/support/docview.wss?uid=swg21255572>
http://www-1.ibm.com/support/docview.wss?uid=swg21255572
V9.5: <http://www-1.ibm.com/support/docview.wss?uid=swg21287889>
http://www-1.ibm.com/support/docview.wss?uid=swg21287889
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5664>
CVE-2007-5664
Disclosure Timeline:
10/03/2007 - Initial vendor notification
10/16/2007 - Initial vendor response
04/09/2008 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=688>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=688
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
