SecurityTracker.com
Category:   Application (Database) > IBM DB2
Vendors:   IBM
IBM DB2 db2licm and db2dart Buffer Overflows Let Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1007745
SecurityTracker URL:  http://securitytracker.com/id/1007745
CVE Reference:   CAN-2003-0758, CAN-2003-0759
Updated:  Dec 1 2003
Original Entry Date:  Sep 18 2003
Impact:   Execution of arbitrary code via local system, Root access via local system

Version(s): 7.2
Description:   Several stack overflows were reported in IBM's DB2 database server. A local user with certain privileges can obtain root privileges on the system.

Core Security Technologies reported that the db2licm and db2dart binaries contain buffer overflows. A local user with certain privileges can supply a long command line argument to the applications to execute arbitrary code on the system. Because the binaries are configured with set user id (setuid) root user privileges, the arbitrary code will execute with root privileges.

A local user with 'db2as' or 'db2inst1' user privileges can execute the binaries.

The report confirms that version 7.2 for Linux/x86 and for Linux/s390 is vulnerable. Other versions and platforms may be affected, but were not tested.

Some demonstration exploit commands are provided:

/home/db2as/sqllib/adm/db2dart `perl -e 'print "A"x1287'`

/home/db2as/sqllib/adm/db2licm `perl -e 'print "A"x999'`

The vendor was reportedly notified on August 15, 2003 and acknowledged notification on August 18, 2003.

Impact:   A local user with 'db2as' or 'db2inst1' user privileges can execute arbitrary code with root privileges.
Solution:   The vendor has issued a fix for the db2dart issue (CAN-2003-0758) in Fixpak 10 for DB2 v7.2, available at:

http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report

The vendor has issued a fix for the db2licm issue (CAN-2003-0759) in Fixpak 10a for DB2 v7.2, to be available shortly at:

http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v7fphist.d2w/report

Vendor URL:  www.ibm.com/software/data/db2/udb/
Cause:   Boundary error
Underlying OS:   Linux (Any)

Message History:   None.


Source Message Contents

Date:  Thu, 18 Sep 2003 11:32:20 -0300
Subject:  CORE-2003-0531: Multiple IBM DB2 Stack Overflow Vulnerabilities


                        Core Security Technologies Advisory
                            http://www.coresecurity.com

                  Multiple IBM DB2 Stack Overflow Vulnerabilities



Date Published: 2003-09-18

Last Update: 2003-09-18

Advisory ID: CORE-2003-0531

Bugtraq ID: 8552, 8553

CVE Name: CAN-2003-0758, CAN-2003-0759

Title: Multiple IBM DB2 Stack Overflow Vulnerabilities

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: No

Locally Exploitable: Yes

Advisory URL: http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10

Vendors contacted: 
- IBM:
  . Core Notification: 2003-08-15
  . Notification acknowledged by IBM: 2003-08-18
  . Fixes available for [CAN-2003-0758]: 2003-08-31
  . Fixes available for [CAN-2003-0759]: 2003-09-17

Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

 DB2 is IBM's relational database software, oriented toward the 
 deployment and development of e-business, business intelligence, 
 content management, enterprise resource planning and customer 
 relationship management solutions. DB2 can be deployed in
 AIX, HP-UX, Linux, Solaris and Windows environments.

 IBM's DB2 database ships with two vulnerable setuid binaries, namely
 db2licm and db2dart. Both binaries are vulnerable to a buffer overflow
 that allows a local attacker to execute arbitrary code on the
 vulnerable machine with the privileges of the root user. The vulnerability
 is triggered by providing a long command line argument to the binaries.

 By default (in the environment available during research), the
 vulnerable binaries have the following privileges (for example in the
 case of db2licm):
 
 -r-sr-x---    1 root     db2iadm1    31926 Jun 21  2002 /home/db2inst1/sqllib/adm/db2licm
 -r-sr-x---    1 root     db2asgrp    31926 Jun 21  2002 /home/db2as/sqllib/adm/db2licm

 The db2as is the only user of the db2iadm1 group, and db2inst1 is the
 only user of the db2asgrp group. So, in a default install, an attacker
 with access to the system through any of those accounts will be able to
 escalate privileges to the root account.
 

*Vulnerable Packages:*

 IBM DB2 Universal Data Base v7.2 for Linux/x86 is vulnerable.
 IBM DB2 Universal Data Base v7.2 for Linux/s390 is vulnerable.

 Other IBM DB2 versions and target platforms were not available for
 testing, but may be vulnerable as well.


*Solution/Vendor Information/Workaround:*

 [BID 8552, CAN-2003-0758]
 The db2dart issue is fixed in Fixpak 10 for DB2 v7.2.

 Fixpak 10 is available at:
 http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report


 [BID 8553, CAN-2003-0759]
 The db2licm issue is fixed in Fixpak 10a for DB2 v7.2.

 Fixpak 10a will soon be available at:
 http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v7fphist.d2w/report

 If Fixpak 10a is not yet available on this web page, you
 can download it from IBM's FTP site. For example, the 32-bit Intel
 Linux version of Fixpak 10a is located at:
 ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2linuxv7/FP10a_U495179

 

*Credits:*

 This vulnerability was found by Juan Pablo Martinez Kuhn from 
 Core Security Technologies. 
 We wish to thank Juan Manuel Pascual Escriba for his cooperation 
 testing and confirming the vulnerabilities. We also wish to thank
 Scott Logan from IBM for his quick response to this issue.


*Technical Description - Exploit/Concept Code:*

 The following tests are enough to confirm a binary is vulnerable.
 Executing these perl scripts should produce a segmentation fault
 in vulnerable binaries:

 [BID 8552, CAN-2003-0758]

 /home/db2as/sqllib/adm/db2dart `perl -e 'print "A"x1287'`

 Segmentation fault


 [BID 8553, CAN-2003-0759]

 /home/db2as/sqllib/adm/db2licm `perl -e 'print "A"x999'`
 ...
 User Response:  Enter the name of a file that exists and can be
 opened and try the command again.

 Segmentation fault
 ...

 Both binaries suffer from a simple stack based buffer overflow.
 Exploitation of the vulnerabilities is trivial. To confirm the
 exploitability, sample exploit code was developed for DB2 7.1 binaries
 for the Linux operating system running on x86 and s390 systems.
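 The following is an added illustration of the bug class the advisory describes, not code from Core Security or from IBM's binaries: a command line argument copied into a fixed stack buffer without a length check, beside a bounded, fail-closed variant that rejects the advisory's 1287-byte and 999-byte inputs instead of corrupting the stack. The buffer size PATH_BUF and all function names are assumptions for illustration.

```c
/* Added example, not code from Core or IBM: the bug class the advisory
 * describes (argv copied into a fixed stack buffer with no length check in a
 * setuid-root binary) beside a bounded, fail-closed variant.  PATH_BUF and
 * the function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: strcpy() copies whatever length the caller supplied, so
 * an argument longer than PATH_BUF overwrites the saved stack frame.  Shown
 * for contrast only; nothing here calls it with long input. */
int copy_arg_unsafe(const char *arg)
{
    char path[PATH_BUF];
    strcpy(path, arg);               /* unbounded copy: the overflow */
    return (int)strlen(path);
}

/* Hardened variant: locate the terminating NUL within the buffer size before
 * copying and refuse the argument otherwise.  Returns 0 when it fits, -1 when
 * it would overflow (e.g. the advisory's "A" x 1287 or "A" x 999 inputs). */
int copy_arg_safe(const char *arg, char *out, size_t outlen)
{
    const char *nul = memchr(arg, '\0', outlen);
    if (nul == NULL)                 /* no NUL inside outlen: too long */
        return -1;
    memcpy(out, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* 1 if the argument is accepted into a PATH_BUF-sized stack buffer, else 0. */
int arg_accepted(const char *arg)
{
    char path[PATH_BUF];
    return copy_arg_safe(arg, path, sizeof path) == 0;
}

/* Constructed input mirroring the advisory's db2dart test ("A" x 1287). */
int long_arg_rejected(void)
{
    char arg[1288];
    memset(arg, 'A', 1287);
    arg[1287] = '\0';
    return arg_accepted(arg) == 0;
}
```

 The same pre-copy length check applies to any setuid program that parses argv: the bound must be enforced before the bytes reach the stack buffer, since after the copy the saved return address is already gone.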


*About Core Security Technologies*

 Core Security Technologies develops strategic security solutions for
 Fortune 1000 corporations, government agencies and military
 organizations. The company offers information security software and
 services designed to assess risk and protect and manage information
 assets.
 Headquartered in Boston, MA, Core Security Technologies can be reached
 at 617-399-6980 or on the Web at http://www.coresecurity.com.

 To learn more about CORE IMPACT, the first comprehensive penetration
 testing framework, visit:
 http://www.coresecurity.com/products/coreimpact


*DISCLAIMER:*

 The contents of this advisory are copyright (c) 2003 CORE Security
 Technologies and may be distributed freely provided that no fee is
 charged for this distribution and proper credit is given.

$Id: db2-advisory.txt,v 1.4 2003/09/18 11:05:35 carlos Exp $
