IBM DB2 Database Buffer Overflow in 'db2ckpw' Lets Local Users Gain Root Access on the System
SecurityTracker Alert ID: 1004352
SecurityTracker URL: http://securitytracker.com/id/1004352
Updated: Aug 20 2004
Original Entry Date: May 22 2002
Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6, 7
A buffer overflow vulnerability was reported in IBM's DB2 database. A local user can gain root access on the system.
IBM reported that there is a buffer overflow in the 'sqllib/security/db2ckpw' file that is used to verify usernames and passwords. A local user can supply a username that is longer than 8 characters to trigger the overflow and possibly cause arbitrary code to be executed. Because 'db2ckpw' is configured with set user id (suid) root privileges, the code will run with root level privileges.
A local user can execute arbitrary code on the system with root privileges to gain root level access on the operating system.
The vendor has released FixPaks:
For DB2, version 6, download and apply DB2 v6.1, FixPak 10 (use FixPak 10 version released after 6 March 2002).
For DB2, version 7, download and apply DB2, v7.2, FixPak 6.
These FixPaks can be downloaded from:
Vendor URL: www.ibm.com/software/data/db2/udb/
Underlying OS: UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS)
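The flaw described above comes from a set-user-id helper relying on its caller to enforce the 8-character username limit. The following C example is added here for illustration and is not IBM's code; the newline/NUL framing, the function names and the sample name `db2inst1` are assumptions. It enforces the limit inside the helper and rejects over-long input instead of truncating it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define USERNAME_MAX 8  /* limit stated in the advisory */

/* Read one newline- or NUL-terminated username from fd (assumed framing).
 * Returns its length, or -1 if it is empty, longer than USERNAME_MAX,
 * unterminated, or the read fails. On -1 the caller should abort: any
 * unread bytes are still pending on fd. */
int read_username(int fd, char out[USERNAME_MAX + 1])
{
    size_t n = 0;
    for (;;) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            break;                      /* I/O error or EOF before terminator */
        if (c == '\n' || c == '\0') {
            out[n] = '\0';
            return n > 0 ? (int)n : -1; /* empty name is rejected too */
        }
        if (n == USERNAME_MAX)
            break;                      /* ninth byte: refuse, never truncate */
        out[n++] = c;
    }
    out[0] = '\0';                      /* leave no partial name behind */
    return -1;
}

/* Feed constructed bytes to read_username() through a pipe. */
int check_bytes(const char *data, size_t len, char out[USERNAME_MAX + 1])
{
    int p[2], rc;
    if (pipe(p) != 0)
        return -1;
    rc = (write(p[1], data, len) == (ssize_t)len) ? 0 : -1;
    close(p[1]);
    if (rc == 0)
        rc = read_username(p[0], out);
    close(p[0]);
    return rc;
}

int main(void)
{
    char u[USERNAME_MAX + 1];
    printf("8 bytes: %d\n", check_bytes("db2inst1\n", 9, u));   /* constructed input */
    printf("9 bytes: %d\n", check_bytes("db2inst1X\n", 10, u)); /* constructed input */
    return 0;
}
```

The length check sits in the code that holds the privilege, so it applies no matter which program opened the file descriptor.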
Source Message Contents
Subject: IBM OAR [Other Advisories]: Buffer overflow vulnerability in DB2 for AIX, Linux, Solaris, and HP-UX
IBM Global Services
Managed Security Services
Outside Advisory Redistribution
10 MAY 2002 14:46 GMT
The MSS Outside Advisory Redistribution is designed to provide customers
IBM Managed Security Services with access to the security advisories
out by other computer security incident response teams, vendors, and
groups concerned about security.
IBM makes no representations and assumes no responsibility for the
or accuracy of the advisories themselves.
IBM MSS is forwarding the following information from IBM. Contact
information for IBM is included in the forwarded text below. Please
them if you have any questions or need further information.
----------- Forwarded Information Starts Here.
IBM SECURITY ADVISORY
Wed May 08 13:29:22 CDT 2002
VULNERABILITY: Buffer overflow vulnerability in DB2 for AIX, Linux,
Solaris, and HP-UX
PLATFORMS: DB2, versions 6 and 7, running on AIX, all versions
SOLUTION: Apply the FixPaks, listed in this Advisory
THREAT: Malicious user can gain root privileges
CERT Advisory: NONE
A security vulnerability was discovered in versions 6 and 7 of DB2 that
on IBM AIX, Linux implementations, SUN Solaris, and HP's HP-UX.
Specifically, this is a buffer overflow condition in
"db2ckpw" is an executable that runs as SUID (setuserid) root; DB2 uses
returns of this executable to verify usernames and passwords.
It takes a file descriptor as its argument and then reads username and
password information from that file descriptor. The buffer overflow
while processing the username. The db2 client is trusted to make sure
the username is 8 characters or less. By bypassing the db2 client
and sending info directly to db2ckpw, one can overflow the username
and execute arbitrary code as root.
Unauthorized privilege escalation (possibly to root) and execution of
There is no workaround.
Customers are urged to immediately obtain the appropriate FixPak listed
below and apply it to their systems.
If you are running DB2, version 6, you need to download and apply DB2
FixPak 10 (use FixPak 10 version released after 6 March 2002).
If running DB2, version 7, download and apply DB2, v7.2, FixPak 6.
These FixPaks can be downloaded from:
IV. Contact Information
Comments regarding the content of this announcement can be directed to:
To request the PGP public key that can be used to encrypt new AIX
vulnerabilities, send email to:
with a subject of "get key".
If you would like to subscribe to the AIX security newsletter, send a
to firstname.lastname@example.org with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security". To
a list of other available subscriptions, use a subject of "help".
IBM and AIX are a registered trademark of International Business
Corporation. All other trademarks are property of their respective
----------- Forwarded Information Ends Here.
IBM's Managed Security Services (MSS) is a subscription-based Internet
security response service that includes computer security incident
and management, regular electronic verification of your Internet
and security vulnerability alerts similar to this one that are tailored
your specific computing environment. By acting as an extension of your
internal security staff, IBM MSS's team of Internet security experts
you quickly detect and respond to attacks and exposures across your
As a part of IBM's Business Continuity and Recovery Service IBM's
Security Services is a component of IBM Global Services Privacy and
Services suite of offerings. To find out more about IBM Managed
Services, send an electronic mail message to email@example.com, or
IBM MSS maintains a site on the World Wide Web at
Visit the site for information about the service, copies of security
team contact information, and other items.
IBM MSS uses Pretty Good Privacy* (PGP*) as the digital signature
for security vulnerability alerts and other distributed information.
IBM MSS PGP* public key is available from
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.
IBM MSS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation
response coordination among computer security teams worldwide.
The information in this document is provided as a service to customers
IBM Managed Security Services. Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or
implied, or assumes any legal liability or responsibility for the
completeness, or usefulness of any information, apparatus, product, or
process contained herein, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by IBM or its subsidiaries. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of IBM or its subsidiaries, and may not be used for advertising or
product endorsement purposes.