Date: 22 September 2003
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0672 -- Core Security Technologies Advisory
Multiple IBM DB2 Stack Overflow Vulnerabilities
22 September 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: DB2
Publisher: Core Security Technologies
Operating System: AIX
HP-UX
Linux
Solaris
Windows
Impact: Root Compromise
Access Required: Existing Account
CVE Names: CAN-2003-0758, CAN-2003-0759
- --------------------------BEGIN INCLUDED TEXT--------------------
Core Security Technologies Advisory
http://www.coresecurity.com
Multiple IBM DB2 Stack Overflow Vulnerabilities
Date Published: 2003-09-18
Last Update: 2003-09-18
Advisory ID: CORE-2003-0531
Bugtraq ID: 8552, 8553
CVE Name: CAN-2003-0758, CAN-2003-0759
Title: Multiple IBM DB2 Stack Overflow Vulnerabilities
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: No
Locally Exploitable: Yes
Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10
Vendors contacted:
- - IBM:
. Core Notification: 2003-08-15
. Notification acknowledged by IBM: 2003-08-18
. Fixes available for [CAN-2003-0758]: 2003-08-31
. Fixes available for [CAN-2003-0759]: 2003-09-17
Release Mode: COORDINATED RELEASE
*Vulnerability Description:*
DB2 is IBM's relational database software, oriented toward the
deployment and development of e-business, business intelligence,
content management, enterprise resource planning and customer
relationship management solutions. DB2 can be deployed in
AIX, HP-UX, Linux, Solaris and Windows environments.
IBM's DB2 database ships with two vulnerable setuid binaries, db2licm
and db2dart. Both binaries contain a buffer overflow that allows a local
attacker to execute arbitrary code on the vulnerable machine with the
privileges of the root user. The overflow is triggered by passing an
overly long command line argument to either binary.
By default (in the environment available during research), the
vulnerable binaries have the following privileges (for example in the
case of db2licm):
-r-sr-x--- 1 root db2iadm1 31926 Jun 21 2002 /home/db2inst1/sqllib/adm/db2licm
-r-sr-x--- 1 root db2asgrp 31926 Jun 21 2002 /home/db2as/sqllib/adm/db2licm
In a default install each of these groups has a single member, the
owner of the corresponding instance: db2inst1 is the only user in
db2iadm1 and db2as is the only user in db2asgrp. An attacker with
access to the system through either of those accounts can therefore
escalate privileges to the root account.
*Vulnerable Packages:*
IBM DB2 Universal Database v7.2 for Linux/x86 is vulnerable.
IBM DB2 Universal Database v7.2 for Linux/s390 is vulnerable.
Other IBM DB2 versions and target platforms were not available for
testing, but may be vulnerable as well.
*Solution/Vendor Information/Workaround:*
[BID 8552, CAN-2003-0758]
The db2dart issue is fixed in Fixpak 10 for DB2 v7.2.
Fixpak 10 is available at:
http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report
[BID 8553, CAN-2003-0759]
The db2licm issue is fixed in Fixpak 10a for DB2 v7.2.
Fixpak 10a will soon be available at:
http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v7fphist.d2w/report
If Fixpak 10a is not yet listed on that page, it can be downloaded
from IBM's FTP site. For example, the 32-bit Intel Linux version of
Fixpak 10a is located at:
ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2linuxv7/FP10a_U495179
*Credits:*
This vulnerability was found by Juan Pablo Martinez Kuhn from
Core Security Technologies.
We wish to thank Juan Manuel Pascual Escriba for his cooperation
testing and confirming the vulnerabilities. We also wish to thank
Scott Logan from IBM for his quick response to this issue.
*Technical Description - Exploit/Concept Code:*
The following tests are enough to confirm that a binary is vulnerable.
Each command uses a perl one-liner to pass a single long argument to
the binary; on vulnerable binaries this produces a segmentation fault:
[BID 8552, CAN-2003-0758]
/home/db2as/sqllib/adm/db2dart `perl -e 'print "A"x1287'`
Segmentation fault
[BID 8553, CAN-2003-0759]
/home/db2as/sqllib/adm/db2licm `perl -e 'print "A"x999'`
...
User Response: Enter the name of a file that exists and can be
opened and try the command again.
Segmentation fault
...
Both binaries suffer from a simple stack-based buffer overflow.
Exploitation of the vulnerabilities is trivial. To confirm
exploitability, sample exploit code was developed for DB2 7.1 binaries
for the Linux operating system running on x86 and s390 systems.
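The overflow pattern the advisory describes, shown as an added example that is neither Core's exploit code nor IBM's source: a fixed-size stack buffer filled from argv[] with no length check, beside the bounded form that rejects oversize input before copying. The 256-byte buffer size, the function names and the probe generator are assumptions for illustration; the advisory does not give the actual buffer sizes inside db2dart or db2licm.

```c
/* Added example, not code from the advisory or from IBM. Buffer size,
 * function names and the probe helper are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF 256          /* assumed fixed stack buffer size */

/* Vulnerable shape: the argument is copied with no length check into a
 * fixed-size automatic buffer. An argument of ARG_BUF bytes or more runs
 * past the buffer into the saved frame pointer and return address, which
 * is what the "Segmentation fault" in the advisory's probes reflects.
 * Deliberately never called by main() below. */
int handle_arg_unsafe(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);                  /* BUG: unbounded copy of argv data */
    printf("checking %s\n", buf);
    return 0;
}

/* Hardened shape: measure first (without scanning past what could fit),
 * reject anything that cannot fit with its terminating NUL, and only then
 * copy. The check runs before any other work, so a setuid caller never
 * reaches the copy with oversize input. Returns 0 on success, -1 if the
 * argument is too long. */
int handle_arg_safe(const char *arg)
{
    char buf[ARG_BUF];
    size_t len = 0;
    while (len < ARG_BUF && arg[len] != '\0')
        len++;
    if (len == ARG_BUF)
        return -1;                     /* no room for the NUL terminator */
    memcpy(buf, arg, len + 1);
    printf("checking %s\n", buf);
    return 0;
}

/* Build the same probe the advisory uses (perl -e 'print "A"x N'):
 * n bytes of 'A', NUL-terminated. Caller frees the result. */
char *make_probe(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    if (handle_arg_safe(argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", ARG_BUF - 1);
        return 1;
    }
    return 0;
}
```

Compiled as is, `./a.out "$(perl -e 'print "A"x999')"` exits with "argument too long" instead of crashing; swapping `handle_arg_unsafe` into main() makes the same probe segfault, which is the check the advisory runs against the real binaries. In a setuid program the length check must come before any privileged operation, as here, and rebuilding with the compiler's stack protector adds a second line of defence but does not replace the bound.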
*About Core Security Technologies*
Core Security Technologies develops strategic security solutions for
Fortune 1000 corporations, government agencies and military
organizations. The company offers information security software and
services designed to assess risk and protect and manage information
assets.
Headquartered in Boston, MA, Core Security Technologies can be reached
at 617-399-6980 or on the Web at http://www.coresecurity.com.
To learn more about CORE IMPACT, the first comprehensive penetration
testing framework, visit:
http://www.coresecurity.com/products/coreimpact
*DISCLAIMER:*
The contents of this advisory are copyright (c) 2003 CORE Security
Technologies and may be distributed freely provided that no fee is
charged for this distribution and proper credit is given.
$Id: db2-advisory.txt,v 1.4 2003/09/18 11:05:35 carlos Exp $
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCUAwUBP26WIyh9+71yA2DNAQHcPQP46RLb2b01lS99WYS7swVoVrhKTByy8zq9
510DbsZPfdmCzP6wEmevuFCQE6l7zAzolfKYD8ZAIBDjByJwYdXqHjFpXSNizj3e
qVNO5XKeZ+lYzMakUob/srMvBStVLvXZ30f+Tgch4tbrw7eVKOHjawoNlJH0QxhR
f4AMt3+rcA==
=eKcz
-----END PGP SIGNATURE-----