CPNI - Centre for the Protection of National Infrastructure


January 2005

Two NGSSoftware Security Advisories: 1. Two vulnerabilities in IBM DB2 2. Multiple vulnerabilities in IBM DB2

ID: 00035
Ref: 31/2005
Date: 17 January 2005 15:00:57
Version: 1

Title: Two NGSSoftware Security Advisories: 1. Two vulnerabilities in IBM DB2 2. Multiple vulnerabilities in IBM DB2
Abstract:
Vendors affected: IBM
Operating systems affected: UNIX variants, Linux variants, Windows
Applications affected: IBM DB2 Universal Database 8.1 (Fixpak 7 and earlier) and 7.x (Fixpak 11 and earlier)

Title
=====

Two NGSSoftware Security Advisories:

1. Two vulnerabilities in IBM DB2

2. Multiple vulnerabilities in IBM DB2


Detail
======

1. IBM's DB2 database server contains a procedure, generate_distfile, which
suffers from a stack based buffer overflow vulnerability. It also contains a
function, rec2xml, used to format a string in XML, which suffers from a stack
based buffer overflow vulnerability.

2. Researchers at NGSSoftware have discovered multiple critical/high risk
vulnerabilities in IBM's DB2 Universal Database. Versions affected include

DB2 8.1 Fixpak 7 and earlier

IBM has updated Fixpak 6 and 7 to 6a and 7a to include fixes for these flaws.
In all, 20 vulnerabilities, mostly remotely exploitable buffer overflows, have
been addressed by the updates.

1.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================


ESB-2005.0035 -- NGSSoftware Insight Security Research Advisories
Two vulnerabilities in IBM DB2
13 January 2005

===========================================================================


Product:          IBM DB2 8.1 Fixpak 6 and earlier
                  IBM DB2 7.x Fixpak 11 and earlier
Publisher:        NGSSoftware
Operating System: UNIX variants
                  Linux variants
                  Windows
Impact:           Execute Arbitrary Code/Commands
Access:           Remote/Unauthenticated

Original Bulletin: http://www.nextgenss.com/advisory.htm

--------------------------BEGIN INCLUDED TEXT--------------------

Researchers at NGSSoftware have discovered multiple critical/high risk
vulnerabilities in IBM's DB2 Universal Database. Versions affected include

DB2 8.1 Fixpak 6 and earlier
DB2 7.x Fixpak 11 and earlier

Two of the issues, remotely exploitable buffer overflows, have been fixed in
Fixpak 7 for DB2 8.1 and Fixpak 12 for DB2 7.x. These Fixpaks were released
last week and they can be downloaded from

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

The flaws fixed in these Fixpaks equate to NGSS BUGID 98 and 101 from the
Vendor Notification Alerts - http://www.nextgenss.com/vna.htm

-------------------------------------------------------------------------------

Name: IBM DB2 generate_distfile buffer overflow
Systems Affected: DB2 8.1/7.x
Severity: High risk
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004L
Advisory URL: http://www.ngssoftware.com/advisories/db223122004L.txt

Description
***********
IBM's DB2 database server contains a procedure, generate_distfile. This
procedure suffers from a stack based buffer overflow vulnerability.

Details
*******
The generate_distfile procedure is vulnerable to a buffer overflow
vulnerability. generate_distfile is implemented as a C function, exported
by db2dbappext.dll. It takes as its third parameter the name of a file.
This parameter can be up to 255 characters long.

One of the sub functions of generate_distfile takes the third parameter,
the user supplied filename, and appends it to the directory where DB2 has
been installed. It does this by creating a 264 byte buffer on the stack.
The subfunction then calls sqloInstancePath() to get the install path for
DB2. This returns C:\PROGRA~1\IBM\SQLLIB\DB2. \tmp\ is then appended to
this. After \tmp\ is appended the user supplied filename is appended
using a while loop that continues to copy data until a NULL terminator
is found. Because the DB2 install path (C:\PROGRA~1\IBM\SQLLIB\DB2\tmp\)
takes up some of the buffer, if the user has supplied a third parameter
of 255 bytes the stack based buffer is overflowed.

However, once the buffer is overflowed, as well as overwriting the saved
return address, a pointer is also overwritten. This pointer points to a
buffer where the resulting full path should be copied to. This interrupts
a straight return address overwrite exploit; however it can still easily
be exploited in several ways. Because the attacker "owns" the pointer to
where the path is copied to, they can write arbitrary data to an arbitrary
location, allowing a full compromise. One such method would be to overwrite
the pointer to the Windows UnhandledExceptionFilter function; as access
violations aren't handled, the UEF kicks in and, as the attacker controls
the UEF, the flow of execution can be redirected by the attacker to
arbitrary code.

Note - whilst the discussion has used Windows paths, *nix versions of DB2
are also vulnerable.


Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

NGSSQuirreL for DB2 (http://www.nextgenss.com/db2.htm) can be used to
assess whether your DB2 server is vulnerable to this.

-------------------------------------------------------------------------------

Name: IBM DB2 rec2xml buffer overflow
Systems Affected: DB2 8.1/7.x
Severity: High risk
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ mark at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004J
Advisory URL: http://www.ngssoftware.com/advisories/db223122004K.txt

Description
***********
IBM's DB2 database server contains a function, rec2xml, used to format a
string in XML. This function suffers from a stack based buffer overflow
vulnerability.

Details
*******
By passing an overly long 3rd parameter to the rec2xml function a stack
based buffer can be overflowed, overwriting the saved return address on
the stack. This allows an attacker to control the flow of execution and
the opportunity to execute arbitrary code.

Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

NGSSQuirreL for DB2 (http://www.nextgenss.com/db2.htm) can be used to assess
whether your DB2 server is vulnerable to this.

-------------------------------------------------------------------------------


--------------------------END INCLUDED TEXT--------------------


iQCVAwUBQecJTyh9+71yA2DNAQK/eAP+NjA7kbU/Ww+ubvKyfJua59qfXoeiTtCu
RBoJvQIDFs+Z8r+iHbLo6aU1HQA9xBzkD+0Ulz46Zov5fFE9zaFnMgohgKCGOV/k
eceLDm+0cNHz30LZdvoErZXVhbKcC71QO31EewEWWwk4cqZbiHqWBzpI1UXErP8j
wRuglaFJcxo=
=vrEC
-----END PGP SIGNATURE-----



2.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================


ESB-2005.0036 -- NGSSoftware Insight Security Research Advisories
Multiple vulnerabilities in IBM DB2
13 January 2005

===========================================================================



Product:          IBM DB2 8.1 Fixpak 7 and earlier
                  IBM DB2 7.x
Publisher:        NGSSoftware
Operating System: UNIX variants
                  Linux variants
                  Windows
Impact:           Root Compromise
                  Execute Arbitrary Code/Commands
                  Increased Privileges
                  Denial of Service
Access:           Remote/Unauthenticated

Ref: ESB-2005.0035

Original Bulletin: http://www.nextgenss.com/advisory.htm

--------------------------BEGIN INCLUDED TEXT--------------------

Researchers at NGSSoftware have discovered multiple critical/high risk vulnerabilities
in IBM's DB2 Universal Database. Versions affected include

DB2 8.1 Fixpak 7 and earlier

IBM has updated Fixpak 6 and 7 to 6a and 7a to include fixes for these flaws.
In all, 20 vulnerabilities, mostly remotely exploitable buffer overflows, have
been addressed by the updates. The updated Fixpaks have just been released and
can be downloaded from

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html

The flaws fixed in these Fixpaks equate to NGSS BUGID 102, 103, 104, 105, 106,
107, 108, 109, 110, 111, 112, 113, 114, 115, 117, 118, 119, 120, 121 and 122
from the Vendor Notification Alerts - http://www.nextgenss.com/vna.htm.

-------------------------------------------------------------------------------

NGSSoftware Insight Security Research Advisory

Name: IBM DB2 db2fmp buffer overflow
Systems Affected: DB2 8.1/7.x
Severity: High risk from local
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005A
Advisory URL: http://www.ngssoftware.com/advisories/db205012005A.txt

Description
***********
IBM's DB2 database server suffers from a local attack whereby passing an overly
long parameter to the db2fmp binary will overflow a stack based buffer.

Details
*******
db2fmp is used for running fenced libraries. A fenced library is one that is not
loaded into the main DB2 process so in the event of an error the server is not
taken down as well. On UNIX-based versions of DB2, db2fmp is installed setuid root.
Exploiting this buffer overrun can allow a local attacker to gain root privileges.

Note - Some versions may drop root privileges before the overflow can be exploited.

Note - Whilst the overflow is present on Windows platforms it cannot be exploited
to gain elevated privileges.

Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

NGSSQuirreL for DB2 (http://www.nextgenss.com/db2.htm) can be used to assess
whether your DB2 server is vulnerable to this.

-------------------------------------------------------------------------------

Name: IBM DB2 libdb2.so.1 buffer overflow
Systems Affected: DB2 8.1/7.x
Severity: High risk from local
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005B
Advisory URL: http://www.ngssoftware.com/advisories/db205012005B.txt

Description
***********
libdb2.so.1, one of the libraries supplied with IBM's DB2 database server, suffers
from a buffer overflow vulnerability.

Details
*******
This vulnerability can be divided into two separate issues. Firstly, when libdb2.so.1
is loaded it reads the DB2LPORT environment variable and copies the value to a buffer
in the .bss section. This buffer is overflowed. By providing an overly long DB2LPORT
environment variable it fills the db2MLNPort_name buffer in the .bss section of
libdb2.so.1, then spills over into the db2node_name buffer, into the instprof_path
buffer, into the instance_path buffer and so on, all the way into the install_path buffer.
Secondly, when sqloInstancePath() reads the install_path, a local stack based buffer
in sqloGetInstancePath() is overflowed.

This can be exploited to gain root privileges. For example, db2cacpy is setuid root.
This program loads the library and calls sqloInstancePath(), overflowing the buffer.
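
The two halves of this issue, as an added example in C that is neither IBM's nor NGSSoftware's code. The five buffer names are the advisory's; their 64-byte size, the struct that keeps them adjacent (so the layout is deterministic and the demo stays inside memory it owns), the character rules assumed for a DB2LPORT value and all function names are this example's assumptions. The unbounded reader reports how many neighbouring buffers a long value reaches; the hardened reader checks the value against the one field it belongs in, and the sqloGetInstancePath()-style copy is bounded by the field size as well as by its local buffer, because a spilled install_path may no longer carry a terminator.

```c
/*
 * Added example, not IBM's or NGSSoftware's code. Models the libdb2.so.1
 * issue: an environment variable copied into a fixed .bss buffer spills into
 * the buffers laid out after it. Buffer names are the advisory's; the 64-byte
 * field size, the struct, the port character rules and the function names
 * are assumptions of this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD 64   /* assumed size of each global buffer */

/* The globals the advisory lists, in order, as one struct so the layout is
 * deterministic and the spill stays inside memory this example owns. */
struct db2_globals {
    char db2MLNPort_name[FIELD];
    char db2node_name[FIELD];
    char instprof_path[FIELD];
    char instance_path[FIELD];
    char install_path[FIELD];
};
static struct db2_globals g;

/* The vulnerable read: the value lands in the first field with no per-field
 * bound (the struct size is the only bound here, a demo guard).
 * Returns how many fields the copy reached into; 1 means it stayed home. */
int unsafe_read_port(const char *value)
{
    size_t len = strlen(value) + 1;
    if (len > sizeof g) len = sizeof g;
    memset(&g, 0, sizeof g);
    memcpy((char *)&g, value, len);   /* spills past db2MLNPort_name */
    return (int)((len + FIELD - 1) / FIELD);
}

/* Demo wrapper: a DB2LPORT value of n 'A' bytes (constructed input). */
int spill_fields_for_length(size_t n)
{
    char value[sizeof g + 1];
    if (n > sizeof g) n = sizeof g;
    memset(value, 'A', n);
    value[n] = '\0';
    return unsafe_read_port(value);
}
char node_name_first_byte(void) { return g.db2node_name[0]; }

/* Hardened read: the value is checked against the one field it belongs in and
 * against what a port value may look like (digits or a service name of
 * alphanumerics, '-' and '_': an assumption). Oversized input is an error,
 * never a write into the neighbours. */
int safe_read_port(const char *value)
{
    if (value == NULL) return -1;
    size_t len = strlen(value);
    if (len == 0 || len >= sizeof g.db2MLNPort_name) return -1;
    for (size_t i = 0; i < len; i++) {
        char c = value[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                 (c >= 'A' && c <= 'Z') || c == '-' || c == '_';
        if (!ok) return -1;
    }
    memset(g.db2MLNPort_name, 0, sizeof g.db2MLNPort_name);
    memcpy(g.db2MLNPort_name, value, len + 1);
    return 0;
}

/* Production entry point: reads DB2LPORT from the environment. */
int read_port_from_env(void) { return safe_read_port(getenv("DB2LPORT")); }

/* Models the second half, sqloGetInstancePath() copying install_path into a
 * local. After a spill install_path may lack a terminator, so the copy is
 * bounded by the field size as well as by the local's size. */
int install_path_into_local(char *out, size_t out_size)
{
    size_t n = 0;
    while (n < sizeof g.install_path && g.install_path[n] != '\0') n++;
    if (n >= out_size) return -1;
    memcpy(out, g.install_path, n);
    out[n] = '\0';
    return 0;
}
/* Demo wrapper: would the current install_path fit a local of out_size bytes? */
int install_path_fits(size_t out_size)
{
    char local[sizeof g.install_path + 1];
    if (out_size > sizeof local) out_size = sizeof local;
    return install_path_into_local(local, out_size);
}

int main(void)
{
    printf("200-byte DB2LPORT reaches %d of 5 buffers; db2node_name begins with '%c'\n",
           spill_fields_for_length(200), node_name_first_byte());
    printf("300-byte DB2LPORT reaches %d of 5 buffers; install_path fits a 32-byte local: %s\n",
           spill_fields_for_length(300), install_path_fits(32) == 0 ? "yes" : "no");
    printf("bounded read of \"50000\": %s; from the environment: %s\n",
           safe_read_port("50000") == 0 ? "ok" : "rejected",
           read_port_from_env() == 0 ? "ok" : "rejected or unset");
    return 0;
}
```

Compiled stand-alone, main() shows a 200-byte value reaching four of the five buffers and a 300-byte value reaching install_path. The setuid caller the advisory names, db2cacpy, is the reason the bound has to live in the library and not in whichever program happens to load it.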



Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

-------------------------------------------------------------------------------

Name: IBM DB2 call buffer overflow
Systems Affected: DB2 8.1/7.x
Severity: High risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005C
Advisory URL: http://www.ngssoftware.com/advisories/db205012005C.txt

Description
***********
IBM's DB2 database server suffers from a stack based buffer overflow vulnerability
when using "call".

Details
*******
Under DB2 it is possible to load a library directly and execute a function:

call libname!function

By passing an overly long libname it is possible to overflow a stack based buffer
and overwrite the saved return address. When exploited this can allow an attacker
to gain elevated privileges.


Note 1) if an attacker can place an arbitrary library on the system (and there
are ways to do this via DB2 and SQL) then there is no need to exploit this
overflow. It is sufficient simply to create the library and export a function
that takes no parameters.

Note 2) "CREATE WRAPPER" uses the same code as "CALL" and presents another vector.


Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

-------------------------------------------------------------------------------

Name: IBM DB2 JDBC Applet Server buffer overflow
Systems Affected: DB2 8.1
Severity: High risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005D
Advisory URL: http://www.ngssoftware.com/advisories/db205012005D.txt

Description
***********
IBM's DB2 JDBC Applet Server suffers from a stack based buffer overflow
vulnerability that can be exploited remotely without a user ID or password.

Details
*******
When a client connects to the JDBC applet server on TCP port 6789 it does
so using a proprietary protocol. The connection packet starts with
ValidDb2jdTokenFromTheClientSide and includes the username, the password,
the db2java.zip version and the database to connect to.

The problem arises as follows.

Firstly, an attacker attempts to authenticate to the JDBC applet server on
TCP 6789 with an overly long username of c. 2200 bytes then disconnects
gracefully.

Secondly, they reconnect, but this time send a short username but set the
db2java.zip version to something other than expected by the server. Set the
version to c. 544 unicode bytes \x00\x41.

An error is logged and at some stage the null terminator is removed and the
original username that was sent is concatenated to the db2java.zip version.

This is then copied to a stack based buffer and it overflows.


Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

-------------------------------------------------------------------------------

Name: IBM DB2 SATADMIN.SATENCRYPT buffer overflow
Systems Affected: DB2 8.1
Severity: Medium risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005E
Advisory URL: http://www.ngssoftware.com/advisories/db205012005E.txt

Description
***********
IBM's DB2 database server, when configured for Satellite Administration
includes a number of SQL functions. One of these, the SATENCRYPT function
suffers from a stack based buffer overflow vulnerability.

Details
*******
The SATENCRYPT function in the SATADMIN schema is vulnerable to a classic
stack based overflow. The satencrypt function is exported by db2prom.dll
and one of its subfunctions creates a 40 byte buffer. User supplied data
is copied to the buffer in a while loop until a null terminator is reached.
Passing a parameter longer than 40 bytes allows the attacker to overflow
the buffer and overwrite the saved return address. By exploiting this an
attacker can gain elevated privileges.

Note - by default, public cannot execute this function.
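
The copy idiom behind this overflow, the generate_distfile overflow in the first advisory above and the rec2xml one, as an added example in C that is neither IBM's nor NGSSoftware's code. The install path, the 255-byte parameter limit and the 264-byte and 40-byte buffers are the figures the advisories give; the function names and the scratch arena (which lets the unbounded loop run without corrupting a real stack frame) are assumptions of this example. The unsafe path builder reports how many bytes the NUL-terminated loop produces, and the hardened forms carry the destination size with the buffer and refuse oversized input rather than truncating it.

```c
/*
 * Added example, not IBM's or NGSSoftware's code. Models the copy idiom
 * behind the generate_distfile, rec2xml and SATENCRYPT overflows: a caller's
 * parameter copied into a fixed-size stack buffer by a loop that stops only
 * at the NUL terminator. Install path and sizes are the advisories'; function
 * names and the scratch arena are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define DISTFILE_FRAME   264   /* stack buffer in the generate_distfile helper */
#define SATENCRYPT_FRAME 40    /* stack buffer in the SATENCRYPT helper */
#define MAX_PARAM        255   /* longest third parameter generate_distfile accepts */

static const char INSTALL_PATH[] = "C:\\PROGRA~1\\IBM\\SQLLIB\\DB2";
static const char TMP_SUBDIR[]   = "\\tmp\\";

static char g_arena[1024];            /* lets the unbounded loop run without harm */
static char g_frame[DISTFILE_FRAME];  /* stands in for the real 264-byte frame */

/* Demo helper: a parameter of n identical bytes (constructed input, static storage). */
const char *fill(char c, size_t n)
{
    static char buf[512];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, c, n);
    buf[n] = '\0';
    return buf;
}

/* The vulnerable idiom: copy until NUL, blind to the destination's size.
 * Returns bytes written, terminator included. */
static size_t copy_until_nul(char *dst, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0') { dst[n] = src[n]; n++; }
    dst[n++] = '\0';
    return n;
}

/* Models the generate_distfile sub-function: install path + "\tmp\" + name.
 * Returns how many bytes the unbounded copy produced; anything above
 * DISTFILE_FRAME would have run past the real buffer into the saved return
 * address and destination pointer the advisory describes. */
size_t unsafe_distfile_bytes(const char *filename)
{
    if (strlen(INSTALL_PATH) + strlen(TMP_SUBDIR) + strlen(filename) + 1 > sizeof g_arena)
        return 0;                              /* demo guard only */
    size_t n = copy_until_nul(g_arena, INSTALL_PATH) - 1;
    n += copy_until_nul(g_arena + n, TMP_SUBDIR) - 1;
    n += copy_until_nul(g_arena + n, filename);
    return n;
}

/* Hardened join: the size travels with the buffer and an oversized input is
 * refused, not silently truncated (a truncated path is a different bug). */
int safe_join_path(char *dst, size_t dst_size, const char *filename)
{
    size_t need = strlen(INSTALL_PATH) + strlen(TMP_SUBDIR) + strlen(filename) + 1;
    if (filename[0] == '\0' || need > dst_size)
        return -1;
    int r = snprintf(dst, dst_size, "%s%s%s", INSTALL_PATH, TMP_SUBDIR, filename);
    return (r < 0 || (size_t)r >= dst_size) ? -1 : 0;
}

/* The same join into the modelled 264-byte frame; distfile_frame() reads it back. */
int build_distfile_path(const char *filename)
{
    return safe_join_path(g_frame, sizeof g_frame, filename);
}
const char *distfile_frame(void) { return g_frame; }

/* Bounded replacement for the bare parameter copy in SATENCRYPT and rec2xml. */
int safe_copy_param(char *dst, size_t dst_size, const char *param)
{
    size_t len = strlen(param);
    if (len + 1 > dst_size)
        return -1;
    memcpy(dst, param, len + 1);
    return 0;
}

/* SATENCRYPT shape: the parameter lands in a 40-byte local, now bounded. */
int satencrypt_accepts(const char *param)
{
    char local[SATENCRYPT_FRAME];
    return safe_copy_param(local, sizeof local, param);
}

/* Does a param_len-byte parameter behind prefix_len bytes of fixed text overrun
 * a frame_size-byte buffer under the unbounded idiom?  With the 31-byte prefix
 * above, anything over 232 bytes overruns 264; with no prefix, a 40-byte
 * parameter plus its terminator already overruns 40. */
int overruns_frame(size_t prefix_len, size_t param_len, size_t frame_size)
{
    return prefix_len + param_len + 1 > frame_size;
}

int main(void)
{
    printf("255-byte name, unbounded copy: %zu bytes into a %d-byte frame\n",
           unsafe_distfile_bytes(fill('A', MAX_PARAM)), DISTFILE_FRAME);
    printf("255-byte name, bounded join:   %s\n",
           build_distfile_path(fill('A', MAX_PARAM)) == 0 ? "ok" : "rejected");
    printf("\"dist.txt\", bounded join:      %s\n",
           build_distfile_path("dist.txt") == 0 ? distfile_frame() : "rejected");
    printf("40-byte SATENCRYPT parameter:  %s\n",
           satencrypt_accepts(fill('B', 40)) == 0 ? "ok" : "rejected");
    return 0;
}
```

The advisories' figures fall out directly: the fixed prefix C:\PROGRA~1\IBM\SQLLIB\DB2\tmp\ is 31 bytes, so a third parameter of 233 bytes or more exceeds the 264-byte frame, and the 255-byte maximum writes 287 bytes, 23 past its end; the advisory places the saved return address and the destination pointer in that region. For SATENCRYPT there is no prefix, and a 40-byte parameter plus its terminator already exceeds the 40-byte buffer.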


Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

-------------------------------------------------------------------------------

Name: IBM DB2 Windows Permission Problems
Systems Affected: DB2 8.1
Severity: High risk from local
Vendor URL: http://www.ibm.com/
Author: Chris Anley [ chris at ngssoftware.com ]
Relates to: http://www.ngssoftware.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005F
Advisory URL: http://www.ngssoftware.com/advisories/db205012005F.txt

Description
***********

Almost all shared memory sections and events in the Windows version of DB2
have weak permissions; all sections can be read and written by Everyone, and
all events can be set and waited on by Everyone. This results in a number of
security issues relating to the privileges of local users.

Details
*******

The numbers below are NGS BUGID reference numbers mentioned in
http://www.ngssoftware.com/advisories/db2-02.txt

107) Depending on the server's authentication mode, any user can read plaintext
windows usernames and passwords from the 'DB2SHMSECURITYSERVICE' section.
If the authentication mode is 'client', the username and password combinations
for all client connections can be read from this section.

The data in this section persists until another connection is made.

108) Any user can shut down DB2, by setting the event named 'DB2SHUTDOWNSEM'+ pid,
for example

DB2SHUTDOWNSEM000002ec

109) Any user can deny service to the "DB2 Security Server" by writing non-zero values
to the section 'DB2SHMSECURITYSERVICE', followed by setting the security service
'input' event, to make the service read the input data:

DB2NTSECURITYINPUT

The service will then crash.

110) Any user can read potentially sensitive query and/or query result data
from a number of shared memory sections. The following sections are marked
readable by 'Everybody'

section read DB20QM
section read DB2GLBQ0QM
section read DB2SHMDB2_0APP
section read DB2SHMDB2_0APL00000003
section read DB2SHMDB2_0APL00000004
section read DB2SHMDB2_0APL00000005
...etc

111) After writing to the world-writeable section 'DB20QM':

section write DB20QM

... the DB2 'command line processor' will not run, nor will the 'command center';
the server has effectively been denied service.

Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

-------------------------------------------------------------------------------

Name: IBM DB2 to_char and to_date Denial Of Service
Systems Affected: DB2 8.1
Severity: High risk from local
Vendor URL: http://www.ibm.com/
Author: Chris Anley [ chris at ngssoftware.com ]
Relates to: http://www.ngssoftware.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005G
Advisory URL: http://www.ngssoftware.com/advisories/db205012005G.txt

Description
***********
IBM DB2 is vulnerable to Denial of Service conditions when processing
certain function calls.

Details
*******
The numbers below are NGS BUGID reference numbers mentioned in
http://www.ngssoftware.com/advisories/db2-02.txt

112) If the to_char function is called with an empty string for its second parameter,
DB2 dereferences a null pointer and terminates:

select to_char('aaa','') from sysibm.sysdummy1

113) If the to_date function is called with an empty string for its second parameter,
DB2 dereferences a null pointer and terminates:

select to_date('aaa', '') from sysibm.sysdummy1

In both cases, DB2 must be restarted in order to restore normal functionality.

Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

-------------------------------------------------------------------------------

Name: IBM DB2 XML functions overflows
Systems Affected: DB2 8.1
Severity: High risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005H
Advisory URL: http://www.ngssoftware.com/advisories/db205012005H.txt

Description
***********
IBM's DB2 database server contains four XML functions that suffer from stack based
buffer overflow vulnerabilities.

Details
*******
The xmlvarcharfromfile function suffers from a buffer overflow vulnerability. When,
and only when, 94 bytes are supplied for the second argument, a pointer to the user
supplied string is written over the saved return address, so when ucnv_open_2_0 (in
db2xmlfn.dll) returns it does so into the string. This allows an attacker to run
arbitrary code and elevate privileges.

The xmlclobfromfile, xmlfilefromvarchar and xmlfilefromclob functions are also vulnerable.


Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

-------------------------------------------------------------------------------

Name: IBM DB2 XML functions file creation vulnerabilities
Systems Affected: DB2 8.1
Severity: High risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005I
Advisory URL: http://www.ngssoftware.com/advisories/db205012005I.txt

Description
***********
IBM's DB2 database server contains four XML functions that can be used to
read and write files on the system.

Details
*******
The XMLFileFromVarchar and XMLFileFromClob functions can be used to create
files on the remote server. If the file exists the original is overwritten
with the new content. The permissions of the account running DB2 are used,
not those of the user. This vulnerability can be used to create executable
binaries on the remote server as well. An attacker could create a library,
for example, and then load it via "CALL".

The XMLVarcharFromFile and XMLClobFromFile functions can be used to read files
from the remote server.
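
The checks a practitioner would want in front of both "CALL libname!function" (the call overflow advisory above, with its note that a planted library needs no overflow at all) and the XMLFileFromVarchar/XMLFileFromClob writes described here, as an added example in C that is neither IBM's nor NGSSoftware's code. DB2's real name resolution is not reproduced: the two directories, the 64-byte name limit, the character allow-list and every function name are assumptions of this example. The point it makes is that the library directory and the export directory must be distinct and that neither side accepts a separator or a ".." component; otherwise the file-writing function plants the library and CALL loads it, which is exactly the chain the advisory describes.

```c
/*
 * Added example, not IBM's or NGSSoftware's code. The input checks a
 * practitioner would place in front of "CALL libname!function" and the
 * XMLFileFromVarchar/XMLFileFromClob style of file-writing function.
 * DB2's own name resolution is not reproduced; both directories, the
 * limits and the function names are assumptions of this example.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_NAME     64    /* assumed limit for a library or file base name */
#define MAX_PATH_OUT 256   /* assumed size of the resolved-path buffer */

/* Assumed locations. They are deliberately different: a file-writing function
 * must never be able to drop a library where CALL will load it from. */
static const char FENCED_LIB_DIR[] = "/home/db2inst1/sqllib/function/";
static const char XML_EXPORT_DIR[] = "/home/db2inst1/export/";

/* A plain name: non-empty, within the limit, made of alphanumerics, '_', '-'
 * and '.', and not the "." or ".." directory entries. Separators of either
 * convention ('/' and '\') fail the allow-list, so traversal never starts. */
int is_plain_name(const char *name, size_t max_len)
{
    size_t len = strlen(name);
    if (len == 0 || len > max_len) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Splits "libname!function" as the advisory writes it and validates both
 * halves before anything is resolved or loaded. */
int parse_call_target(const char *spec, char *lib, size_t lib_size,
                      char *func, size_t func_size)
{
    const char *bang = strchr(spec, '!');
    if (bang == NULL) return -1;
    size_t lib_len = (size_t)(bang - spec);
    const char *fn = bang + 1;
    if (lib_len >= lib_size || strlen(fn) >= func_size) return -1;
    memcpy(lib, spec, lib_len);
    lib[lib_len] = '\0';
    memcpy(func, fn, strlen(fn) + 1);
    if (!is_plain_name(lib, MAX_NAME) || !is_plain_name(func, MAX_NAME)) return -1;
    if (strchr(func, '.') != NULL) return -1;   /* symbol names carry no dots */
    return 0;
}

/* Bounded join of a validated name under a fixed directory; refuses rather
 * than truncates when the result would not fit. */
int resolve_under(const char *dir, const char *name, char *out, size_t out_size)
{
    if (!is_plain_name(name, MAX_NAME)) return -1;
    int r = snprintf(out, out_size, "%s%s", dir, name);
    return (r < 0 || (size_t)r >= out_size) ? -1 : 0;
}

/* The library a CALL target may load, or NULL if the target is rejected. */
const char *call_library_path(const char *spec)
{
    static char out[MAX_PATH_OUT];
    char lib[MAX_NAME + 1], func[MAX_NAME + 1];
    if (parse_call_target(spec, lib, sizeof lib, func, sizeof func) != 0) return NULL;
    return resolve_under(FENCED_LIB_DIR, lib, out, sizeof out) == 0 ? out : NULL;
}

/* The file an XMLFileFrom* style write may create, or NULL if rejected. */
const char *xml_export_path(const char *name)
{
    static char out[MAX_PATH_OUT];
    return resolve_under(XML_EXPORT_DIR, name, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    const char *targets[] = { "mylib!entry", "../../tmp/evil!run", "/tmp/evil.so!run", "mylib!" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        const char *p = call_library_path(targets[i]);
        printf("CALL %-22s -> %s\n", targets[i], p ? p : "rejected");
    }
    const char *files[] = { "report.xml", "..", "sub/report.xml", "C:\\evil.dll" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        const char *p = xml_export_path(files[i]);
        printf("XML  %-22s -> %s\n", files[i], p ? p : "rejected");
    }
    return 0;
}
```

Validating the name is only half of it: the DB2 service account must not have write access to the library directory, since the XML writes run with that account's permissions and not the SQL user's, and CALL privileges should not be granted to PUBLIC.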

Fix Information
***************
IBM has written a patch, which can be obtained with the latest Fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

-------------------------------------------------------------------------------


--------------------------END INCLUDED TEXT--------------------


iQCVAwUBQecUPSh9+71yA2DNAQJG3wQAksi/DOI2VYkCOnVtRw8wGJ0K2NBl/lwP
uy0oiUpgY/+2X/+ZGdUDYcDaAuVsjUCNfxGa9vYeyEoX2NJFMoVDWARc5p7RIaew
Rp+OKXadhUfoT+cIjiBEAHScAXjZ0yzgbcJfFrbgj2IatHdjIyaWLumg9PZshNpU
4zJcgHUxiaM=
=Ntz+
-----END PGP SIGNATURE-----