[UNIX] IBM DB2 Universal Database Multiple Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



IBM DB2 Universal Database Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

IBM Corp.'s <http://ibm.com/db2/> DB2 Universal Database product is "a
large database server product commonly used for high end databases".
Multiple vulnerabilities have been found in IBM's DB2 Universal database
product.

DETAILS

Vulnerable Systems:
* IBM Corp.'s DB2 Universal Database version 9.1 Fix Pack 2 and prior

IBM DB2 Universal Database buildDasPaths Buffer Overflow Vulnerability
Local exploitation of a buffer overflow vulnerability in IBM Corp.'s DB2
Universal Database could allow attackers to elevate privileges to the
superuser.

This vulnerability specifically exists due to insufficient validation of
the length of attacker supplied data. When an attacker specifies a
specially crafted string via certain environment variables, the string is
copied into a static sized buffer stored on the stack. By supplying too
much data, an attacker can overflow the buffer and overwrite stack-stored
execution control structures resulting in arbitrary code execution.

Analysis:
Exploitation allows local attackers to gain root privileges.

Non-executable memory technology such as PaX, DEP, exec-shield, or other
NX or XD technology, can help prevent against exploitation of this type
vulnerability.

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4276>
CVE-2007-4276

IBM DB2 Universal Database Multiple Untrusted Search Path Vulnerabilities
Local exploitation of multiple untrusted search path vulnerabilities in
IBM Corp.'s DB2 Universal Database could allow attackers to elevate
privileges to the superuser.

These vulnerabilities exist due to the execution of binaries or loading of
libraries within untrusted paths. In each case, the path to a binary or
library is generated based on an environment variable that is under
attacker control. Additionally, the files to be executed or loaded are
located in a directory under attacker control.

Analysis:
Exploitation allows local attackers to gain root privileges.

In cases where programs are executed, an attacker need only create a
specially crafted environment and file structure. In cases where a library
is loaded, creating a library containing a specially crafted
initialization section is sufficient.

In order to exploit some of these vulnerabilities, the attacker must be a
member of the "db2grp1" or a group corresponding with an installed DB2
instance.

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4275>
CVE-2007-4275

IBM DB2 Universal Database Directory Creation Vulnerability
Local exploitation of a directory creation vulnerability in IBM Corp.'s
DB2 Universal Database could allow attackers to elevate privileges to the
superuser.

This vulnerability exists due to insecure directory creation within
setuid-binaries included with DB2. While creating specific directory
structures, attacker created symbolic links will be followed. This allows
world-writable directories to be created anywhere on the file system.

Analysis:
Exploitation allows local attackers to gain root privileges.

In order to execute arbitrary code, an attacker could create a
world-writable locale directory. By creating a specially crafted localized
message file, the attacker can cause a format string of their choosing to
be passed to a function in the printf(3) family. Using known format string
exploitation techniques, an attacker can then execute arbitrary code as
root. This should not be considered the only way to gain root privileges
with this vulnerability. However, iDefense has confirmed this method in
lab tests.

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4273>
CVE-2007-4273

IBM DB2 Universal Database Multiple File Creation Vulnerabilities
Local exploitation of multiple file creation vulnerabilities in IBM
Corp.'s DB2 Universal Database could allow attackers to elevate
privileges to the superuser.

These vulnerabilities are due to insufficient checking being performed
while handling files with elevated privileges. By setting certain
combinations of environment variables, an attacker is able to create or
append to arbitrary files on the system.

Analysis:
Exploitation allows local attackers to gain root privileges.

In at least one case, the attacker's umask will be honored when creating
files. In this case, the attacker could create world-writable root-owned
files anywhere on the system. By targeting specific system files, such as
/etc/ld.so.preload or various cron data file locations, an attacker could
execute arbitrary code with superuser privileges.

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4272>
CVE-2007-4272

IBM DB2 Universal Database Directory Traversal Vulnerability
Local exploitation of a directory traversal vulnerability in IBM Corp.'s
DB2 Universal Database allows attackers to cause a denial of service (DoS)
condition or elevate privileges to root.

Some DB2 binaries that are installed setuid-root will save event
information to a log file. When creating the full path to the destination
file, an environment variable is concatenated with "/tmp/". Since there is
no checking for path traversal strings, such as "../", within the
environment variable, an attacker is able to create arbitrary files on the
system.

Analysis:
Exploitation allows local attackers to gain root privileges.

It should be noted that attackers do not appear to have any control over
the contents of the data written. As such, privilege escalation can occur
in combination with a vulnerability that relies on the ability to create a
specially crafted file name. Denying service to the machine is trivial by
writing to /etc/nologin or corrupting other critical system files.

Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix
Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system.
All prior versions, as well as builds for other UNIX-based operating
systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4271>
CVE-2007-4271

IBM DB2 Universal Database Multiple Race Condition Vulnerabilities
Local exploitation of multiple race condition vulnerabilities in IBM
Corp.'s DB2 Universal Database could allow attackers to elevate
privileges to the superuser.

These vulnerabilities are due to insufficient checking being performed
while handling files with elevated privileges. In each case, a race
condition exists between a check to see if an existing file is a symbolic
link and modifying it. By quickly and repeatedly removing and recreating
the file as a symbolic link, an attacker could modify arbitrary files with
root privileges.

Analysis:
Exploitation allows local attackers to gain root privileges.

Depending on the specific vulnerability, the attacker may have little or
no control over the contents of data written to the file. In most cases,
this does not significantly impact exploitation since file permissions
allow the file to be written to by the attacker.

Detection:
iDefense confirmed the existence of these vulnerabilities in version 9.1
Fix Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux
system. All prior versions, as well as builds for other UNIX-based
operating systems, are suspected to be vulnerable.

Workaround:
Setting more strict permissions on the DB2 instance directory can help
mitigate some of these vulnerabilities. Removing the setuid-bit from all
programs included with DB2 can also help mitigate exposure. Note, these
configuration changes have not been thoroughly tested and may cause
adverse behavior.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4270>
CVE-2007-4270

Vendor response:
IBM Corp. has addressed these vulnerabilities by releasing V9 Fix Pack 3
and version V8 FixPak 15 of its Universal Database product. More
information can be found at the following URLs.

V8: <http://www-1.ibm.com/support/docview.wss?uid=swg21256235>
http://www-1.ibm.com/support/docview.wss?uid=swg21256235
V9: <http://www-1.ibm.com/support/docview.wss?uid=swg21255572>
http://www-1.ibm.com/support/docview.wss?uid=swg21255572


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=578>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=578,
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=579,
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580,

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=581,

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=582
and

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=583



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages