[VulnWatch] SRT2003-11-06-0710 - IBM DB2 Multiple local security issues

From: KF (dotslash_at_snosoft.com)
Date: 11/08/03

  • Next message: Michael Scheidell: "[VulnWatch] Symbol Technologies Default WEP KEYS Vulnerability"
    Date: Sat, 08 Nov 2003 11:38:25 -0500
    To: vulnwatch@vulnwatch.org
    
    
    

    Full details on this issue are available on our website. There will be
    no forced pdf files, and we have removed the java applet that so many of
    you complained about.Registration is still necessary for indepth detail
    on this issue. I have also attempted to stop the cross posting to the
    mailing lists.

    -KF

    
    

    Secure Network Operations, Inc. http://www.secnetops.com/research
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    To learn more about our company, products and services or to request a
    demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
    call us at: 978-263-3829

    Quick Summary:
    ************************************************************************
    Advisory Number : SRT2003-11-06-0710
    Product : IBM DB2 UDB v8.1
    Version : versions v7 and v8
    Vendor : http://www-3.ibm.com/software/data/db2/
    Class : Local
    Criticality : High
    Operating System(s) : *nix

    Notice
    ************************************************************************
    The full technical details of this vulnerability can be found at:
    http://www.secnetops.com under the research section.

    Basic Explanation
    ************************************************************************
    High Level Description : DB2 contains multiple local security issues.
    What to do : Apply v7fp11 (late November) and v8fp4.

    Basic Technical Details
    ************************************************************************
    Proof Of Concept Status : SNO has not yet created proof of concept.

    Low Level Description : DB2 UDB version 8.1 for Linux and Unix contains
    several local buffer overflows and format strings conditions. Our tests were
    performed against DB2 on linux as installed from 009_ESE_LNX_32_NLV.tar.
    Other unix variants may be affected in a similar manor.

    Depending on the options selected the DB2 installer *may* ask you to add
    several users to your machine. You are instructed to either add a new user
    or choose an existing username. These are the users I added for testing:

    dasusr:x:501:501::/home/dasusr:/bin/bash
    db2inst1:x:502:502::/home/db2inst1:/bin/bash
    db2fenc1:x:503:503::/home/db2fenc1:/bin/bash

    The above usernames *may* be used in several setuid applications included
    with DB2. The conditions we found are associated with the Instance user
    db2inst1.

    The following binaries contain multiple security issues in the form of both
    format strings issues and buffer overflows.

    -r-sr-s--x 1 root db2inst1 38044 Oct 11 07:26 db2start
    -r-sr-s--x 1 root db2inst1 84713 Oct 11 07:26 db2stop
    -r-sr-s--x 1 db2inst1 db2inst1 141857 Oct 11 07:26 db2govd

    Full details on the overflows and format strings conditions can be located
    at http://www.secnetops.com/research/advisories/SRT2003-11-06-0710.txt

    Workaround: chmod -s the above mentioned binaries or use vendor patches.

    Vendor Status : IBM has promptly attended to the issues at hand
    Fixpak 4 for v8 is available now at http://www-3.ibm.com/cgi-bin/db2www
    /data/db2/udb/winos2unix/support/download.d2w/report (wordwrapped). Fixpak
    11 for v7 should be ready late november and will contain the equivalent fixes.

    Bugtraq URL : To be assigned.
    Disclaimer
    ----------------------------------------------------------------------
    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories but can be obtained under contract.. Contact our sales
    department at sales@secnetops.com for further information on how to
    obtain proof of concept code.

    ----------------------------------------------------------------------
    Secure Network Operations, Inc. || http://www.secnetops.com
    "Embracing the future of technology, protecting you."

     


  • Next message: Michael Scheidell: "[VulnWatch] Symbol Technologies Default WEP KEYS Vulnerability"

    Relevant Pages