[VulnWatch] IBM DB2 Remote Command Execution Privilege Upgrade (#NISR09032004)

From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: 03/09/04

  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue"
    To: <bugtraq@securityfocus.com>, <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, <vulnwatch@vulnwatch.org>
    Date: Tue, 9 Mar 2004 14:28:06 -0000
    
    

    NGSSoftware Insight Security Research Advisory

    Name: IBM DB2 Remote Command Execution Privilege Upgrade
    Systems Affected: DB2 8.1 Enterprise Edition on Windows
    Severity: High/Low depending on environment
    Vendor URL: http://www.ibm.com/
    Author: David Litchfield [ david@ngssoftware.com ]
    Date Vendor Notified: 6th September 2003
    Date of Public Advisory: 9th March 2004
    Advisory number: #NISR09032004
    Advisory URL: http://www.ngssoftware.com/advisories/db2rmtcmd.txt

    Description
    ***********
    IBM's DB2 is the market share leader for database server software. One of
    the components, the Remote Command Server, contains a vulnerability that can
    allow attackers to gain administrative privileges on the server running DB2.

    Details
    *******
    DB2 with the Remote Command Server, DB2RCMD.EXE, listens on a named pipe
    DB2REMOTECMD and executes commands sent through it. When a connection is
    made to the pipe a new process is created, namely db2rcmdc.exe, and this
    executes the command. Whilst a valid Windows user id and password are
    required the command executes with the privileges of the "db2admin" account
    which is an administrator.

    This essentially means that even a low privileged "Guest" account can run
    commands remotely with administrative privileges. This can lead to a
    compromise of the server running DB2.

    Fix Information
    ***************
    IDM have included a fix for this problem in Fixpak 5 -
    http://www-306.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8fphist.d2w/report .
    The APAR for this specific issue is IY53894 -
    http://www-306.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/aparlib.d2w/display_apar_details?aparno=IY53894 .

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com


  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue"

    Relevant Pages

    • IBM DB2 Remote Command Execution Privilege Upgrade (#NISR09032004)
      ... IBM DB2 Remote Command Execution Privilege Upgrade ... allow attackers to gain administrative privileges on the server running DB2. ...
      (NT-Bugtraq)
    • IBM DB2 Remote Command Execution Privilege Upgrade (#NISR09032004)
      ... IBM DB2 Remote Command Execution Privilege Upgrade ... allow attackers to gain administrative privileges on the server running DB2. ...
      (Bugtraq)
    • Re: COBOL stored procedure for DB2
      ... Regarding how you precompile the app, you must specify target mfcob to db2 prep, rather than target ibmcob. ... Have you also confirmed that, prior to executing the CALL statement, the host variables specified within the client app have the appropriate values? ... MODIFIES SQL DATA ... confirm the cob command used for creating the SP module. ...
      (comp.lang.cobol)
    • Re: DFHUTILB and DFHUPROC
      ... The DSN command name needs to be available to your TSO session, either Batch ... This is documented in the DB2 manuals. ... CREATE STOGROUP CHELGRP ...
      (bit.listserv.ibm-main)
    • Re: DB2 controlfiles und passwordfiles ?
      ... Welches OS und welche DB2 setzt du denn ein? ... Command Line Processor for DB2 SDK 8.2.0 ... You can issue database manager commands and SQL statements from the ... db2 => connect to sample ...
      (de.comp.datenbanken.misc)