Date: Sat, 08 Nov 2003 11:38:29 -0500
From: KF <dotslash@snosoft.com.>
To: [email protected]Subject: SRT2003-11-06-0710 - IBM DB2 Multiple local security issues
--------------030900020209050509050508
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Full details on this issue are available on our website. There will be
no forced pdf files, and we have removed the java applet that so many of
you complained about. Registration is still necessary for indepth detail
on this issue. I have also attempted to stop the cross posting to the
mailing lists.
-KF
--------------030900020209050509050508
Content-Type: text/plain;
name="_SRT2003-11-06-0710.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="_SRT2003-11-06-0710.txt"
Secure Network Operations, Inc. http://www.secnetops.com/research
Strategic Reconnaissance Team [email protected]
Team Lead Contact [email protected]
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
To learn more about our company, products and services or to request a
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
call us at: 978-263-3829
Quick Summary:
************************************************************************
Advisory Number : SRT2003-11-06-0710
Product : IBM DB2 UDB v8.1
Version : versions v7 and v8
Vendor : http://www-3.ibm.com/software/data/db2/
Class : Local
Criticality : High
Operating System(s) : *nix
Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section.
Basic Explanation
************************************************************************
High Level Description : DB2 contains multiple local security issues.
What to do : Apply v7fp11 (late November) and v8fp4.
Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has not yet created proof of concept.
Low Level Description : DB2 UDB version 8.1 for Linux and Unix contains
several local buffer overflows and format strings conditions. Our tests were
performed against DB2 on linux as installed from 009_ESE_LNX_32_NLV.tar.
Other unix variants may be affected in a similar manor.
Depending on the options selected the DB2 installer *may* ask you to add
several users to your machine. You are instructed to either add a new user
or choose an existing username. These are the users I added for testing:
dasusr:x:501:501::/home/dasusr:/bin/bash
db2inst1:x:502:502::/home/db2inst1:/bin/bash
db2fenc1:x:503:503::/home/db2fenc1:/bin/bash
The above usernames *may* be used in several setuid applications included
with DB2. The conditions we found are associated with the Instance user
db2inst1.
The following binaries contain multiple security issues in the form of both
format strings issues and buffer overflows.
-r-sr-s--x 1 root db2inst1 38044 Oct 11 07:26 db2start
-r-sr-s--x 1 root db2inst1 84713 Oct 11 07:26 db2stop
-r-sr-s--x 1 db2inst1 db2inst1 141857 Oct 11 07:26 db2govd
Full details on the overflows and format strings conditions can be located
at http://www.secnetops.com/research/advisories/SRT2003-11-06-0710.txt
Workaround: chmod -s the above mentioned binaries or use vendor patches.
Vendor Status : IBM has promptly attended to the issues at hand
Fixpak 4 for v8 is available now at http://www-3.ibm.com/cgi-bin/db2www
/data/db2/udb/winos2unix/support/download.d2w/report (wordwrapped). Fixpak
11 for v7 should be ready late november and will contain the equivalent fixes.
Bugtraq URL : To be assigned.
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract.. Contact our sales
department at [email protected] for further information on how to
obtain proof of concept code.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."
--------------030900020209050509050508--