Credit:
The information has been provided by iDefense Labs Security Advisories.
The original articles can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=578
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=579
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=581
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=582
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=583
Vulnerable Systems:
* IBM Corp.'s DB2 Universal Database version 9.1 Fix Pack 2 and prior
IBM DB2 Universal Database buildDasPaths Buffer Overflow Vulnerability
Local exploitation of a buffer overflow vulnerability in IBM Corp.'s DB2 Universal Database could allow attackers to elevate privileges to the superuser.
This vulnerability specifically exists due to insufficient validation of the length of attacker supplied data. When an attacker specifies a specially crafted string via certain environment variables, the string is copied into a static sized buffer stored on the stack. By supplying too much data, an attacker can overflow the buffer and overwrite stack-stored execution control structures resulting in arbitrary code execution.
Analysis:
Exploitation allows local attackers to gain root privileges.
Non-executable memory technology such as PaX, DEP, exec-shield, or other NX or XD technology can help prevent exploitation of this type of vulnerability.
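The advisory describes an environment value copied into a fixed-size stack buffer with no length check. The added example below is not iDefense or IBM code; the buffer size, the "/home/" prefix and the function names are assumptions made for illustration. It places the unbounded copy pattern beside a bounded builder that refuses, rather than silently truncates, any value that does not fit together with its terminating NUL.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer standing in for the static stack buffer
 * the advisory describes; the real size used by DB2 is not known. */
#define PATH_BUF_LEN 64

/* Vulnerable pattern: the environment value is appended without a length
 * check, so a value longer than the buffer overwrites whatever follows it
 * on the stack. Shown for contrast only; never call it with untrusted
 * input. */
void build_path_unbounded(char *out, const char *value)
{
    strcpy(out, "/home/");   /* fixed prefix (assumed) */
    strcat(out, value);      /* no bound: overflows when value is long */
}

/* Hardened pattern: snprintf never writes past outsz, and a return value
 * of outsz or more means the result would have been truncated, which is
 * treated as an error rather than used. Returns 0 on success, -1 when the
 * value is missing or too long. */
int build_path_bounded(char *out, size_t outsz, const char *value)
{
    if (value == NULL || outsz == 0)
        return -1;
    int n = snprintf(out, outsz, "/home/%s", value);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';       /* do not leave a half-built path behind */
        return -1;
    }
    return 0;
}

/* Builds the path into a fixed stack buffer the way a privileged program
 * would, but through the bounded builder. Returns 0 if the path was
 * built, -1 if the value was rejected. */
int check_env_value(const char *value)
{
    char path[PATH_BUF_LEN];
    return build_path_bounded(path, sizeof path, value);
}

int main(void)
{
    /* Constructed sample value; in DB2 it would come from getenv(). */
    const char *value = getenv("DEMO_INSTANCE");
    if (value == NULL)
        value = "db2inst1";
    printf("%s: %s\n", value, check_env_value(value) == 0 ? "ok" : "rejected");
    return 0;
}
```

The important design choice is the `>= outsz` test: snprintf reports the length the full string would have had, so the caller learns that truncation happened and can refuse the input, whereas strncpy-style copies quietly produce a different path than the one requested.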
Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system. All prior versions, as well as builds for other UNIX-based operating systems, are suspected to be vulnerable.
Workaround:
Setting stricter permissions on the DB2 instance directory can help mitigate some of these vulnerabilities. Removing the setuid bit from all programs included with DB2 can also help mitigate exposure. Note that these configuration changes have not been thoroughly tested and may cause adverse behavior.
CVE Information:
CVE-2007-4276
IBM DB2 Universal Database Multiple Untrusted Search Path Vulnerabilities
Local exploitation of multiple untrusted search path vulnerabilities in IBM Corp.'s DB2 Universal Database could allow attackers to elevate privileges to the superuser.
These vulnerabilities exist due to the execution of binaries or loading of libraries within untrusted paths. In each case, the path to a binary or library is generated based on an environment variable that is under attacker control. Additionally, the files to be executed or loaded are located in a directory under attacker control.
Analysis:
Exploitation allows local attackers to gain root privileges.
In cases where programs are executed, an attacker need only create a specially crafted environment and file structure. In cases where a library is loaded, creating a library containing a specially crafted initialization section is sufficient.
In order to exploit some of these vulnerabilities, the attacker must be a member of the "db2grp1" group or of a group corresponding to an installed DB2 instance.
Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system. All prior versions, as well as builds for other UNIX-based operating systems, are suspected to be vulnerable.
Workaround:
Setting stricter permissions on the DB2 instance directory can help mitigate some of these vulnerabilities. Removing the setuid bit from all programs included with DB2 can also help mitigate exposure. Note that these configuration changes have not been thoroughly tested and may cause adverse behavior.
CVE Information:
CVE-2007-4275
IBM DB2 Universal Database Directory Creation Vulnerability
Local exploitation of a directory creation vulnerability in IBM Corp.'s DB2 Universal Database could allow attackers to elevate privileges to the superuser.
This vulnerability exists due to insecure directory creation within setuid-binaries included with DB2. While creating specific directory structures, attacker created symbolic links will be followed. This allows world-writable directories to be created anywhere on the file system.
Analysis:
Exploitation allows local attackers to gain root privileges.
In order to execute arbitrary code, an attacker could create a world-writable locale directory. By creating a specially crafted localized message file, the attacker can cause a format string of their choosing to be passed to a function in the printf(3) family. Using known format string exploitation techniques, an attacker can then execute arbitrary code as root. This should not be considered the only way to gain root privileges with this vulnerability. However, iDefense has confirmed this method in lab tests.
Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system. All prior versions, as well as builds for other UNIX-based operating systems, are suspected to be vulnerable.
Workaround:
Setting stricter permissions on the DB2 instance directory can help mitigate some of these vulnerabilities. Removing the setuid bit from all programs included with DB2 can also help mitigate exposure. Note that these configuration changes have not been thoroughly tested and may cause adverse behavior.
CVE Information:
CVE-2007-4273
IBM DB2 Universal Database Multiple File Creation Vulnerabilities
Local exploitation of multiple file creation vulnerabilities in IBM Corp.'s DB2 Universal Database could allow attackers to elevate privileges to the superuser.
These vulnerabilities are due to insufficient checking being performed while handling files with elevated privileges. By setting certain combinations of environment variables, an attacker is able to create or append to arbitrary files on the system.
Analysis:
Exploitation allows local attackers to gain root privileges.
In at least one case, the attacker's umask will be honored when creating files. In this case, the attacker could create world-writable root-owned files anywhere on the system. By targeting specific system files, such as /etc/ld.so.preload or various cron data file locations, an attacker could execute arbitrary code with superuser privileges.
Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system. All prior versions, as well as builds for other UNIX-based operating systems, are suspected to be vulnerable.
Workaround:
Setting stricter permissions on the DB2 instance directory can help mitigate some of these vulnerabilities. Removing the setuid bit from all programs included with DB2 can also help mitigate exposure. Note that these configuration changes have not been thoroughly tested and may cause adverse behavior.
CVE Information:
CVE-2007-4272
IBM DB2 Universal Database Directory Traversal Vulnerability
Local exploitation of a directory traversal vulnerability in IBM Corp.'s DB2 Universal Database allows attackers to cause a denial of service (DoS) condition or elevate privileges to root.
Some DB2 binaries that are installed setuid-root will save event information to a log file. When creating the full path to the destination file, an environment variable is concatenated with "/tmp/". Since there is no checking for path traversal strings, such as "../", within the environment variable, an attacker is able to create arbitrary files on the system.
Analysis:
Exploitation allows local attackers to gain root privileges.
It should be noted that attackers do not appear to have any control over the contents of the data written. As such, privilege escalation can occur in combination with a vulnerability that relies on the ability to create a specially crafted file name. Denying service to the machine is trivial by writing to /etc/nologin or corrupting other critical system files.
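The "/tmp/" concatenation described above and the environment-derived binary and library paths in the untrusted search path section share one root cause: a setuid program trusting its environment. The added example below is not DB2 code; INSTALL_PREFIX, the library name and the function names are assumptions. It shows two defensive checks: ignoring the environment altogether when real and effective ids differ (the same test glibc's secure_getenv(3) performs), and accepting from an environment value only a single file name component, so "../" sequences and embedded slashes can never reach the path that is opened.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed install prefix, standing in for whatever a package records at
 * build time. A privileged program takes binary and library locations
 * from a constant like this, never from PATH-like environment variables. */
#define INSTALL_PREFIX "/opt/ibm/db2/V9.1"

/* Return the variable only when the process was not started setuid or
 * setgid. glibc's secure_getenv(3) makes the same decision using the
 * kernel's AT_SECURE flag; this portable version is an illustration. */
const char *unprivileged_getenv(const char *name)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    return getenv(name);
}

/* Accept exactly one path component drawn from a conservative character
 * set. "", ".", "..", anything containing '/', and control or shell
 * metacharacters are all rejected. Returns 1 if acceptable, else 0. */
int component_ok(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (!(isalnum(*p) || *p == '.' || *p == '_' || *p == '-'))
            return 0;
    }
    return 1;
}

/* Join a trusted base directory with a validated component, with a
 * length check. Returns 0 and fills out on success, -1 otherwise. */
int join_under(const char *base, const char *component,
               char *out, size_t outsz)
{
    if (!component_ok(component))
        return -1;
    int n = snprintf(out, outsz, "%s/%s", base, component);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* The advisory's case: a log name under /tmp. Returns 1 when the name
 * would be accepted, 0 when it would be refused. */
int tmp_path_ok(const char *component)
{
    char path[256];
    return join_under("/tmp", component, path, sizeof path) == 0;
}

int main(void)
{
    char lib[512];
    /* Constructed value of the kind an attacker-controlled variable holds. */
    const char *evil = "../etc/nologin";
    printf("%s -> %s\n", evil, tmp_path_ok(evil) ? "accepted" : "rejected");
    /* Library location comes from the fixed prefix; "libexample.so" is a
     * hypothetical name. */
    if (join_under(INSTALL_PREFIX "/lib", "libexample.so", lib, sizeof lib) == 0)
        printf("library path: %s\n", lib);
    return 0;
}
```

Allow-listing characters is deliberately stricter than searching for "../": a value such as "..\x2f" or a name ending in "/.." slips past substring checks, while a component rule has nothing to bypass. The file that is then opened still needs O_NOFOLLOW and an fstat on the descriptor, since a valid name can still be a symbolic link.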
Detection:
iDefense confirmed the existence of this vulnerability in version 9.1 Fix Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system. All prior versions, as well as builds for other UNIX-based operating systems, are suspected to be vulnerable.
Workaround:
Setting stricter permissions on the DB2 instance directory can help mitigate some of these vulnerabilities. Removing the setuid bit from all programs included with DB2 can also help mitigate exposure. Note that these configuration changes have not been thoroughly tested and may cause adverse behavior.
CVE Information:
CVE-2007-4271
IBM DB2 Universal Database Multiple Race Condition Vulnerabilities
Local exploitation of multiple race condition vulnerabilities in IBM Corp.'s DB2 Universal Database could allow attackers to elevate privileges to the superuser.
These vulnerabilities are due to insufficient checking being performed while handling files with elevated privileges. In each case, a race condition exists between a check to see if an existing file is a symbolic link and modifying it. By quickly and repeatedly removing and recreating the file as a symbolic link, an attacker could modify arbitrary files with root privileges.
Analysis:
Exploitation allows local attackers to gain root privileges.
Depending on the specific vulnerability, the attacker may have little or no control over the contents of data written to the file. In most cases, this does not significantly impact exploitation since file permissions allow the file to be written to by the attacker.
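Three of the issues in this advisory, the symlink followed during directory creation, the files created under the caller's umask, and the check-then-modify race on symbolic links, are all avoided by the same discipline in privileged code: make the check and the operation a single system call, verify what was opened through its descriptor rather than by path, and set modes explicitly. The added example below is not DB2 code; the path names, modes and function names are assumptions, and the demo runs as the invoking user rather than setuid-root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a directory with an explicit mode. mkdir(2) refuses an existing
 * symlink with EEXIST, but a chmod(2) by path afterwards would follow the
 * link; so the mode is set through a descriptor opened with O_NOFOLLOW
 * and checked with fstat. Returns 0 on success, -1 otherwise. */
int create_dir_nofollow(const char *path, mode_t mode)
{
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;                      /* ELOOP: a symlink sits here */
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode)
        && st.st_uid == geteuid() && fchmod(fd, mode) == 0)
        rc = 0;
    close(fd);
    return rc;
}

/* Create a new file: O_CREAT|O_EXCL fails if anything (including a
 * symlink) already exists, so check and create are one call. The mode is
 * applied with fchmod because O_CREAT's mode is masked by umask.
 * Returns the descriptor or -1. */
int create_file_nofollow(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Append to an existing log: O_NOFOLLOW refuses a symlink in the final
 * component, and fstat on the descriptor confirms a regular file owned by
 * us. There is no lstat-then-open window to race. Returns fd or -1. */
int open_log_append(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Exercise the helpers in a fresh temporary directory: symlinks at the
 * target names must be refused, plain names must work, and the resulting
 * modes must not depend on umask. Returns 0 when every check passed,
 * otherwise a small code naming the failed step. */
int demo(void)
{
    char dir[] = "/tmp/advisory-demo-XXXXXX";        /* constructed template */
    char target[128], lnk[128], plain[128], subdir[128], dlnk[128];
    struct stat st;
    int rc = 1, fd;
    if (mkdtemp(dir) == NULL)
        return rc;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(plain, sizeof plain, "%s/plain.log", dir);
    snprintf(subdir, sizeof subdir, "%s/msg", dir);
    snprintf(dlnk, sizeof dlnk, "%s/dlink", dir);
    umask(0);                                         /* permissive umask */
    rc = 2; if ((fd = open(target, O_WRONLY | O_CREAT, 0600)) < 0) goto out;
    close(fd);
    if (symlink(target, lnk) != 0 || symlink(dir, dlnk) != 0) goto out;
    rc = 3; if (create_file_nofollow(lnk, 0600) != -1) goto out;
    rc = 4; if (open_log_append(lnk) != -1) goto out;
    rc = 5; if ((fd = create_file_nofollow(plain, 0600)) < 0) goto out;
    close(fd);
    rc = 6; if (stat(plain, &st) != 0 || (st.st_mode & 0777) != 0600) goto out;
    rc = 7; if (create_dir_nofollow(dlnk, 0750) != -1) goto out;
    rc = 8; if (create_dir_nofollow(subdir, 0750) != 0) goto out;
    rc = 9; if (stat(subdir, &st) != 0 || (st.st_mode & 0777) != 0750) goto out;
    rc = 0;
out:
    unlink(lnk); unlink(dlnk); unlink(target); unlink(plain);
    rmdir(subdir); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo %s (code %d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

Two caveats apply to this pattern. O_NOFOLLOW only covers the final path component, so the parent directories must be ones the unprivileged user cannot rename or replace (root-owned, or sticky like /tmp, where only the entry's owner may remove it). Hard links are a separate case that O_NOFOLLOW does not address; the fstat ownership test above, and on Linux the fs.protected_hardlinks sysctl, cover that route.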
Detection:
iDefense confirmed the existence of these vulnerabilities in version 9.1 Fix Pack 2 of IBM Corp.'s DB2 Universal Database installed on a Linux system. All prior versions, as well as builds for other UNIX-based operating systems, are suspected to be vulnerable.
Workaround:
Setting stricter permissions on the DB2 instance directory can help mitigate some of these vulnerabilities. Removing the setuid bit from all programs included with DB2 can also help mitigate exposure. Note that these configuration changes have not been thoroughly tested and may cause adverse behavior.
CVE Information:
CVE-2007-4270
Vendor response:
IBM Corp. has addressed these vulnerabilities by releasing V9 Fix Pack 3 and V8 FixPak 15 of its Universal Database product. More information can be found at the following URLs:
V8: http://www-1.ibm.com/support/docview.wss?uid=swg21256235
V9: http://www-1.ibm.com/support/docview.wss?uid=swg21255572