|
|
|
Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=653
|
|
Vulnerable Systems:
* IBM Corp.'s DB2 Universal Database 9.1 with FixPack 2 installed on a Linux system
When the DB2INSTANCE environment variable is set, the libdb2 library will use the corresponding user's directory in place of the DB2 instance directory. This allows an unprivileged local user to control the directory structure on which several set-uid root binaries operate.
This vulnerability exists due to the way the db2pd binary loads a library. The program will construct the path to a library to be loaded by concatenating the path to the instance directory with the static string "/sqllib/lib/libdb2fmtdmp.so". When an attacker sets the DB2INSTANCE environment variable to their user name, the binary will load the library from their directory.
Analysis:
Exploitation allows local attackers to gain root privileges. In order to exploit this vulnerability, an attacker must be able to execute the set-uid root db2pd binary.
Workaround:
In order to mitigate exposure to this vulnerability, implement one of the following workarounds.
* Using strict permissions for the DB2 instance directory will prevent non-instance users from accessing the set-uid root binaries.
* Remove the set-uid bit from the db2pd binary.
Vendor response:
IBM Corp. has addressed these vulnerabilities by releasing V9 Fix Pack 4 and version V8 FixPak 16 of its Universal Database product. More information can be found at the following URLs.
* V8: http://www-1.ibm.com/support/docview.wss?uid=swg21256235
* V9: http://www-1.ibm.com/support/docview.wss?uid=swg21255572
CVE Information:
CVE-2007-5757
Disclosure Timeline:
03/22/2007 - Initial vendor notification
03/23/2007 - Initial vendor response
11/13/2007 - V9 Fix Pack 4 made available
01/28/2008 - V8 Fix Pack 16 made available
02/05/2008 - V8 Fix list made available
02/07/2008 - Public disclosure
|
|
|
|