DB2 UDB for iSeries supports stored procedure calls. It also allows the CREATE PROCEDURE statement to reference existing program objects. Unfortunately, it does not require an explicit definition of existing program objects as stored procedures, allowing the execution of ANY program via remote SQL calls (see http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/sqlp/rbafymst202.htm).
Credit:
The information has been provided by Shalom Carmel.
Vulnerable systems:
* iSeries versions 3.2 - 5.2 (Verified for 4.4 - 5.1)
What is the impact of this vulnerability?
A. This vulnerability lets an otherwise limited user execute iSeries commands.
The iSeries contains a system program, QCMDEXC, that effectively provides a remote shell for command execution, similar to the SQL Server xp_cmdshell procedure. With the proper parameters, this program can be called to execute local commands.
B. This vulnerability lets a user execute REXX scripts.
The iSeries contains a system program, QREXX, that provides an API for executing REXX scripts on the server. With the proper parameters, this program can be called to execute existing REXX scripts on the server.
C. A user can create new programs and new REXX scripts.
CL program sources are kept in source files (typically QCLSRC). REXX scripts are kept in source files (typically QREXSRC). Source files are accessible by SQL for modification, creation and deletion. An attacker can issue a stream of INSERT statements to a CL source file, and then compile it using the QCMDEXC shell. An attacker can issue a stream of INSERT statements to a REXX source file, and execute them using either QREXX, or the STRREXPRC command via QCMDEXC. Of course, source files also contain RPG, COBOL, and C programs, so an attacker can actually upload any program source to the server, compile it and run it.
CL commands and REXX scripts can be used on their own to gain further access to the server and database, or as a tool to download additional programs or scripts via FTP and other tools.
Workarounds and/or fixes for this vulnerability:
1. Revoke Public authority to all *PGM objects in the system, unless you intend them to be called from SQL.
2. Revoke Public authority to QCMDEXC and QREXX, if possible.
3. A security package that monitors SQL exit programs may work, but only for IBM ODBC, and will not work for other vendors nor for DRDA access.
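The first two workarounds expressed as CL commands, added here as an illustration and not part of the original advisory: the current authority is listed before anything is changed, *PUBLIC is revoked from the two programs the advisory names, and *USE is re-granted to a named group. SQLCALLERS is an assumed group profile name standing in for whichever profiles legitimately need to call the program.

```cl
/* Added example, not from the advisory. SQLCALLERS is a hypothetical   */
/* group profile; replace it with the profiles that really need access. */

/* 1. Record who currently holds authority before changing anything.    */
DSPOBJAUT OBJ(QSYS/QCMDEXC) OBJTYPE(*PGM) OUTPUT(*PRINT)
DSPOBJAUT OBJ(QSYS/QREXX)   OBJTYPE(*PGM) OUTPUT(*PRINT)

/* 2. Remove *PUBLIC access so an arbitrary SQL user can no longer CALL */
/*    the program through ODBC, JDBC, DRDA or OLE DB.                   */
RVKOBJAUT OBJ(QSYS/QCMDEXC) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*ALL)
RVKOBJAUT OBJ(QSYS/QREXX)   OBJTYPE(*PGM) USER(*PUBLIC) AUT(*ALL)

/* 3. Re-grant *USE only to the profiles that legitimately need it.     */
GRTOBJAUT OBJ(QSYS/QCMDEXC) OBJTYPE(*PGM) USER(SQLCALLERS) AUT(*USE)
GRTOBJAUT OBJ(QSYS/QREXX)   OBJTYPE(*PGM) USER(SQLCALLERS) AUT(*USE)

/* 4. Confirm the change took effect.                                   */
DSPOBJAUT OBJ(QSYS/QCMDEXC) OBJTYPE(*PGM) OUTPUT(*PRINT)
```

Many interactive and batch applications call QCMDEXC themselves, so the revoke should be tested on a non-production partition first; that is the "if possible" in workaround 2.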
Recreation:
The SQL commands can be run against an AS400 ODBC, JDBC, DRDA or OLE DB connection. They can be executed using the iSeries CA express tool. An account on the iSeries is required.
Of course, a program can be written in the language of your choice to demonstrate the same.
1. First, let's make sure that QCMDEXC was not declared as a stored procedure
select * from sysprocs where upper(routine_name) = 'QCMDEXC'
2. Create a message queue called hack on the server
Call qcmdexc('crtmsgq hack' , 0000000012.00000)
3. Send message "hacked you" to message queue hack
Call qcmdexc('sndmsg ''hacked you'' hack' , 0000000024.00000)
ANY iSeries program can be properly supplied with parameters and executed in this way.