DB2 is IBM's relational database software, oriented toward the deployment and development of e-business, business intelligence, content management, and enterprise resource planning and customer relationship management solutions. DB2 can be deployed in AIX, HP-UX, Linux, Solaris, and Windows environments.
IBM's DB2 database ships with two vulnerable setuid binaries, namely db2licm and db2dart. Both binaries are vulnerable to a buffer overflow that allows a local attacker to execute arbitrary code on the vulnerable machine with the privileges of the root user. The vulnerability is triggered by providing a long command line argument to the binaries.
By default (in the environment available during research), the vulnerable binaries have the following privileges (for example in the case of db2licm):

-r-sr-x--- 1 root db2iadm1 31926 Jun 21 2002 /home/db2inst1/sqllib/adm/db2licm
-r-sr-x--- 1 root db2asgrp 31926 Jun 21 2002 /home/db2as/sqllib/adm/db2licm
The db2as is the only user of the db2iadm1 group, and db2inst1 is the only user of the db2asgrp group. Therefore, in a default install, an attacker with access to the system through any of those accounts will be able to escalate privileges to the root account.
Technical Description - Exploit/Concept Code:
The following tests are enough to confirm a binary is vulnerable. Executing these perl scripts should produce a segmentation fault in vulnerable binaries:

/home/db2as/sqllib/adm/db2dart `perl -e 'print "A"x1287'`
Segmentation fault

/home/db2as/sqllib/adm/db2licm `perl -e 'print "A"x999'`
...
User Response: Enter the name of a file that exists and can be opened and try the command again.
Segmentation fault
...
Both binaries suffer from a simple stack-based buffer overflow.
Exploitation of the vulnerabilities is trivial. To confirm the exploitability, sample exploit code was developed for DB2 7.1 binaries for the Linux operating system running on x86 and s390 systems.
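The following C listing is an added illustration and is not the source of db2licm or db2dart (the advisory does not show their code). It contrasts the generic pattern behind the overflow described above, an unchecked copy of argv[1] into a fixed-size stack buffer, with the bounded handling a setuid utility should use: measure the argument first, reject anything that cannot fit together with its terminating NUL, and only then copy. The buffer size ARG_BUF_SIZE, the function names and the E2BIG error choice are assumptions made for this example; make_a_run builds the same kind of long "A" argument the advisory's perl one-liners produce so the check can be exercised without a crash.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Fixed stack buffer size used by this illustration (an assumption; the
 * advisory does not state the real buffer sizes inside db2licm/db2dart). */
#define ARG_BUF_SIZE 256

/* The defect pattern the advisory describes: the command line argument is
 * copied into a fixed-size stack buffer with no length check, so any
 * argument of ARG_BUF_SIZE bytes or more overwrites the frame beyond buf.
 * Shown only for contrast; it is never called by the rest of this example. */
void copy_arg_unchecked(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    strcpy(buf, arg);   /* no bound: overflow when strlen(arg) >= ARG_BUF_SIZE */
    (void)buf;
}

/* Hardened version: verify the argument fits (including the NUL) before
 * writing a single byte. Returns 0 on success, -1 with errno = E2BIG if the
 * argument is too long for dst. */
int copy_arg_checked(const char *arg, char *dst, size_t dst_size)
{
    size_t len = strlen(arg);
    if (dst_size == 0 || len >= dst_size) {
        errno = E2BIG;
        return -1;
    }
    memcpy(dst, arg, len + 1);   /* len + 1 copies the terminating NUL */
    return 0;
}

/* Stand-in for the entry point of a setuid utility: validate argv[1] before
 * it reaches any stack buffer. Returns 0 if the argument was accepted,
 * 1 if it was rejected (missing or too long). */
int handle_argument(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    if (arg == NULL)
        return 1;
    if (copy_arg_checked(arg, buf, sizeof buf) != 0) {
        fprintf(stderr, "argument too long (%zu bytes, limit %d)\n",
                strlen(arg), ARG_BUF_SIZE - 1);
        return 1;
    }
    /* Normal processing of buf would follow here. */
    return 0;
}

/* Builds an argument of n 'A' characters, like the advisory's
 * perl -e 'print "A"x1287' test. out must hold at least n + 1 bytes. */
void make_a_run(char *out, size_t n)
{
    memset(out, 'A', n);
    out[n] = '\0';
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    return handle_argument(argv[1]);
}
```

Run as `./arg_check "$(perl -e 'print "A"x1287')"` the hardened handler prints a diagnostic and exits with status 1 instead of faulting; the boundary worth testing is the last byte: an argument of ARG_BUF_SIZE - 1 characters is accepted, one of ARG_BUF_SIZE characters is refused, because the NUL terminator also needs a slot.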