Operating System:

Published:

13 January 2005

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

     ESB-2005.0036 -- NGSSoftware Insight Security Research Advisories
                    Multiple vulnerabilities in IBM DB2
                              13 January 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DB2 8.1 Fixpak 7 and earlier
                   IBM DB2 7.x
Publisher:         NGSSoftware
Operating System:  UNIX variants
                   Linux variants
                   Windows
Impact:            Root Compromise
                   Execute Arbitrary Code/Commands
                   Increased Privileges
                   Denial of Service
Access:            Remote/Unauthenticated

Ref:               ESB-2005.0035

Original Bulletin: http://www.nextgenss.com/advisory.htm

- --------------------------BEGIN INCLUDED TEXT--------------------

Researchers at NGSSoftware have discovered multiple critical/high risk
vulnerabilities in IBM's DB2 Universal Database. Versions affected include

DB2 8.1 Fixpak 7 and earlier

IBM has updated Fixpak 6 and 7 to 6a and 7a to include fixes for these
flaws. In all, 20 vulnerabilities, mostly remotely exploitable buffer
overflows, have been addressed by the updates. The updated Fixpaks have just
been released and can be downloaded from

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html

The flaws fixed in these Fixpaks equate to NGSS BUGID 102, 103, 104, 105,
106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 117, 118, 119, 120, 121
and 122 from the Vendor Notification Alerts -
http://www.nextgenss.com/vna.htm.

- -------------------------------------------------------------------------------

NGSSoftware Insight Security Research Advisory

Name: IBM DB2 db2fmp buffer overflow
Systems Affected: DB2 8.1/7.x	
Severity: High risk from local
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005A
Advisory URL: http://www.ngssoftware.com/advisories/db205012005A.txt

Description
***********
IBM's DB2 database server suffers from a local attack whereby passing an
overly parameter to the db2fmp binary will overflow a stack based buffer.

Details
*******
db2fmp is used for running fenced libraries. A fenced library is one that is
not loaded into the main DB2 process so in the event of an error the server
is not taken down as well. On unix based versions of DB2, db2fmp is
installed setuid root. Exploiting this buffer overrun can allow a local
attacker to gain root privileges.

Note - Some versions may drop root privileges before the overflow can be
exploited.

Note - Whilst the overflow is present on Windows platforms it cannot be
exploited to gain elevated privileges.

Fix Information
***************
IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2
v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2
v7.x

NGSSQuirreL for DB2 (http://www.nextgenss.com/db2.htm) can be used to assess
whether your DB2 server is vulnerable to this.

- -------------------------------------------------------------------------------

Name: IBM DB2 libdb2.so.1 buffer overflow
Systems Affected: DB2 8.1/7.x	
Severity: High risk from local
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005B
Advisory URL: http://www.ngssoftware.com/advisories/db205012005B.txt

Description
***********
libdb2.so.1, one of the libraries supplied with IBM's DB2 database server
suffers from a buffer overflow vulnerability.

Details
*******
This vulnerability can be divided into two separate issues. Firstly, when
libdb2.so is loaded it reads the DBLPORT environment variable and copies the
value to a buffer in the .bss section. This buffer is overflowed. By
providing an overly long DB2LPORT environment variable it fills the
db2MLNPort_name buffer in the .bss section of libdb2.so.1 - then spills over
into the db2node_name buffer, into the instprof_path buffer, into the
instance_path buffer and so on all the way into the install_path buffer.
Secondly, when the sqloInstancePath() reads the install_path we overflow a
local stack based buffer of sqloGetInstancePath().

This can be exploited to gain root privileges. For example, db2cacpy is
setuid root. This program loads the library and calls sqloInstancePath()
overflowing the buffer.



Fix Information
***************
IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2
v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2
v7.x

- -------------------------------------------------------------------------------

Name: IBM DB2 call buffer overflow
Systems Affected: DB2 8.1/7.x	
Severity: High risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005C
Advisory URL: http://www.ngssoftware.com/advisories/db205012005C.txt

Description
***********
IBM's DB2 database server suffers from a stack based buffer overflow
vulnerability when using "call".

Details
*******
Under DB2 it is possible to load a library directly and execute a function:

call libname!function

By passing an overly long libname it is possible to overflow a stack based
buffer and overwrite the saved return address. When exploited this can allow
an attacker to gain elevated privileges.


Note 1) if an attacker can place an arbitrary library on the system (and
there are ways to do this via DB2 and SQL) then there is no need to exploit
this overflow. It is sufficient simply to create the library and export a
function that takes no parameters.

Note 2) "CREATE WRAPPERS" uses the same code as "CALL" and is presents
another vector.


Fix Information
***************
IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2
v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2
v7.x

- -------------------------------------------------------------------------------

Name: IBM DB2 JDBC Applet Server buffer overflow
Systems Affected: DB2 8.1
Severity: High risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005D
Advisory URL: http://www.ngssoftware.com/advisories/db205012005D.txt

Description
***********
IBM's DB2 JDBC Applet Server suffers from a stack based buffer overflow
vulnerability that can be exploited remotely without a user ID or password.

Details
*******
When a client connects to the JDBC applet server on TCP port 6789 it does so
using a proprietary protocol. The connection packet starts with
ValidDb2jdTokenFromTheClientSide and includes the username, the password,
the db2java.zip version and the database to connect to.

The problem arises as follows.

Firstly, an attacker attempts to authenticate to the JDBC applet server on
TCP 6789 with an overly long username of c. 2200 bytes then disconnects
gracefully.

Secondly, they reconnect, but this time send a short username but set the
db2java.zip version to something other than expected by the server. Set the
version to c. 544 unicode bytes \x00\x41.

An error is logged and at some stage the null terminator is removed and the
original username that was sent is concatentated to the db2java.zip version.

This is then copied to a stack based buffer and it overflows.


Fix Information
***************
IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2
v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2
v7.x

- -------------------------------------------------------------------------------

Name: IBM DB2 SATADMIN.SATENCRYPT buffer overflow
Systems Affected: DB2 8.1
Severity: Medium risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005E
Advisory URL: http://www.ngssoftware.com/advisories/db205012005E.txt

Description
***********
IBM's DB2 database server, when configured for Satellite Administration
includes a number of SQL functions. One of these, the SATENCRYPT function
suffers from a stack based buffer overflow vulnerability.

Details
*******
The SATENCRYPT function in the SATADMIN schema is vulnerable to a classic
stack based overflow. The satencrypt function is exported by db2prom.dll and
one of it's subfunctions creates a 40 byte buffer. User supplied data is
copied to the buffer until a null terminator is reached in a while loop. By
passing a parameter longer than 40 bytes allows the attacker to overflow the
buffer and overwrite the saved return address. By exploiting this an
attacker can gain elevated privileges.

Note - by default, public cannot execute this function.


Fix Information
***************
IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2
v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2
v7.x

- -------------------------------------------------------------------------------

Name: IBM DB2 Windows Permission Problems
Systems Affected: DB2 8.1
Severity: High risk from local
Vendor URL: http://www.ibm.com/
Author: Chris Anley [ chris at ngssoftware.com ]
Relates to: http://www.ngssoftware.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005F
Advisory URL: http://www.ngssoftware.com/advisories/db205012005F.txt

Description
***********

Almost all shared memory sections and events in the Windows version of
DB2 have weak permissions; all sections can be read and written by
Everyone, and all events can be set and waited on by Everyone. This
results in a number of security issues relating to the privileges of
local users.

Details
*******

The numbers below are NGS BUGID reference numbers mentioned in
http://www.ngssoftware.com/advisories/db2-02.txt

107) Depending on the server's authentication mode, any user can read
plaintext windows usernames and passwords from the
'DB2SHMSECURITYSERVICE' section. If the authentication mode is 'client',
the username and password combinations for all client connections can be
read from this section.

The data in this section persists until another connection is made.

108) Any user can shut down DB2, by setting the event named
'DB2SHUTDOWNSEM'+ pid, for example

DB2SHUTDOWNSEM000002ec

109) Any user can DOS the "DB2 Security Server", by writing non-zero
values to the section 'DB2SHMSECURITYSERVICE', followed by setting the
security service 'input' event, to make the service read the input data:

DB2NTSECURITYINPUT

The service will then crash.

110) Any user can read potentially sensitive query and/or query result
data from a number of shared memory sections. The following sections are
marked readable by 'Everybody'

section read DB20QM
section read DB2GLBQ0QM
section read DB2SHMDB2_0APP
section read DB2SHMDB2_0APL00000003
section read DB2SHMDB2_0APL00000004
section read DB2SHMDB2_0APL00000005
...etc

111) After writing to the world-writeable section 'DB20QM':

section write DB20QM

... the DB2 'command line processor' will not run, nor will the 'command
center', the server has effectively been DOSsed.

Fix Information
***************
IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html -
DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html -
DB2 v7.x

- -------------------------------------------------------------------------------

Name: IBM DB2 to_char and to_date Denial Of Service
Systems Affected: DB2 8.1
Severity: High risk from local
Vendor URL: http://www.ibm.com/
Author: Chris Anley [ chris at ngssoftware.com ]
Relates to: http://www.ngssoftware.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005G
Advisory URL: http://www.ngssoftware.com/advisories/db205012005G.txt

Description
***********
IBM DB2 is vulnerable to Denial of Service conditions when processing
certain function calls.

Details
*******
The numbers below are NGS BUGID reference numbers mentioned in
http://www.ngssoftware.com/advisories/db2-02.txt

112) If the to_char function is called with an empty string for its
second parameter, DB2 dereferences a null pointer and terminates:

select to_char('aaa','') from sysibm.sysdummy1

113) If the to_date function is called with an empty string for its
second parameter, DB2 dereferences a null pointer and terminates:

select to_date('aaa', '') from sysibm.sysdummy1

In both cases, DB2 must be restarted in order to restore normal
functionality.

Fix Information
***************
IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html -
DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html -
DB2 v7.x

- -------------------------------------------------------------------------------

Name: IBM DB2 XML functions overflows
Systems Affected: DB2 8.1
Severity: High risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005H
Advisory URL: http://www.ngssoftware.com/advisories/db205012005H.txt

Description
***********
IBM's DB2 database server contain four XML functions that suffer from stack
based buffer overflow vulnerabilities.

Details
*******
The xmlvarcharfromfile suffers from a buffer overflow vulnerability. When
and only when, 94 bytes are supplied for the second argument a pointer to
the user supplied string is written over the saved return address so when
ucnv_open_2_0 (in db2xmlfn.dll) returns - it does so into the string. This
allows an attacker to run arbitrary code and elevate privileges.

The xmlclobfromfile, xmlfilefromvarchar and xmlfilefromclob functions are
also vulnerable.


Fix Information
***************
IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2
v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2
v7.x

- -------------------------------------------------------------------------------

Name: IBM DB2 XML functions file creation vulnerabilities
Systems Affected: DB2 8.1
Severity: High risk from remote
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ david at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005I
Advisory URL: http://www.ngssoftware.com/advisories/db205012005I.txt

Description
***********
IBM's DB2 database server contain four XML functions that can be used to
read and write files on the system.

Details
*******
The XMLFileFromVarchar and XMLFileFromClob functions can be used to create
files on the remote server. If the file exists the original is overwritten
with the new content. The permissions of the account running DB2 is used and
not that of the user. This vulnerability can be used to create executable
binaries on the remote server as well. An attacker could create a library
for example and then load it via "CALL".

The XMLVarcharFromFile and XMLClobFromFile can be used to read files from
the remote server.

Fix Information
***************
IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2
v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2
v7.x

- -------------------------------------------------------------------------------


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQecUPSh9+71yA2DNAQJG3wQAksi/DOI2VYkCOnVtRw8wGJ0K2NBl/lwP
uy0oiUpgY/+2X/+ZGdUDYcDaAuVsjUCNfxGa9vYeyEoX2NJFMoVDWARc5p7RIaew
Rp+OKXadhUfoT+cIjiBEAHScAXjZ0yzgbcJfFrbgj2IatHdjIyaWLumg9PZshNpU
4zJcgHUxiaM=
=Ntz+
-----END PGP SIGNATURE-----