Secure Network Operations, Inc. http://www.secnetops.com/research Strategic Reconnaissance Team research@secnetops.com Team Lead Contact kf@secnetops.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. To learn more about our company, products and services or to request a demo of ANVIL FCS please visit our site at http://www.secnetops.com, or call us at: 978-263-3829 Quick Summary: ************************************************************************ Advisory Number : SRT2003-11-06-0710 Product : IBM DB2 UDB v8.1 Version : versions v7 and v8 Vendor : http://www-3.ibm.com/software/data/db2/ Class : Local Criticality : High Operating System(s) : *nix Notice ************************************************************************ The full technical details of this vulnerability can be found at: http://www.secnetops.com under the research section. Basic Explanation ************************************************************************ High Level Description : DB2 contains multiple local security issues. What to do : Apply v7fp11 (late November) and v8fp4. Basic Technical Details ************************************************************************ Proof Of Concept Status : SNO has not yet created proof of concept. Low Level Description : DB2 UDB version 8.1 for Linux and Unix contains several local buffer overflows and format strings conditions. Our tests were performed against DB2 on linux as installed from 009_ESE_LNX_32_NLV.tar. Other unix variants may be affected in a similar manor. Depending on the options selected the DB2 installer *may* ask you to add several users to your machine. You are instructed to either add a new user or choose an existing username. These are the users I added for testing: dasusr:x:501:501::/home/dasusr:/bin/bash db2inst1:x:502:502::/home/db2inst1:/bin/bash db2fenc1:x:503:503::/home/db2fenc1:/bin/bash The above usernames *may* be used in several setuid applications included with DB2. The conditions we found are associated with the Instance user db2inst1. The following binaries contain multiple security issues in the form of both format strings issues and buffer overflows. -r-sr-s--x 1 root db2inst1 38044 Oct 11 07:26 db2start -r-sr-s--x 1 root db2inst1 84713 Oct 11 07:26 db2stop -r-sr-s--x 1 db2inst1 db2inst1 141857 Oct 11 07:26 db2govd Full details on the overflows and format strings conditions can be located at http://www.secnetops.com/research/advisories/SRT2003-11-06-0710.txt Workaround: chmod -s the above mentioned binaries or use vendor patches. Vendor Status : IBM has promptly attended to the issues at hand Fixpak 4 for v8 is available now at http://www-3.ibm.com/cgi-bin/db2www /data/db2/udb/winos2unix/support/download.d2w/report (wordwrapped). Fixpak 11 for v7 should be ready late november and will contain the equivalent fixes. Bugtraq URL : To be assigned. Disclaimer ---------------------------------------------------------------------- This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories but can be obtained under contract.. Contact our sales department at sales@secnetops.com for further information on how to obtain proof of concept code. ---------------------------------------------------------------------- Secure Network Operations, Inc. || http://www.secnetops.com "Embracing the future of technology, protecting you."