**CVSS2:** AV:L/AC:L/Au:N/C:C/I:C/A:C (Attack Vector: Local; Attack Complexity: Low; Authentication: None; Confidentiality, Integrity and Availability Impact: Complete)
**EPSS Percentile:** 0.4%
**Date Published:** 2003-09-18
**Last Update:** 2003-09-17
**Advisory ID:** CORE-2003-0531
**Bugtraq ID:** 8552, 8553
**CVE Name:** CAN-2003-0758, CAN-2003-0759
**Title:** Multiple IBM DB2 Stack Overflow Vulnerabilities
**Class:** Boundary Error Condition (Buffer Overflow)
**Remotely Exploitable:** No
**Locally Exploitable:** Yes
**Advisory URL:** <https://www.coresecurity.com/core-labs/advisories/multiple-ibm-db2-stack-overflow-vulnerabilities>
IBM:
**Release Mode:** COORDINATED RELEASE
DB2 is IBM’s relational database software, oriented toward the deployment and development of e-business, business intelligence, content management, enterprise resource planning and customer relationship management solutions. DB2 can be deployed in AIX, HP-UX, Linux, Solaris and Windows environments.
IBM’s DB2 database ships with two vulnerable setuid binaries, db2licm and db2dart. Both are vulnerable to a stack-based buffer overflow that allows a local attacker to execute arbitrary code on the vulnerable machine with the privileges of the root user. The overflow is triggered by passing an over-long command line argument to either binary.
By default (in the environment available during research), the vulnerable binaries have the following privileges (for example in the case of db2licm):
-r-sr-x--- 1 root db2iadm1 31926 Jun 21 2002 /home/db2inst1/sqllib/adm/db2licm
-r-sr-x--- 1 root db2asgrp 31926 Jun 21 2002 /home/db2as/sqllib/adm/db2licm
db2as is the only user in the db2iadm1 group, and db2inst1 is the only user in the db2asgrp group. So, in a default install, an attacker with access to the system under either of those accounts is able to escalate privileges to the root account.
IBM DB2 Universal Data Base v7.2 for Linux/x86 is vulnerable.
IBM DB2 Universal Data Base v7.2 for Linux/s390 is vulnerable.
Other IBM DB2 versions and target platforms were not available for testing, but may be vulnerable as well.
[BID 8552, CAN-2003-0758]
The db2dart issue is fixed in Fixpak 10 for DB2 v7.2.
[BID 8553, CAN-2003-0759]
The db2licm issue is fixed in Fixpak 10a for DB2 v7.2.
If Fixpak 10a is not yet listed on that web page, it can be downloaded from IBM’s FTP site. For example, the 32-bit Intel Linux version of Fixpak 10a is located at:
<ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2linuxv7/FP10a_U495179>
This vulnerability was found by Juan Pablo Martinez Kuhn from Core Security. We wish to thank Juan Manuel Pascual Escriba for his cooperation testing and confirming the vulnerabilities. We also wish to thank Scott Logan from IBM for his quick response to this issue.
The following tests are enough to confirm that a binary is vulnerable.
Running these commands (which pass an argument of 1287 or 999 bytes, generated with perl) should produce a segmentation fault in vulnerable binaries:
[BID 8552, CAN-2003-0758]
/home/db2as/sqllib/adm/db2dart $(perl -e 'print "A"x1287')
Segmentation fault
[BID 8553, CAN-2003-0759]
/home/db2as/sqllib/adm/db2licm $(perl -e 'print "A"x999')
…
User Response: Enter the name of a file that exists and can be
opened and try the command again.
Segmentation fault
…
Both binaries suffer from a simple stack-based buffer overflow.
Exploitation of the vulnerabilities is trivial. To confirm exploitability, sample exploit code was developed for the DB2 7.1 binaries on Linux running on x86 and s390 systems.
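The bug class described above, shown as an added illustration in C rather than as Core’s or IBM’s code: a command line argument copied into a fixed-size stack buffer with no bound, beside a version that refuses over-long input. The buffer size (256 bytes) and the function names are assumptions; the real db2licm/db2dart buffer sizes are not given in the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration; not the real DB2 value. */
#define ARG_BUF 256

/* Vulnerable pattern (illustrative only, not the DB2 source): the argument
 * is copied into a fixed stack buffer with no length check. An argument
 * longer than ARG_BUF - 1 bytes, like the 999- or 1287-byte strings in the
 * tests above, overruns the buffer and corrupts the stack frame. */
static int handle_arg_unsafe(const char *arg)
{
    char path[ARG_BUF];
    strcpy(path, arg);                 /* overflow: length never checked */
    return path[0] != '\0';
}

/* Hardened form: measure first, refuse what does not fit, copy only then.
 * Rejecting (rather than silently truncating) avoids turning a long
 * argument into an unexpected but valid-looking file name. */
static int handle_arg_safe(const char *arg, char *out, size_t outsz)
{
    const char *nul = memchr(arg, '\0', outsz); /* never reads past outsz */
    if (nul == NULL)
        return -1;                     /* no terminator within outsz: reject */
    memcpy(out, arg, (size_t)(nul - arg) + 1); /* includes the NUL */
    return 0;
}

/* Builds an argument of n 'A' bytes (the perl -e 'print "A"xN' pattern)
 * and reports whether the hardened handler rejects it: 1 = rejected,
 * 0 = accepted, -1 = allocation failure. */
int rejects_arg_of_length(size_t n)
{
    char dst[ARG_BUF];
    char *arg = malloc(n + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    int rc = handle_arg_safe(arg, dst, sizeof dst);
    free(arg);
    return rc == -1;
}

int main(void)
{
    size_t lens[] = { 999, 1287, 10 }; /* the two advisory lengths plus a sane one */
    for (size_t i = 0; i < 3; i++)
        printf("%zu bytes: %s\n", lens[i],
               rejects_arg_of_length(lens[i]) ? "rejected" : "accepted");
    (void)handle_arg_unsafe;           /* kept for contrast, deliberately never called */
    return 0;
}
```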
Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets.
To learn more about Core Impact, the first comprehensive penetration testing framework, visit <https://www.coresecurity.com>.
The contents of this advisory are copyright © 2003 CORE Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.