
IBM DB2 Buffer Overflow Vulnerabilities (CIAC N-154)


             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    IBM DB2 Buffer Overflow Vulnerabilities
                  [CORE Security Technologies CORE-2003-0531]

September 19, 2003 14:00 GMT                                      Number N-154
______________________________________________________________________________
PROBLEM:       IBM's DB2 relational database software, version 7.2, contains 
               two setuid binaries (db2licm and db2dart) which are vulnerable 
               to a buffer overflow. 
PLATFORM:      UNIX and LINUX 
DAMAGE:        Local attackers could escalate privileges, execute arbitrary 
               code, or cause a denial of service. 
SOLUTION:      IBM has released FixPak10a to correct these vulnerabilities. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A local attacker could gain root 
ASSESSMENT:    privileges. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-154.shtml 
 ORIGINAL BULLETIN:  http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10 
 PATCHES:            http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report 
______________________________________________________________________________
[***** Start CORE Security Technologies CORE-2003-0531 *****]

Multiple IBM DB2 Stack Overflow Vulnerabilities

Core Security Technologies Advisory 
http://www.coresecurity.com

Date Published: 2003-09-18

Last Update: 2003-09-17

Advisory ID: CORE-2003-0531

Bugtraq ID: 8552, 8553

CVE Name: CAN-2003-0758, CAN-2003-0759

Title: Multiple IBM DB2 Stack Overflow Vulnerabilities

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: No

Locally Exploitable: Yes

Advisory URL: http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10

Vendors contacted: 
- IBM:
  . Core Notification: 2003-08-15
  . Notification acknowledged by IBM: 2003-08-18
  . Fixes available for [CAN-2003-0758]: 2003-08-31
  . Fixes available for [CAN-2003-0759]: 2003-09-17

Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

DB2 is IBM's relational database software, oriented toward the deployment 
and development of e-business, business intelligence, content management, 
enterprise resource planning and customer relationship management solutions. 
DB2 can be deployed in AIX, HP-UX, Linux, Solaris and Windows environments.

IBM's DB2 database ships with two vulnerable setuid binaries, namely db2licm 
and db2dart. Both binaries are vulnerable to a buffer overflow that allows 
a local attacker to execute arbitrary code on the vulnerable machine with 
the privileges of the root user. The vulnerability is triggered by providing 
a long command line argument to either binary.

By default (in the environment available during research), the vulnerable 
binaries have the following privileges (for example in the case of db2licm):

-r-sr-x---    1 root     db2iadm1    31926 Jun 21  2002 /home/db2inst1/sqllib/adm/db2licm
-r-sr-x---    1 root     db2asgrp    31926 Jun 21  2002 /home/db2as/sqllib/adm/db2licm

The db2as user is the only member of the db2iadm1 group, and db2inst1 is the 
only member of the db2asgrp group. So, in a default install, an attacker with 
access to the system through either of those accounts will be able to 
escalate privileges to the root account.
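The listing above is the inventory an administrator wants before and after applying the Fixpak: which instance directories still carry a setuid-root copy of db2licm or db2dart, and which group can run it. The following script is an added example and is not part of the CIAC bulletin or the CORE advisory; it parses `ls -l` lines (the sample below is constructed from the two lines quoted above plus a hypothetical non-setuid db2dart for contrast) and reports each setuid-root DB2 binary with the group that can execute it.

```shell
#!/bin/sh
# Added example (not code from IBM, CIAC or CORE): report setuid-root
# db2licm/db2dart binaries from `ls -l` output so that every instance
# directory on a DB2 host can be checked for the affected binaries.

# Constructed sample listing: the two lines from the advisory plus a
# hypothetical db2dart copy without the setuid bit, for contrast.
SAMPLE_LISTING='-r-sr-x---    1 root     db2iadm1    31926 Jun 21  2002 /home/db2inst1/sqllib/adm/db2licm
-r-sr-x---    1 root     db2asgrp    31926 Jun 21  2002 /home/db2as/sqllib/adm/db2licm
-r-xr-x---    1 root     db2asgrp    31926 Jun 21  2002 /home/db2as/sqllib/adm/db2dart'

# flag_setuid_root: read `ls -l` lines on stdin and print "<group> <path>"
# for each file that is owned by root, has the setuid bit (an 's' or 'S' in
# the owner-execute position of the mode string) and whose basename is
# db2licm or db2dart.
flag_setuid_root() {
    awk '
        $3 == "root" && substr($1, 4, 1) ~ /[sS]/ {
            path = $NF
            n = split(path, parts, "/")
            base = parts[n]
            if (base == "db2licm" || base == "db2dart")
                print $4, path
        }'
}

# count_flagged: number of flagged entries in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_setuid_root | wc -l | tr -d ' '
}

# first_flagged: the first flagged "<group> <path>" line from the sample.
first_flagged() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_setuid_root | head -n 1
}

# On a live DB2 host the instance directories from the advisory would be
# listed directly (adjust the globs to your own instance homes):
#   ls -l /home/*/sqllib/adm/db2licm /home/*/sqllib/adm/db2dart | flag_setuid_root
printf '%s\n' "$SAMPLE_LISTING" | flag_setuid_root
```

The group column matters because, as the advisory notes, membership in db2iadm1 or db2asgrp is what lets a non-root account reach the setuid binary in the first place; any extra member of those groups widens the set of accounts that can trigger the overflow.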


*Vulnerable Packages:*

IBM DB2 Universal Data Base v7.2 for Linux/x86 is vulnerable.
IBM DB2 Universal Data Base v7.2 for Linux/s390 is vulnerable.

Other IBM DB2 versions and target platforms were not available for testing, 
but may be vulnerable as well.


*Solution/Vendor Information/Workaround:*

[BID 8552, CAN-2003-0758]
The db2dart issue is fixed in Fixpak 10 for DB2 v7.2.

Fixpak 10 is available at:
http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report


[BID 8553, CAN-2003-0759]
The db2licm issue is fixed in Fixpak 10a for DB2 v7.2.

Fixpak 10a will soon be available at:
http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v7fphist.d2w/report

If Fixpak 10a is not yet available on this web page, you can download 
it from IBM's FTP site. For example, the 32-bit Intel Linux version of 
Fixpak 10a is located at:
ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2linuxv7/FP10a_U495179




*Credits:*

This vulnerability was found by Juan Pablo Martinez Kuhn from Core 
Security Technologies. 

We wish to thank Juan Manuel Pascual Escriba for his cooperation 
testing and confirming the vulnerabilities. We also wish to thank 
Scott Logan from IBM for his quick response to this issue.


*Technical Description - Exploit/Concept Code:*

The following tests are enough to confirm that a binary is vulnerable.
Executing these Perl one-liners should produce a segmentation fault in 
vulnerable binaries:

[BID 8552, CAN-2003-0758]

/home/db2as/sqllib/adm/db2dart `perl -e 'print "A"x1287'`

Segmentation fault


[BID 8553, CAN-2003-0759]

/home/db2as/sqllib/adm/db2licm `perl -e 'print "A"x999'`
...
User Response:  Enter the name of a file that exists and can be
opened and try the command again.

Segmentation fault
...

Both binaries suffer from a simple stack based buffer overflow.
Exploitation of the vulnerabilities is trivial. To confirm the 
exploitability, sample exploit code was developed for DB2 7.1 
binaries for the Linux operating system running on x86 and s390 
systems.
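The root cause named here, a fixed-size stack buffer filled from a command-line argument without a length check, is the pattern that the Fixpak removes. The following C program is an added example and is not code from DB2 or from the CORE advisory: it places the unbounded copy beside a bounded handler that measures the argument first and rejects anything that does not fit. The buffer sizes inside db2licm and db2dart are not published, so ARG_BUF_SIZE is an assumed illustrative value, and the helper that builds an argument of N bytes of 'A' simply mirrors the advisory's `perl -e 'print "A"xN'` reproducer.

```c
/* Added example, not code from IBM DB2 or the CORE advisory.  The advisory
 * reports that both binaries overflow a fixed-size stack buffer when handed a
 * long command-line argument; the real buffer sizes are not published, so
 * ARG_BUF_SIZE is an assumed value chosen only to illustrate the pattern. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF_SIZE 256   /* assumed; not the actual DB2 buffer size */

/* The vulnerable pattern: an unbounded copy of an argument into a stack
 * buffer.  strcpy() stops only at the terminating NUL, so an argument of
 * ARG_BUF_SIZE bytes or more writes past the buffer into the saved frame.
 * Shown for contrast only; nothing in this file calls it. */
void handle_arg_unbounded(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    strcpy(buf, arg);                /* overflows when strlen(arg) >= ARG_BUF_SIZE */
    printf("processing %s\n", buf);
}

/* Hardened form: measure first, reject what does not fit, and copy with an
 * explicit bound.  Returns 0 on success and -1 when the argument is missing
 * or too long for the destination buffer. */
int handle_arg_bounded(const char *arg, char *out, size_t out_size)
{
    size_t len;

    if (arg == NULL || out == NULL || out_size == 0)
        return -1;
    len = strlen(arg);
    if (len >= out_size)             /* leave room for the terminating NUL */
        return -1;
    memcpy(out, arg, len + 1);       /* len + 1 <= out_size by the check above */
    return 0;
}

/* Self-test helper: build an n-byte argument of 'A's, as the advisory's
 * perl -e 'print "A"xN' reproducer does, and run it through the bounded
 * handler.  Returns the handler's result (0 accepted, -1 rejected). */
int bounded_copy_of_n_bytes(size_t n)
{
    char out[ARG_BUF_SIZE];
    char *arg = malloc(n + 1);
    int rc;

    if (arg == NULL)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    rc = handle_arg_bounded(arg, out, sizeof out);
    free(arg);
    return rc;
}

int main(int argc, char **argv)
{
    char buf[ARG_BUF_SIZE];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    if (handle_arg_bounded(argv[1], buf, sizeof buf) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", ARG_BUF_SIZE - 1);
        return 1;
    }
    printf("processing %s\n", buf);
    return 0;
}
```

With the assumed 256-byte buffer, the 999-byte and 1287-byte arguments from the reproducers above are rejected with an error message instead of corrupting the stack; the length check is the whole fix, and it is the check to look for when reviewing any setuid program that copies argv into a local array.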

*About Core Security Technologies*

Core Security Technologies develops strategic security solutions for 
Fortune 1000 corporations, government agencies and military organizations. 
The company offers information security software and services designed to 
assess risk and protect and manage information assets.

Headquartered in Boston, MA, Core Security Technologies can be reached 
at 617-399-6980 or on the Web at http://www.coresecurity.com.

To learn more about CORE IMPACT, the first comprehensive penetration 
testing framework, visit:
http://www.coresecurity.com/products/coreimpact


*DISCLAIMER:*

The contents of this advisory are copyright (c) 2003 CORE Security 
Technologies and may be distributed freely provided that no fee is 
charged for this distribution and proper credit is given.

[***** End CORE Security Technologies CORE-2003-0531 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CORE Security Technologies for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-144: Microsoft Visual Basic Buffer Overrun Vulnerability
N-145: Microsoft Access Snapshot View Buffer Overrun Vulnerability
N-146: Apache 2.0.47 Release Fixes Security Vulnerabilities
N-147: Hewlett Packard Potential Security Vulnerability B.11.11 DCE
N-148: Sun Security Issue Involving the Solaris sadmind(1M) Daemon
N-149: Sendmail 8.12.9 Prescan Bug
N-150: Red Hat Updated KDE packages fix security issues
N-151: OpenSSH Buffer Management Error
N-152: Real Networks Streaming Server Vulnerability
N-153: New Worms and Helpful Computer Users



