SecurityTracker.com
Category:   Application (Database)  >   IBM DB2
Vendors:   IBM
IBM DB2 Database Buffer Overflow in 'db2ckpw' Lets Local Users Gain Root Access on the System
SecurityTracker Alert ID:  1004352
SecurityTracker URL:  http://securitytracker.com/id/1004352
CVE Reference:   CAN-2002-1583
Updated:  Aug 20 2004
Original Entry Date:  May 22 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6, 7
Description:   A buffer overflow vulnerability was reported in IBM's DB2 database. A local user can gain root access on the system.

IBM reported that there is a buffer overflow in the 'sqllib/security/db2ckpw' file that is used to verify usernames and passwords. A local user can supply a username that is longer than 8 characters to trigger the overflow and possibly cause arbitrary code to be executed. Because 'db2ckpw' is configured with set user id (suid) root privileges, the code will run with root level privileges.

Impact:   A local user can execute arbitrary code on the system with root privileges to gain root level access on the operating system.
Solution:   The vendor has released FixPaks:

For DB2, version 6, download and apply DB2 v6.1, FixPak 10 (use FixPak 10 version released after 6 March 2002).

For DB2, version 7, download and apply DB2, v7.2, FixPak 6.

These FixPaks can be downloaded from:

DB2 v7:
http://www-4.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report#V7

DB2 v6:
http://www-4.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report#V6

Vendor URL:  www.ibm.com/software/data/db2/udb/
Cause:   Boundary error
Underlying OS:   UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS)

Message History:   None.
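
The boundary error described above comes down to a setuid program trusting its caller to enforce a length limit. As an added example (not IBM's code and not part of the original advisory), the reader below enforces the 8-character username bound inside the privileged program itself; the NUL-terminated field framing, `read_field`, `check_username_bytes` and the sample usernames are assumptions made for illustration, since the advisory does not describe db2ckpw's input format.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define USER_MAX 8  /* username limit stated in the advisory */

/* Read one NUL-terminated field from fd into out (cap bytes, terminator
 * included). Returns the field length, or -1 on error, early EOF or an
 * oversize field. The bound is checked here, inside the privileged
 * program, instead of being left to the client library. */
static int read_field(int fd, char *out, size_t cap)
{
    size_t n = 0;
    for (;;) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            break;                /* error, or EOF before the terminator */
        if (c == '\0') {
            out[n] = '\0';
            return (int)n;
        }
        if (n + 1 >= cap)
            break;                /* next byte would not fit: reject */
        out[n++] = c;
    }
    memset(out, 0, cap);          /* fail closed, keep no partial name */
    return -1;
}

/* Demo harness (hypothetical): feed constructed bytes through a pipe,
 * standing in for the descriptor the checker is handed, and return the
 * reader's verdict. Returns -2 if the pipe itself cannot be set up. */
int check_username_bytes(const char *bytes, size_t len)
{
    char user[USER_MAX + 1];
    int p[2], rc;
    if (pipe(p) != 0)
        return -2;
    if (write(p[1], bytes, len) != (ssize_t)len) { close(p[0]); close(p[1]); return -2; }
    close(p[1]);
    rc = read_field(p[0], user, sizeof user);
    close(p[0]);
    return rc;
}

int main(void)
{
    printf("%d\n", check_username_bytes("db2inst1", 9));        /* constructed: 8 chars + NUL */
    printf("%d\n", check_username_bytes("db2instance01", 14));  /* constructed: 13 chars + NUL */
    return 0;
}
```

An oversize or unterminated field is rejected before any byte is written past the buffer, so the limit holds no matter which program supplies the descriptor.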


 Source Message Contents

Date:  Wed, 22 May 2002 00:57:24 -0400
Subject:  IBM OAR [Other Advisories]: Buffer overflow vulnerability in DB2 for



Subject: IBM OAR [Other Advisories]: Buffer overflow vulnerability in DB2 for AIX, Linux, Solaris, and HP-UX


                            IBM Global Services
                         Managed Security Services
                      Outside Advisory Redistribution

10 MAY 2002  14:46 GMT                             
MSS-OAR-E01-2002:318.1
===========================================================================
The MSS Outside Advisory Redistribution is designed to provide customers of
IBM Managed Security Services with access to the security advisories sent
out by other computer security incident response teams, vendors, and other
groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents
or accuracy of the advisories themselves.

IBM MSS is forwarding the following information from IBM. Contact
information for IBM is included in the forwarded text below. Please contact
them if you have any questions or need further information.
===========================================================================
----------- Forwarded Information Starts Here.

IBM SECURITY ADVISORY

Wed May 08 13:29:22 CDT 2002
=========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:    Buffer overflow vulnerability in DB2 for AIX, Linux,
                  Solaris, and HP-UX

PLATFORMS:        DB2, versions 6 and 7, running on AIX, all versions

SOLUTION:         Apply the FixPaks, listed in this Advisory

THREAT:           Malicious user can gain root privileges

CERT Advisory:    NONE

=========================================================================
                           DETAILED INFORMATION

I.  Description

A security vulnerability was discovered in versions 6 and 7 of DB2 that runs
on IBM AIX, Linux implementations, SUN Solaris, and HP's HP-UX.
Specifically, this is a buffer overflow condition in
sqllib/security/db2ckpw.

"db2ckpw" is an executable that runs as SUID (setuserid) root; DB2 uses the
returns of this executable to verify usernames and passwords.

It takes a file descriptor as its argument and then reads username and
password information from that file descriptor. The buffer overflow occurs
while processing the username.  The db2 client is trusted to make sure that
the username is 8 characters or less.  By bypassing the db2 client libraries
and sending info directly to db2ckpw, one can overflow the username buffer
and execute arbitrary code as root.

II. Impact

Unauthorized privilege escalation (possibly to root) and execution of
arbitrary code.


III.  Solutions


      Workaround

      There is no workaround.


      Official fix

Customers are urged to immediately obtain the appropriate FixPak listed
below and apply it to their systems.

If you are running DB2, version 6, you need to download and apply DB2 v6.1,
FixPak 10 (use FixPak 10 version released after 6 March 2002).

If running DB2, version 7, download and apply DB2, v7.2, FixPak 6.

These FixPaks can be downloaded from:

DB2 v7:
http://www-4.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report#V7

DB2 v6:
http://www-4.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report#V6



IV.  Contact Information

Comments regarding the content of this announcement can be directed to:

   security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX security
vulnerabilities, send email to:

   security-alert@austin.ibm.com

with a subject of "get key".


If you would like to subscribe to the AIX security newsletter, send a note
to aixserv@austin.ibm.com with a subject of "subscribe Security".

To cancel your subscription, use a subject of "unsubscribe Security". To see
a list of other available subscriptions, use a subject of "help".

IBM and AIX are a registered trademark of International Business Machines
Corporation.  All other trademarks are property of their respective holders.

----------- Forwarded Information Ends Here.