SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   IBM DB2 Vendors:   IBM
IBM DB2 Buffer Overflow in auth_list_groups_for_authid() Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018640
SecurityTracker URL:  http://securitytracker.com/id/1018640
CVE Reference:   CVE-2007-4423   (Links to External Site)
Updated:  Apr 15 2008
Original Entry Date:  Aug 31 2007
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.1 prior to Fix Pack 3
Description:   A vulnerability was reported in IBM DB2. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send specially crafted data to trigger a buffer overflow in the auth_list_groups_for_authid() function and execute arbitrary code on the target system. The code will run with the privileges of the target service.

On Windows-based systems, the code will run with Administrator privileges.

A value longer than 40 bytes can trigger the overflow.

Ariel Sanchez of Application Security Inc. discovered this vulnerability.

The original advisory is available at:

http://www.appsecinc.com/resources/alerts/db2/2007-01.shtml

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix (APAR IZ01828, 9.1 Fix Pack 3).

The IBM advisory is available at:

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ01828

Vendor URL:  www-1.ibm.com/support/docview.wss?uid=swg1IZ01828 (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Team SHATTER Advisory: IBM DB2 Buffer overflow in sysproc.auth_list_groups_for_authid

This is a multi-part message in MIME format.
--------------090802080906000506010507
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AppSecInc Team SHATTER Security Advisory

IBM DB2 Buffer overflow in sysproc.auth_list_groups_for_authid

August 31st 2007

Risk Level:
High

Affected versions:
DB2 9.1 Fixpack 2 Enterprise server edition

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Ariel Sanchez of
Application Security Inc.

Details:
Buffer overflow on sysproc.auth_list_groups_for_authid function. By
passing an overly long value of more then 40-bytes to the
auth_list_groups_for_authid function, a stack-based buffer can be
overflowed.

OS:
Windows 2003 sp1

Install options:
DB2 Installed with all defaults but with Notifications disabled

Impact:
An attacker can use this to cause a denial of service or take complete
control of an affected system.

Vendor Status:
Vendor was contacted and a patch was released.

Fix:
To fix the problem apply the fixpak 3 for DB2 version 9.1
http://www-306.ibm.com/software/data/db2/support/db2_9/

APAR:
IZ01828

Links:
Application Security, Inc advisory:
http://www.appsecinc.com/resources/alerts/db2/2007-01.shtml
IBM APAR: http://www-1.ibm.com/support/docview.wss?uid=swg1IZ01828

- --
_____________________________________________
Copyright (C) 2007 Application Security, Inc.
http://www.appsecinc.com


Application Security, Inc's database security solutions have helped over
900 organizations secure their databases from all internal and external
threats while also ensuring that those organizations meet or exceed
regulatory compliance and audit requirements.


Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFG2IDF9EOAcmTuFN0RAt6tAJ9arf9xanUeGqz2E+TNrAS8yq/zrwCfY8zJ
BBg5ivM9AHbNnsUxjnLNb3s=
=Qiy1
-----END PGP SIGNATURE-----

--------------090802080906000506010507
Content-Type: application/pgp-keys;
 name="0x64EE14DD.asc"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="0x64EE14DD.asc"

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (MingW32)

mQGiBEWAUVwRBACEG29buZQSuLf2SYbTta43vwYucTwd4NA+tpgMNCyYhZPTZLGD
ra+Mg+Sj3Mv6RFQjMflKJkz0P/jnfCOqVyJWTIFdouvWh9fTU4XBikUdtU+3ZLmO
YvLAehJHMZqLUXd+wxcC+T/7qFioBoxVfZkfUfyXu2rdL6MRClGNp7w+twCg3D/f
lD8DT5Tls08gpMwAt3w6L+MD/1Qfn1vkOjo9WtDdKSodJ1Gz6XjRE4epZi2GqN5T
8dnC+4vmg8j8t9eQgkDa+kZ7Ke6MYbh69XthB9Jb3u+gNzhqHqNWZizOQH5IBYOD
orki10llvU4tEOaqWbZ0R//Z7vRmA5hPcczA8KMvHjqQGUbccasVswPiBMJIhXwj
dZqLA/99kpdCcxTKYZeW0o459BciJQULWyr6q7x6E1tjuhOFMeB6B+M4cLI50nkW
4+GXlgGbiQqO4eC9j3pkcmLXeZECLKKB5/sjixoorHBVUICrn0260ZkSbTNv9TyQ
DY1OJDwzOESNbnFiVxkDvLo3lssSlAR3i18rf3QSTepUNnkgALQkVGVhbSBTSEFU
VEVSIDxzaGF0dGVyQGFwcHNlY2luYy5jb20+iGYEExECACYFAkWAUVwCGyMFCQlm
AYAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRD0Q4ByZO4U3WgWAJ9EjeTQI058
R1H1cG5nG08OijKi0QCfWRk3gCo/VJwDUZZTRu4ZAPAH6Nu5Ag0ERYBRZRAIAODL
A0pnKYiMIcRZLSpXmbSNSn8b7R91COkTjIGH85mR10e5406T37eh/Y3GViEe9WRY
phRf611ELeeiPsd9B6vCJzv5WNkVSk4n7WLfDjMkWWFZezeNDUKL3EsggR/xEWAD
yjvf4KVY6R2mLuk+oROoBGoY5028b6A+UmTiXh+0LdBxWoFHnYSXjfSXVUA+UoVV
uiews20akOgtwTcaVFg4w1eNyI59WtBWIomYpQSzc/LXcBfjGpcb+gqTUieFrBDI
IZVdu2LfaCaiRxse3KpZ89sGQDE6hBMvs8MbveRK71ZWH9fQI8jLg9KYOMtOzgJR
PqwGE7ub7TsF0CQQet8AAwUIANgKq9nxGjkq+2Bto6sBtzeGPm+9bAYaAxVtggeC
XR0/+i1B8L/OUA0m68Z2O0ZazXNQyl/xVBnHdVsg/Enxht3BxkU3/79pYLFuSiut
YAtdeIHVDwr4qqPfccEFUSKRWyclXHrwfPnDIcsaFIVyWMJ9OPQDJPcF5TXFBdY+
nh9bNPSCSpeDsXZqC9C5t3AkAOebCBDtncTxM5cg2kdzqfFo6+eg40RT95A+VHfj
GpRJPodT1RpvqqUQUnfl74jPm4VMymlSpHD7CUdhrbxDCCTpU3/U3lCyK78zuHGy
ENhPsKGtbb0Q22RsD1agTnm3Ou6ffPQl8W2H0RJnbA//JeGITwQYEQIADwUCRYBR
ZQIbDAUJCWYBgAAKCRD0Q4ByZO4U3XApAKCfBsYVhoZlRdqpPr6aIAyj4niJUgCg
mbaBonhsctYLDlaAchDUXapQE8k=
=sBRf
-----END PGP PUBLIC KEY BLOCK-----




--------------090802080906000506010507--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC