IBM DB2 db2dasrrm File Creation and Privilege Escalation Vulnerabilities - Security


Editor Login \| Register		Ekle

> World > Security

IBM DB2 db2dasrrm File Creation and Privilege Escalation Vulnerabilities - Security - World -

CWRedLight

(Date : 16.04.2008 22:00:43)

IBM DB2 db2dasrrm File Creation and Privilege Escalation Vulnerabilities

Secunia Advisory:	SA29784
Release Date:	2008-04-16

Critical:	Less critical
Impact:	Manipulation of data Privilege escalation
Where:	Local system
Solution Status:	Vendor Patch

Software:	DB2 Universal Database 8.x IBM DB2 for Linux UNIX and Windows 9.x

CVE reference:	CVE-2007-5664 (Secunia mirror) CVE-2007-5758 (Secunia mirror)

Description:
Two vulnerabilities have been reported in IBM DB2, which can be exploited by malicious, local users to perform certain actions with escalated privileges or gain escalated privileges.

1) A boundary error within the set-uid root db2dasrrm program can be exploited to cause a stack-based buffer overflow by setting the DASPROF environment variable to a specially crafted, overly long string.

Successful exploitation allows execution of arbitrary code with root privileges.

2) The "dasRecoveryIndex", "dasRecoveryIndex.tmp", ".dasRecoveryIndex.lock", and "dasRecoveryIndex.cor" files are created insecurely when the db2dasrrm program is started. This can be exploited via symlink attacks to overwrite arbitrary files with root privileges.

Successful exploitation requires access to an account that is allowed to start and stop the DB2 Administration Server (e.g. "dasusr1" or the "db2adm1" group).

The vulnerabilities are reported in version 9.1 (Fix Pack 4 and Fix Pack 3) on Linux. Other versions may also be affected.

Do you have this product installed on your home computer? Scan using the free Personal Software Inspector. Check if a vulnerable version is installed on computers in your corporate network, scan using the Network Software Inspector.

Solution:
Update to the latest versions.

Version 8 FixPak 16:
http://www-1.ibm.com/support/docview.wss?uid=swg21256235

Version 9.1 Fix Pack 4a:
http://www-1.ibm.com/support/docview.wss?uid=swg21255572

Version 9.5 Fix Pack 1:
http://www-1.ibm.com/support/docview.wss?uid=swg21287889

Provided and/or discovered by:
1) Discovered by an anonymous person and reported via iDefense Labs.
2) Joshua J. Drake, iDefense Labs.

Original Advisory:
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=689
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=688

Derecelendir

Kaynak

http://secunia.com/advisories/29784/

İçerik İhbarı

Bağlantılar: bilgininefendisi.net

Open Source Document Project

AUP&TOS