
Bugtraq mailing list archives
IBM DB2 Windows Permission Problems (#NISR05012005F)
From: "NGSSoftware Insight Security Research" <nisr () nextgenss com>
Date: Wed, 5 Jan 2005 17:52:11 -0000

NGSSoftware Insight Security Research Advisory

Name: IBM DB2 Windows Permission Problems
Systems Affected: DB2 8.1
Severity: High risk from local
Vendor URL: http://www.ibm.com/
Author: Chris Anley [ chris at ngssoftware.com ]
Relates to: http://www.ngssoftware.com/advisories/db2-02.txt
Date of Public Advisory: 5th January 2005
Advisory number: #NISR05012005F
Advisory URL: http://www.ngssoftware.com/advisories/db205012005F.txt

Description
***********

Almost all shared memory sections and events in the Windows version of
DB2 have weak permissions; all sections can be read and written by
Everyone, and all events can be set and waited on by Everyone. This
results in a number of security issues relating to the privileges of
local users.

Details
*******

The numbers below are NGS BUGID reference numbers mentioned in
http://www.ngssoftware.com/advisories/db2-02.txt

107) Depending on the server's authentication mode, any user can read
plaintext windows usernames and passwords from the
'DB2SHMSECURITYSERVICE' section. If the authentication mode is 'client',
the username and password combinations for all client connections can be
read from this section.

The data in this section persists until another connection is made.

108) Any user can shut down DB2, by setting the event named
'DB2SHUTDOWNSEM' + pid, for example

DB2SHUTDOWNSEM000002ec

109) Any user can DOS the "DB2 Security Server", by writing non-zero
values to the section 'DB2SHMSECURITYSERVICE', followed by setting the
security service 'input' event, to make the service read the input data:

DB2NTSECURITYINPUT

The service will then crash.

110) Any user can read potentially sensitive query and/or query result
data from a number of shared memory sections. The following sections are
marked readable by 'Everybody'

section read DB20QM
section read DB2GLBQ0QM
section read DB2SHMDB2_0APP
section read DB2SHMDB2_0APL00000003
section read DB2SHMDB2_0APL00000004
section read DB2SHMDB2_0APL00000005
...etc

111) After writing to the world-writeable section 'DB20QM':

section write DB20QM

... the DB2 'command line processor' will not run, nor will the 'command
center', the server has effectively been DOSsed.

Fix Information
***************

IBM has written a patch and can be obtained with the latest fixpak.

http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2 v8.1
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2 v7.x

NGSSQuirreL for DB2 (http://www.ngssoftware.com/db2.htm) can be used to
assess whether your DB2 server is vulnerable to this.

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries () ngssoftware com
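
An added example, not part of the NGSSoftware advisory: a Python check for the weakness class described above, flagging named sections and events whose DACL lets Everyone read/write or set/wait. The SDDL strings are constructed samples (the advisory does not publish the actual descriptors), only the object names come from the advisory, and only allow ACEs with hex masks or GA are decoded.

```python
import re

# Object-specific access bits from the Windows SDK headers.
RIGHTS = {
    "section": {"read": 0x0004, "write": 0x0002},   # SECTION_MAP_READ, SECTION_MAP_WRITE
    "event": {"set": 0x0002, "wait": 0x00100000},   # EVENT_MODIFY_STATE, SYNCHRONIZE
}
GENERIC_ALL = 0x10000000
EVERYONE = {"WD", "S-1-1-0"}                        # SDDL alias and SID string for Everyone
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))*)")  # DACL flags, then the ACE list
ACE_RE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def everyone_rights(kind, sddl):
    """Rights that allow-ACEs grant to Everyone on a 'section' or 'event'."""
    m = DACL_RE.search(sddl)
    found = set()
    for ace_type, rights, sid in ACE_RE.findall(m.group(1) if m else ""):
        if ace_type != "A" or sid not in EVERYONE:
            continue                                # deny ACEs are not evaluated here
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        elif rights == "GA":
            mask = GENERIC_ALL
        else:
            found.add("review:" + rights)           # symbolic rights left for manual review
            continue
        found.update(n for n, bit in RIGHTS[kind].items() if mask & (bit | GENERIC_ALL))
    return sorted(found)

def audit(objects):
    """Map object name -> Everyone's rights, for objects where that list is non-empty."""
    return {name: r for kind, name, sddl in objects if (r := everyone_rights(kind, sddl))}

# Constructed descriptors; only the object names come from the advisory.
SAMPLES = [
    ("section", "DB2SHMSECURITYSERVICE", "D:(A;;0x000f001f;;;WD)"),
    ("event", "DB2NTSECURITYINPUT", "D:(A;;0x001f0003;;;WD)"),
    # Constructed tighter descriptor for contrast: SYSTEM and Administrators only.
    ("section", "DB20QM", "O:BAG:SYD:(A;;0x000f001f;;;SY)(A;;0x000f001f;;;BA)"),
]

if __name__ == "__main__":
    for name, rights in audit(SAMPLES).items():
        print(f"{name}: Everyone may {', '.join(rights)}")
```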
