In association with heise online

17 August 2007, 11:52

Privilege elevation with IBM's DB2


Security service provider iDefense has reported multiple vulnerabilities in IBM's DB2 database server. Local users can exploit the vulnerabilities to gain system administrator privileges. IBM has provided fix packs to eliminate the vulnerabilities reported by iDefense as well as additional faults.

DB2 relies on operating system path variables to search for and load executable files and libraries. A local attacker can, however, change these variables so that an attacker-controlled directory is searched first. Similar vulnerabilities allow the creation of files and directories with elevated privileges. Some of the server's executables that run with setuid root don't properly validate the environment variable that names the temporary directory in which they create their log files. This enables attackers to perform a directory traversal attack by injecting ../ entries. Furthermore, local users can exploit a race condition to modify a symbolic link in the file system and thereby gain access to files with root privileges.
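The three weaknesses described above (caller-controlled search paths, an unvalidated temporary-directory variable, and a symbolic link swapped in before a privileged file is created) can be closed in a setuid helper as in the following added example, which is not IBM's code and not part of the original report. The variable name APP_TMPDIR, the file name server.log and the value of SAFE_PATH are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L      /* O_NOFOLLOW, O_DIRECTORY, openat, setenv */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SAFE_PATH "/usr/bin:/bin"    /* assumed trusted directories */

/* Discard caller-controlled search paths before anything is executed or loaded. */
int reset_search_path(void) {
    unsetenv("LD_LIBRARY_PATH");
    return setenv("PATH", SAFE_PATH, 1);
}

/* Return 1 only for an absolute path that has no "." or ".." component. */
int tmpdir_is_safe(const char *dir) {
    if (dir == NULL || dir[0] != '/' || strlen(dir) >= 4096)
        return 0;
    for (const char *p = dir; *p != '\0'; ) {
        while (*p == '/') p++;                    /* skip separators */
        size_t n = strcspn(p, "/");               /* length of this component */
        if ((n == 1 && p[0] == '.') || (n == 2 && p[0] == '.' && p[1] == '.'))
            return 0;
        p += n;
    }
    return 1;
}

/* Create a new log file in dir; return its descriptor, or -1 on any doubt. */
int open_log(const char *dir, const char *name) {
    if (!tmpdir_is_safe(dir) || name == NULL || *name == '\0' || strchr(name, '/'))
        return -1;
    /* Pin the directory; O_NOFOLLOW rejects a symlink as its final component. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* O_EXCL fails if the name exists, even as a symlink, so a planted link is never followed. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;
}

int main(void) {
    reset_search_path();
    const char *dir = getenv("APP_TMPDIR");       /* hypothetical variable name */
    int fd = open_log(dir ? dir : "/var/tmp", "server.log");
    if (fd >= 0) close(fd);
    return fd < 0;
}
```

A privileged program would additionally check the ownership and mode of the pinned directory with fstat() and drop privileges before writing to the log.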

The provided fix packs also remedy other vulnerabilities. These allow users of DB2 Version 8, for instance, to execute methods even after their privileges have been revoked, until the cached authorisations have been deleted. The summaries for the fix packs list all of the eliminated vulnerabilities. The vulnerabilities affect IBM's DB2 versions 8 and 9. IBM provides fix pack 15 for DB2 8 and fix pack 3 for DB2 9, which eliminate the vulnerabilities. DB2 server administrators should install the fix packs and restrict database server access to trustworthy users.
