Vulnerabilities > CVE-2007-4270 - Multiple Unspecified vulnerability in IBM DB2 Universal Database

CVSS 6.9 - MEDIUM

Attack vector

LOCAL

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

ibm

nessus

NVD

Published: 2007-08-18

Updated: 2017-07-29

Summary

Multiple race conditions in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allow local users to gain root privileges via a symlink attack on certain files.

Vulnerable Configurations

Part	Description	Count
Application	Ibm IBM DB2 Universal Database *	2

Nessus

NASL family	Databases
NASL id	DB2_9FP3.NASL
description	According to its version, the installation of IBM DB2 running on the remote host is affected by one or more of the following issues : - A local user may be able to overwrite arbitrary files, create arbitrary world-writeable directories, or gain root privileges via symlink attacks or specially crafted environment variables. (IY98210 / IY99261) - A user may be able to continue to execute a method even once privileges for the method have been revoked. (IY88226, version 8 only) - There is an unspecified issue allowing for privilege elevation when DB2
last seen	2020-06-01
modified	2020-06-02
plugin id	25905
published	2007-08-20
reporter	This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/25905
title	IBM DB2 < 9 Fix Pack 3 / 8 Fix Pack 15 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(25905); script_version("1.34"); script_cvs_date("Date: 2018/11/15 20:50:21"); script_cve_id("CVE-2007-2582", "CVE-2007-4270", "CVE-2007-4271", "CVE-2007-4272", "CVE-2007-4273", "CVE-2007-4275", "CVE-2007-4276", "CVE-2007-4417", "CVE-2007-4418", "CVE-2007-4423"); script_bugtraq_id(23890, 25339, 26010); script_name(english:"IBM DB2 < 9 Fix Pack 3 / 8 Fix Pack 15 Multiple Vulnerabilities"); script_summary(english:"Checks DB2 signature."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the installation of IBM DB2 running on the remote host is affected by one or more of the following issues : - A local user may be able to overwrite arbitrary files, create arbitrary world-writeable directories, or gain root privileges via symlink attacks or specially crafted environment variables. (IY98210 / IY99261) - A user may be able to continue to execute a method even once privileges for the method have been revoked. (IY88226, version 8 only) - There is an unspecified issue allowing for privilege elevation when DB2 'execs' executables while running as root. (IY98206 / IY98176) - There is an unspecified vulnerability related to incorrect authorization routines. (JR25940, version 8 only) - There is an unspecified vulnerability in 'AUTH_LIST_GROUPS_FOR_AUTHID'. (IZ01828, version 9.1 only) - There is an unspecified vulnerability in the 'db2licm' and 'db2pd' tools. (IY97922 / IY97936) - There is an unspecified vulnerability involving 'db2licd' and the 'OSSEMEMDBG' and 'TRC_LOG_FILE' environment variables. (IY98011 / IY98101) - There is a buffer overflow involving the 'DASPROF' environment variable. (IY97346 / IY99311) - There is an unspecified vulnerability that can arise during instance and FMP startup. (IZ01923 / IZ02067) - The DB2JDS service may allow for arbitrary code execution without the need for authentication due to a stack overflow in an internal sprintf() call. (IY97750, version 8 only) - The DB2JDS service is affected by two denial of service issues that can be triggered by packets with an invalid LANG parameter or a long packet, which cause the process to terminate (version 8 only). Note that there is currently insufficient information to determine to what extent the first set of issues overlaps the others." ); script_set_attribute(attribute:"see_also", value:"https://www.trustwave.com/Company/AppSecInc-is-now-Trustwave/"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/Aug/313"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/Aug/314"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/Aug/315"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/Aug/316"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/Aug/317"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/Aug/318"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/Aug/319"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2007/Oct/153"); script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21255607"); script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg21255352"); script_set_attribute(attribute:"solution", value: "Apply IBM DB2 version 9 Fix Pack 3 / 8.1 Fix Pack 15 / 8.2 Fix Pack 8 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(22, 119, 134); script_set_attribute(attribute:"plugin_publication_date", value: "2007/08/20"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("db2_das_detect.nasl"); script_require_ports("Services/db2das", 523); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("db2_report_func.inc"); port = get_service(svc:'db2das', default:523, exit_on_fail:TRUE); level = get_kb_item_or_exit("DB2/"+port+"/Level"); if ( level !~ '^9\\.[01]\\.' && level !~ '^([0-7]\\.\|8\\.[01])' ) exit(0, "The version of IBM DB2 listening on port "+port+" is not 9.0, 9.1, or less than or equal to 8.1.x and thus is not affected."); platform = get_kb_item_or_exit("DB2/"+port+"/Platform"); platform_name = get_kb_item("DB2/"+port+"/Platform_Name"); if (isnull(platform_name)) { platform_name = platform; report_phrase = "platform " + platform; } else report_phrase = platform_name; vuln = FALSE; # Windows x86 if (platform == 5) { if (level =~ '^9\\.') { fixed_level = '9.1.300.257'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } else { fixed_level = '8.1.15.254'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } } else if (platform == 18) { if (level =~ '^9\\.') { fixed_level = '9.1.0.3'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } else { if (level =~ '^8\\.1\\.0\\.') fixed_level = '8.1.0.136'; else fixed_level = '8.1.2.136'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } } else { info = 'Nessus does not support version checks against ' + report_phrase + '.\n' + 'To help us better identify vulnerable versions, please send the platform\n' + 'number along with details about the platform, including the operating system\n' + 'version, CPU architecture, and DB2 version to [email protected].\n'; exit(1, info); } if (vuln) { report_db2( severity : SECURITY_HOLE, port : port, platform_name : platform_name, installed_level : level, fixed_level : fixed_level); } else exit(0, "IBM DB2 "+level+" on " + report_phrase + " is listening on port "+port+" and is not affected.");

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 25339 CVE(CAN) ID: CVE-2007-4270,CVE-2007-4271,CVE-2007-4272,CVE-2007-4273,CVE-2007-4275,CVE-2007-4276 IBM DB2是一个大型的商业关系数据库系统，面向电子商务、商业资讯、内容管理、客户关系管理等应用，可运行于AIX、HP-UX、Linux、Solaris、Windows等系统。 IBM DB2的多个工具实现上存在漏洞，本地攻击者可能利用这些漏洞提升自己的权限。 IBM DB2在处理拥有提升权限的文件时没有执行充分的检查，导致在判断现有文件是否为符号链接和修改文件之间存在竞争条件。如果攻击者能够迅速并反复的重新创建符号链接文件，就可能以root用户权限修改任意文件。一些以setuid-root安装的DB2二进制程序会将事件信息保存到日志文件。在创建到目标文件的完整路径时，会将/tmp/连接到环境变量上。由于没有对环境变量中的路径遍历字符串（如../）执行检查，因此攻击者可以通过目录遍历攻击在系统上创建任意文件。 IBM DB2在处理拥有提升权限的文件时没有执行充分的检查，攻击者可以结合环境变量在系统上创建或附加任意文件。 DB2中所捆绑的一些setuid二进制程序没有安全的创建目录，在创建特定的目录结构时会跟随攻击者特制的符号链接，导致在文件系统中的任意位置创建完全可写的目录。 DB2可能允许在不可信任的路径中执行二进制程序或加载函数库，生成二进制程序或函数库的路径是基于攻击者控制的环境变量的；此外所要执行或加载的文件也是位于攻击者控制的目录中。 DB2没有对用户提供数据的长度执行充分的验证，如果攻击者通过某些环境变量指定了特制的字符串的话，就可能将字符串拷贝到栈上所存储的静态大小缓冲区，触发栈溢出并执行任意指令。 IBM DB2 Universal Database 9.1 IBM DB2 Universal Database 8.0 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href="http://www-1.ibm.com/support/docview.wss?uid=swg1IY88226" target="_blank">http://www-1.ibm.com/support/docview.wss?uid=swg1IY88226</a> <a href="http://www-1.ibm.com/support/docview.wss?uid=swg1JR25940" target="_blank">http://www-1.ibm.com/support/docview.wss?uid=swg1JR25940</a> <a href="http://www-1.ibm.com/support/docview.wss?uid=swg21255352" target="_blank">http://www-1.ibm.com/support/docview.wss?uid=swg21255352</a> <a href="http://www-1.ibm.com/support/docview.wss?uid=swg21255607" target="_blank">http://www-1.ibm.com/support/docview.wss?uid=swg21255607</a>
id	SSV:2138
last seen	2017-11-19
modified	2007-08-19
published	2007-08-19
reporter	Root
title	IBM DB2 Universal Database多个本地安全漏洞

Summary

Vulnerable Configurations

Nessus

Seebug

References