Vulnerabilities > CVE-2011-4061 - Unspecified vulnerability in IBM DB2 and Tivoli Monitoring for Databases

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
ibm
nessus

Summary

Multiple untrusted search path vulnerabilities in (1) db2rspgn and (2) kbbacf1 in IBM DB2 Express Edition 9.7, as used in the IBM Tivoli Monitoring for Databases: DB2 Agent, allow local users to gain privileges via a Trojan horse libkbb.so in the current working directory, related to the DT_RPATH ELF header.

Vulnerable Configurations

Part Description Count
Application
Ibm
2

Nessus

NASL familyDatabases
NASL idDB2_97FP6.NASL
descriptionAccording to its version, the installation of DB2 9.7 running on the remote host is prior to Fix Pack 6. It is, therefore, affected by multiple vulnerabilities : - A local user can exploit a vulnerability in the bundled IBM Tivoli Monitoring Agent (ITMA) to escalate their privileges. (CVE-2011-4061) - An authorized user with
last seen2020-06-01
modified2020-06-02
plugin id59904
published2012-07-10
reporterThis script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/59904
titleIBM DB2 9.7 < Fix Pack 6 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59904);
  script_version("1.13");
  script_cvs_date("Date: 2018/07/06 11:26:06");

  script_cve_id(
    "CVE-2011-4061",
    "CVE-2012-0709",
    "CVE-2012-0711",
    "CVE-2012-0712",
    "CVE-2012-0713",
    "CVE-2012-2180"
  );
  script_bugtraq_id(51181, 52326, 53873);

  script_name(english:"IBM DB2 9.7 < Fix Pack 6 Multiple Vulnerabilities");
  script_summary(english:"Checks DB2 signature.");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by multiple vulnerabilities.");

  script_set_attribute(attribute:"description", value:
"According to its version, the installation of DB2 9.7 running on the
remote host is prior to Fix Pack 6. It is, therefore, affected by
multiple vulnerabilities :

  - A local user can exploit a vulnerability in the bundled
    IBM Tivoli Monitoring Agent (ITMA) to escalate their
    privileges. (CVE-2011-4061)

  - An authorized user with 'CONNECT' and 'CREATEIN'
    privileges on a database can perform unauthorized
    reads on tables. (CVE-2012-0709)

  - An unspecified error in the DB2 Administration Server
    (DAS) can allow remote privilege escalation or denial
    of service via unspecified vectors. Note that this
    issue does not affect Windows hosts. (CVE-2012-0711)

  - An authorized user with 'CONNECT' privileges from
    'PUBLIC' can cause a denial of service via unspecified
    methods related to DB2's XML feature. (CVE-2012-0712)

  - An unspecified information disclosure error exists
    related to the XML feature that can allow improper
    access to arbitrary XML files. (CVE-2012-0713)

  - An error exists related to the Distributed Relational
    Database Architecture (DRDA) that can allow denial of
    service conditions when processing certain request.
    (CVE-2012-2180)");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC79274");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC80729");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC81380");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC81390");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC81462");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IC82234");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21450666");
  script_set_attribute(attribute:"solution", value:"Apply IBM DB2 version 9.7 Fix Pack 6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/10");

  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("db2_das_detect.nasl");
  script_require_ports("Services/db2das", 523);

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");
include("db2_report_func.inc");

port = get_service(svc:"db2das", default:523, exit_on_fail:TRUE);

level = get_kb_item_or_exit("DB2/"+port+"/Level");
if (level !~ "^9\.7\.") exit(0, "The version of IBM DB2 listening on port "+port+" is not 9.7.");

platform = get_kb_item_or_exit("DB2/"+port+"/Platform");
platform_name = get_kb_item("DB2/"+port+"/Platform_Name");
if (isnull(platform_name))
{
  platform_name = platform;
  report_phrase = "platform " + platform;
}
else
  report_phrase = platform_name;


vuln = FALSE;
# Windows 32-bit/64-bit
if (platform == 5 || platform  == 23)
{
  fixed_level = '9.7.600.413';
  if (ver_compare(ver:level, fix:fixed_level) == -1)
    vuln = TRUE;
}
# Others
else if (
  # Linux, 2.6 kernel 32/64-bit
  platform == 18 ||
  platform == 30 ||
  # AIX
  platform == 20
)
{
  fixed_level = '9.7.0.6';
  if (ver_compare(ver:level, fix:fixed_level) == -1)
    vuln = TRUE;
}
else
{
  info =
    'Nessus does not support version checks against ' + report_phrase + '.\n' +
    'To help us better identify vulnerable versions, please send the platform\n' +
    'number along with details about the platform, including the operating system\n' +
    'version, CPU architecture, and DB2 version to [email protected].\n';
  exit(1, info);
}


if (vuln)
{
  report_db2(
      severity        : SECURITY_HOLE,
      port            : port,
      platform_name   : platform_name,
      installed_level : level,
      fixed_level     : fixed_level);
}
else audit(AUDIT_LISTEN_NOT_VULN, "DB2", port, level);

Oval

accepted2013-07-29T04:00:07.792-04:00
classvulnerability
contributors
  • nameScott Quint
    organizationDTCC
  • nameMaria Kedovskaya
    organizationALTX-SOFT
definition_extensions
commentIBM DB2 UDB is installed
ovaloval:org.mitre.oval:def:12505
descriptionMultiple untrusted search path vulnerabilities in (1) db2rspgn and (2) kbbacf1 in IBM DB2 Express Edition 9.7, as used in the IBM Tivoli Monitoring for Databases: DB2 Agent, allow local users to gain privileges via a Trojan horse libkbb.so in the current working directory, related to the DT_RPATH ELF header.
familywindows
idoval:org.mitre.oval:def:14063
statusaccepted
submitted2011-12-16T09:52:00.000-05:00
titleMultiple untrusted search path vulnerabilities in (1) db2rspgn and (2) kbbacf1 in IBM DB2 Express Edition 9.7, as used in the IBM Tivoli Monitoring for Databases: DB2 Agent, allow local users to gain privileges via a Trojan horse libkbb.so in the current working directory, related to the DT_RPATH ELF header.
version7

Seebug

bulletinFamilyexploit
descriptionBugtraq ID: 51181 CVE ID:CVE-2011-4061 IBM DB2 Universal Database Server是一款大型的商业关系数据库系统 IBM DB2/IBM DB2 Connect存在安全漏洞,允许恶意本地用户提升特权 Tivoli监视代理(ITMA)绑定的SUID &quot;tmaitm6/lx8266/bin/kbbacf1&quot;可执行文件不安全使用DT_RPATH来装载libkbb.so库,本地攻击者可以利用此漏洞诱使目标用户在特制库所在目录运行应用程序,可装载任意库提升权限 0 DB2 Connect 9.x IBM DB2 9.x 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息: http://www.ibm.com/support/docview.wss?uid=swg21576372
idSSV:26133
last seen2017-11-19
modified2011-12-30
published2011-12-30
reporterRoot
titleIBM DB2 / DB2 Connect Tivoli监视代理DT_RPATH特权提升漏洞