ibm db2 9.7 Exploiting the linker

2011.10.26
Credit: Tim Brown
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

I've recently been working on a paper on Linux and POSIX linkers, the most recent release of which can be found at: * http://www.nth-dimension.org.uk/downloads.php?id=77 I'm particularly interested in feedback on references or threats that I may have missed. As per the abstract, the aim of the paper wasn't to claim everything as my own but rather to document as much as possible about common flaws and how to identify them. Whilst working on the paper I came across a number of interesting bugs (some exploitable, others sadly not). The paper itself touches on the circumstances around CVE-2011-1126 but two other bugs also mentioned in the paper (one of which I released the advisory NDSA20110310 for) are potentially more useful so I've written PoC to exploit them: 1) http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack using DB2 from normal user to root, the PoC is for Linux but based on testing the AIX version looks iffy too although I couldn't get gcc to generate a valid library to exploit it. 2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on the QNX runtime linker which abuses an arbitrary file overwrite and race condition to get root. The paper is still a work in progress but both DB2 and QNX are available for download if you want to take them for a spin. Anyway, enjoy! Tim -- Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk [email concealed]> <http://www.nth-dimension.org.uk/>

References:

http://www.securityfocus.com/bid/48514
http://www.securityfocus.com/archive/1/518659
http://www.nth-dimension.org.uk/downloads.php?id=83
http://www.nth-dimension.org.uk/downloads.php?id=77


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top