
_SRT2003-11-06-0710.txt

Posted Nov 8, 2003
Authored by Kevin Finisterre | Site secnetops.com

Secure Network Operations Advisory SRT2003-11-06-0710 - IBM DB2 UDB v7 through v8.1 contains multiple local security flaws including buffer overflows and format string bugs in db2start, db2stop, and db2govd. Fix available here.

tags | advisory, overflow, local
SHA-256 | 024592d4a5147b75bed2225d6e629852eb1d72976b68b04a810ce561e313c67c

Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                           kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

To learn more about our company, products and services or to request a
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
call us at: 978-263-3829


Quick Summary:
************************************************************************
Advisory Number : SRT2003-11-06-0710
Product : IBM DB2 UDB v8.1
Version : versions v7 and v8
Vendor : http://www-3.ibm.com/software/data/db2/
Class : Local
Criticality : High
Operating System(s) : *nix


Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section.


Basic Explanation
************************************************************************
High Level Description : DB2 contains multiple local security issues.
What to do : Apply v7fp11 (late November) and v8fp4.


Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has not yet created proof of concept.

Low Level Description : DB2 UDB version 8.1 for Linux and Unix contains
several local buffer overflows and format string conditions. Our tests were
performed against DB2 on Linux as installed from 009_ESE_LNX_32_NLV.tar.
Other Unix variants may be affected in a similar manner.

Depending on the options selected the DB2 installer *may* ask you to add
several users to your machine. You are instructed to either add a new user
or choose an existing username. These are the users I added for testing:

dasusr:x:501:501::/home/dasusr:/bin/bash
db2inst1:x:502:502::/home/db2inst1:/bin/bash
db2fenc1:x:503:503::/home/db2fenc1:/bin/bash

The above usernames *may* be used in several setuid applications included
with DB2. The conditions we found are associated with the Instance user
db2inst1.

The following binaries contain multiple security issues in the form of both
format string issues and buffer overflows.

-r-sr-s--x 1 root db2inst1 38044 Oct 11 07:26 db2start
-r-sr-s--x 1 root db2inst1 84713 Oct 11 07:26 db2stop
-r-sr-s--x 1 db2inst1 db2inst1 141857 Oct 11 07:26 db2govd

Full details on the overflows and format string conditions can be located
at http://www.secnetops.com/research/advisories/SRT2003-11-06-0710.txt

Workaround: chmod -s the above mentioned binaries or use vendor patches.
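
One way to apply and verify the workaround above, as an added example that is
not part of the original advisory. The search directory is an assumption passed
in by the caller, since the advisory gives no install path; the function names
are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): find the three DB2 binaries named in
# the advisory that still carry setuid/setgid bits and clear those bits.
# ASSUMPTION: the directory to search is supplied by the caller; the advisory
# does not give an install path.

# Print the path of every db2start/db2stop/db2govd under "$1" that is still
# setuid (-perm -4000) or setgid (-perm -2000).
db2_suid_audit() {
    find "$1" -type f \
        \( -name db2start -o -name db2stop -o -name db2govd \) \
        \( -perm -4000 -o -perm -2000 \) -print
}

# Apply the workaround to each flagged binary. "u-s,g-s" is the explicit form
# of the advisory's "chmod -s"; other mode bits are left untouched.
db2_suid_strip() {
    db2_suid_audit "$1" | while IFS= read -r path; do
        ls -l "$path"                       # record the mode before changing it
        chmod u-s,g-s "$path" && echo "cleared: $path"
    done
}

# Usage: sh db2_suid.sh audit|strip <directory>
case "${1:-}" in
    audit) db2_suid_audit "$2" ;;
    strip) db2_suid_strip "$2" ;;
esac
```

Running the audit again after the strip should print nothing; any path it still
lists did not have its bits cleared.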

Vendor Status : IBM has promptly attended to the issues at hand.
Fixpak 4 for v8 is available now at
http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report
Fixpak 11 for v7 should be ready late November and will contain the
equivalent fixes.


Bugtraq URL : To be assigned.


Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract. Contact our sales
department at sales@secnetops.com for further information on how to
obtain proof of concept code.


----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."


