
IBM.cloudscape.txt

Posted Feb 5, 2004
Authored by Marc Schoenefeld | Site illegalaccess.org

IBM cloudscape SQL Database (DB2J) version 5.1 on Windows with jdk 1.4.2 is vulnerable to remote command injection, denial of service attacks, and information leakage via specially crafted SQL statements.

tags | advisory, remote, denial of service
systems | windows
SHA-256 | c978f42930b6ec8b774c8919d065e66eb3f5f2a2502016807c1aba06dba01d78

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Illegalaccess.org security advisory ii/02-2004 (www.illegalaccess.org)

IBM cloudscape SQL Database (DB2J) vulnerable to remote command injection

Brief
=====

Product : IBM cloudscape database
Version : 5.1
Vendor : IBM
Impact : Code injection, DoS, information leakage
Date : Public Release 02/04/2004, 11am GMT

Summary
=======
By using specially crafted SQL statements, *arbitrary executables*
on the host running the IBM Cloudscape database server on the
Sun JDK 1.4 (j2sdk) *can be started*.
The vulnerability has been tested by illegalaccess.org with
Cloudscape 5.1 on Windows XP and JDK 1.4.2_03.

Workaround
==========
A possible workaround is to create an adequate policy file
to configure a security manager object for Cloudscape.
Cloudscape does not include such a configuration, so the policy
settings have to be evaluated manually. Simply granting
AllPermissions to the Cloudscape jar codebase does not solve the
problem. With a proper setting installed, the described attack
leads to a security exception thrown by Cloudscape instead of
starting the exe file the attacker wanted to run.

This text will also be available soon at
http://www.illegalaccess.org

Product
=======
IBM Cloudscape database, which is available at www.ibm.com.
It cannot be ruled out that Cloudscape versions for other operating
systems contain similar vulnerabilities.

Details
=======
By using a specially crafted SQL statement, arbitrary executables
on the host running the Cloudscape database can be started.
The exploit code is similar to the jboss/hsqldb and
the pointbase exploits discovered earlier. Furthermore, this is a
typical case of exploit reuse, as the SQL statements only needed minor
adjustment from hsqldb function definition syntax to
Cloudscape function definition syntax. The vulnerability
results from inadequate security settings and library bugs in
sun.* and org.apache.* packages in JDK 1.4.2_03 when running
Cloudscape without a fine-tuned security manager.

Risk
====
In addition to the possibility of executing arbitrary executables,
denial-of-service attacks as well as information leakage scenarios
have been tested positively. The IBM JRE bundled with Cloudscape
is only known to be vulnerable to a denial-of-service condition.

Proof-Of-concept code
=====================
The vendor (IBM) has been provided with proof-of-concept SQL code
that starts notepad.exe on the machine running the Cloudscape
database.

Fix
===
No fix is available to date, as IBM is ignoring the
problem. Furthermore, several IBM security experts have been
alerted via e-mail about the problem, but no reaction has occurred.
A security policy can be obtained by running Cloudscape
under the control of a policy recorder like jchains (www.jchains.org)
and using the resulting policy file for safer production.
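
An added example (not part of the advisory, and not the author's or IBM's
code): a small Python audit for the policy file described under Workaround
and Fix. It reports every grant that would still let a process start pass
SecurityManager.checkExec(), namely java.security.AllPermission or a
java.io.FilePermission with the "execute" action. The two sample policies,
including their codeBase, data directory and port, are constructed
placeholders.

```python
import re

# Constructed sample policies: codeBase, data directory and port are placeholders.
WEAK_POLICY = '''
grant codeBase "file:/opt/cloudscape/lib/-" {
    permission java.security.AllPermission;
};
'''
RESTRICTED_POLICY = '''
// engine jars: data directory and listener only, no "execute" action
grant codeBase "file:/opt/cloudscape/lib/-" {
    permission java.io.FilePermission "/opt/cloudscape/data/-", "read,write,delete";
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "localhost:1527", "accept,listen";
};
'''

GRANT_RE = re.compile(r'grant\b([^{]*)\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(
    r'permission\s+([\w.$]+)\s*(?:"([^"]*)")?\s*(?:,\s*"([^"]*)")?')
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')

def strip_comments(text):
    """Remove /* */ and // comments, leaving "file://" URLs alone."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(?m)(^|\s)//.*$', r'\1', text)

def exec_grants(policy_text):
    """Return (codeBase, permission, target) for every grant that lets
    a process start pass SecurityManager.checkExec()."""
    findings = []
    for header, body in GRANT_RE.findall(strip_comments(policy_text)):
        m = CODEBASE_RE.search(header)
        codebase = m.group(1) if m else "<all code>"
        for cls, target, actions in PERM_RE.findall(body):
            acts = {a.strip().lower() for a in actions.split(",")}
            if cls == "java.security.AllPermission":
                findings.append((codebase, cls, target))
            elif cls == "java.io.FilePermission" and "execute" in acts:
                findings.append((codebase, cls, target))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, exec_grants(text) or "no exec-capable grants")
```

A policy produced by a recorder can be passed through exec_grants() before
it is used in production; an empty result means no grant in the file
permits starting an executable.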

More Information
================
At RSA Conference 2003 the problem areas in JDK 1.4 which allow remote code
injection were presented. A report testing three major
100% pure Java databases against these vulnerabilities will be made
public in February. This work is part of my dissertation research and
therefore a non-profit project.

History
=======
15 Nov 2003 Vendor (IBM) informed via email
01 Dec 2003 Vendor (IBM) informed again
7 Feb 2004 public release

Greetings
=========
to Johnny Cyberpunk and his S/390, to Dark Tangent for still hiding my
travel and parking allowance, g0dzilla, Weltmeister and halvar the viking


- - --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (AIX)

iD8DBQFAIiNAqCaQvrKNUNQRAkOTAJ0QQG6eCk4b/f0RNK70Vt7d4i5BzwCfaUOY
hJX+6u83XTglU+JWCJZKWZA=
=HbZg
-----END PGP SIGNATURE-----