-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Illegalaccess.org security advisory ii/02-2004 (www.illegalaccess.org)

IBM Cloudscape SQL Database (DB2J) vulnerable to remote command injection

Brief
=====
Product : IBM Cloudscape database
Version : 5.1
Vendor  : IBM
Impact  : Code injection, DoS, information leakage
Date    : Public release 02/04/2004, 11am GMT

Summary
=======
By using specially crafted SQL statements, *arbitrary executables* on the host
running the IBM Cloudscape database server *can be started* when the server
runs on the Sun JDK 1.4 (J2SDK). The vulnerability has been tested by
illegalaccess.org with Cloudscape 5.1 on Windows XP and JDK 1.4.2_03.

Workaround
==========
A possible workaround is to create an adequate policy file and run Cloudscape
under a Java security manager configured with it. Cloudscape does not ship with
such a configuration, so the policy settings have to be worked out manually.
Simply granting AllPermission to the Cloudscape jar codebase does not solve the
problem: the executable is still started. With a proper policy installed, the
described attack results in a SecurityException thrown inside Cloudscape
instead of the executable the attacker wanted to start.

This text will also be available soon at http://www.illegalaccess.org

Product
=======
IBM Cloudscape database, available at www.ibm.com

It cannot be ruled out that Cloudscape versions for other operating systems
contain similar vulnerabilities.

Details
=======
By using a specially crafted SQL statement, arbitrary executables on the host
running the Cloudscape database can be started. The exploit code is similar to
the JBoss/HSQLDB and the PointBase exploits discovered earlier. This is a
typical case of exploit reuse: the SQL statements only needed minor adjustment
from the HSQLDB function definition syntax to the Cloudscape function
definition syntax.

The vulnerability results from inadequate security settings and library bugs in
the sun.* and org.apache.* packages of JDK 1.4.2_03 when Cloudscape runs
without a fine-tuned security manager.
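The workaround above (a fine-tuned security manager rather than a blanket
AllPermission grant) can be expressed as a Java policy file. The file below is
an added example and is not part of the original advisory nor a file shipped by
IBM; the jar location, database directory, port number, and the main class used
on the command line are assumptions and must be adapted to the actual
installation. The permission class names and actions are the standard ones of
the JDK 1.4 policy format.

```text
// cloudscape.policy -- example policy for running Cloudscape 5.1 under a
// security manager (added example; paths, port and main class are assumptions)
//
// Start the server under a security manager with this policy instead of the
// default, unrestricted setup. The "==" makes this file the only policy in
// effect (the JDK's own java.policy is not merged in):
//
//   java -Djava.security.manager \
//        -Djava.security.policy==cloudscape.policy \
//        -cp /opt/cloudscape/lib/db2j.jar:/opt/cloudscape/lib/db2jtools.jar \
//        com.ibm.db2j.drda.NetworkServerControl start
//
// WEAK (what the advisory says does not help): granting everything to the
// engine codebase. Runtime.exec is checked against every protection domain
// on the call stack; when the engine's jar holds AllPermission, a crafted SQL
// function that maps onto a JDK method still executes with full rights.
//
//   grant codeBase "file:/opt/cloudscape/lib/db2j.jar" {
//       permission java.security.AllPermission;
//   };
//
// CORRECTED: grant the engine only what it needs. No java.io.FilePermission
// with the "execute" action is granted, so starting notepad.exe through a
// crafted SQL function fails with java.security.AccessControlException
// (a SecurityException) raised inside the database engine. Use a policy
// recorder such as jchains (see the Fix section) to find out which of the
// entries below the engine really exercises and to drop the rest.

grant codeBase "file:/opt/cloudscape/lib/db2j.jar" {
    // database files, transaction log and temp space: nothing else on disk
    permission java.io.FilePermission "/var/lib/cloudscape/-", "read,write,delete";
    permission java.io.FilePermission "/opt/cloudscape/lib/-", "read";
    permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";

    // engine configuration properties only (db2j.* is the Cloudscape prefix)
    permission java.util.PropertyPermission "db2j.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.util.PropertyPermission "java.io.tmpdir", "read";
    permission java.util.PropertyPermission "file.encoding", "read";

    // accept client connections on the DRDA port; no outbound "connect"
    permission java.net.SocketPermission "localhost:1527", "accept,listen,resolve";
    permission java.net.SocketPermission "*:1024-", "accept,resolve";

    // housekeeping threads used by the engine
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "getProtectionDomain";
};
```

Deliberately absent from the corrected grant are `java.security.AllPermission`,
any `FilePermission` with the `execute` action, `RuntimePermission
"setSecurityManager"` (which would let injected code switch the manager off
again) and `RuntimePermission "createClassLoader"`; add the last one only if the
installation actually stores jar files inside the database and the policy
recorder shows the engine needs it.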
Risk
====
In addition to the possibility of executing arbitrary executables,
denial-of-service attacks as well as information leakage scenarios have been
confirmed in testing. The IBM JRE bundled with Cloudscape is only known to be
vulnerable to a denial-of-service condition.

Proof-of-concept code
=====================
The vendor (IBM) has been provided with proof-of-concept SQL code that starts
notepad.exe on the machine running the Cloudscape database.

Fix
===
There is no fix available to date, as IBM is ignoring the problem. Furthermore,
several IBM security experts have been alerted via e-mail about the problem,
but no reaction has occurred.

A security policy can be obtained by running Cloudscape under the control of a
policy recorder like jchains (www.jchains.org) and using the resulting policy
file for safer production use.

More Information
================
At RSA Conference 2003 the problem areas in JDK 1.4 which allow remote code
injection were presented. A report testing three major 100% pure Java
databases against these vulnerabilities will be made public in February.

This work is part of my dissertation research and therefore a non-profit
project.

History
=======
15 Nov 2003   Vendor (IBM) informed via email
01 Dec 2003   Vendor (IBM) informed again
07 Feb 2004   Public release

Greetings
=========
to Johnny Cyberpunk and his S/390, to Dark Tangent for still hiding my travel
and parking allowance, g0dzilla, Weltmeister and halvar the viking

- -- 
Never be afraid to try something new. Remember, amateurs built the ark;
professionals built the Titanic. -- Anonymous

Marc Schönefeld
Dipl. Wirtsch.-Inf. / Software Developer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (AIX)

iD8DBQFAIiNAqCaQvrKNUNQRAkOTAJ0QQG6eCk4b/f0RNK70Vt7d4i5BzwCfaUOY
hJX+6u83XTglU+JWCJZKWZA=
=HbZg
-----END PGP SIGNATURE-----