Informix Dynamic Server SET DEBUG FILE SQL语句任意命令执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1193817 漏洞类型
发布时间 2006-08-16 更新时间 2006-09-19
CVE编号 CVE-2006-3860 CNNVD-ID CNNVD-200608-246
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2006080116
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-246
|漏洞详情
InformixDynamicServer(IDS)是一款由IBM开发的数据库攻击者可以向SETDEBUGFILESQL语句和start_onpload及dbexp过程注入任意操作系统命令。注入到SETDEBUGFILE中的命令会以informix用户的权限执行;注入到dbexp或start_onpload中的命令会以登录用户的权限执行。
|漏洞EXP
NGSSoftware Insight Security Research Advisory

Name: Multiple Arbitrary Command Execution Vulnerabilities
Systems Affected: All versions of Informix
Severity: High
Vendor URL: http://www.ibm.com/
Author: David Litchfield [ davidl (at) ngssoftware (dot) com [email concealed] ]
Date of Public Advisory: 2nd August 2006
Advisory number: #NISR02082006F
CVEID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3860
Advisory URL: http://www.ngssoftware.com/research/

Description
***********
Informix Dynamic Server is a database developed by IBM. During a security 
assessment of Informix multiple arbitrary command execution flaws were 
found.

Details
*******
It is possible to inject arbitrary operating system commands into the SET 
DEBUG FILE SQL statement and the start_onpload
 and dbexp procedures. Any commands injected into SET DEBUG FILE will 
execute with the privileges of the informix user; any command injected into 
dbexp or start_onpload will execute with the privileges of the logged on 
user.

Fix Information
***************
IBM was alerted to these flaws on the 6th January 2005. Patches have now 
been made available.

NGSSQuirreL for Informix, an advanced vulnerability assessment scanner 
designed specifically for Informix, can be used to accurately determine 
whether your servers are vulnerable to this flaw. More information about 
NGSSQuirreL for Informix can be found here 
http://www.ngssoftware.com/products/database-security/ngs-squirrel-infor
mix.php

About NGSSoftware
*****************

NGSSoftware develops vulnerability assessment and compliancy tools for 
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and 
Informix. Headquartered in the United Kingdom NGS has offices in London, St. 
Andrews (UK), Sydney, Brisbane, and Perth (Australia) and Texas in the 
United States; NGSConsulting provide services to some of the largest and 
most demanding organizations around the globe.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries (at) ngssoftware (dot) com [email concealed]
|参考资料

来源:XF
名称:informix-setdebug-command-execution(28124)
链接:http://xforce.iss.net/xforce/xfdb/28124
来源:XF
名称:informix-sysmaster-command-execution(28121)
链接:http://xforce.iss.net/xforce/xfdb/28121
来源:BID
名称:19264
链接:http://www.securityfocus.com/bid/19264
来源:BUGTRAQ
名称:20060814MultipleArbitraryCommandExecutionVulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/443185/100/0/threaded
来源:BUGTRAQ
名称:20060814Informix-Discovery,AttackandDefense
链接:http://www.securityfocus.com/archive/1/archive/1/443133/100/0/threaded
来源:VUPEN
名称:ADV-2006-3077
链接:http://www.frsirt.com/english/advisories/2006/3077
来源:MISC
链接:http://www.databasesecurity.com/informix/DatabaseHackersHandbook-AttackingInformix.pdf
来源:www-1.ibm.com
链接:http://www-1.ibm.com/support/docview.wss?uid=swg21242921
来源:SECUNIA
名称:21301
链接:http://secunia.com/advisories/21301
来源:OSVDB
名称:27686
链接:http://www.osvdb.org/27686
来源:SREASON
名称:1407
链接:http://securityreason.com/securityalert/1407