Vigil@nce - IBM DB2: privilege elevation via kbbacf1
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the kbbacf1 program to gain root
privileges.
Severity: 2/4
Creation date: 01/07/2011
IMPACTED PRODUCTS
– IBM DB2 UDB
DESCRIPTION OF THE VULNERABILITY
The DT_RPATH and DT_RUNPATH fields in the dynamic section of an ELF
file give the list of directories where the dynamic loader ld.so
searches for libraries (it then uses environment variables such as
LD_LIBRARY_PATH, then ld.so.cache, and then the standard directories).
The IBM DB2 product installs the /opt/ibm/db2/V9.7/itma/tmaitm6/lx8266/bin/kbbacf1
program as suid root. When it starts, it searches for the libkbb.so
library.
However, the DT_RPATH field of kbbacf1 contains the current
directory ('.'). An attacker can thus create a malicious libkbb.so
library in a directory of their choice, and then call kbbacf1 from
that directory so that the library's code is executed as root.
A local attacker can therefore use the kbbacf1 program to gain root
privileges.
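To check a host for this class of defect, the following added example (not part of the Vigil@nce bulletin or of IBM's code) lists set-uid files whose DT_RPATH or DT_RUNPATH holds a non-absolute entry. It assumes the binutils readelf tool is installed; the function names and the sample readelf output are constructed for illustration.

```python
import os
import re
import stat
import subprocess
import sys

# Matches the RPATH / RUNPATH lines printed by `readelf -d`.
_TAG_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

# Constructed sample of `readelf -d` output (not taken from a real kbbacf1).
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libkbb.so]
 0x000000000000000f (RPATH)              Library rpath: [.:/opt/example/lib]
"""

def unsafe_entries(readelf_dynamic_output):
    """Return [(tag, entry)] for every search-path entry that is not absolute."""
    findings = []
    for line in readelf_dynamic_output.splitlines():
        match = _TAG_RE.search(line)
        if not match:
            continue
        tag, value = match.groups()
        for entry in value.split(":"):
            # ".", "lib", "$ORIGIN/..." and empty entries (which glibc reads
            # as the current directory) are all reported for review.
            if not entry.startswith("/"):
                findings.append((tag, entry or "<empty>"))
    return findings

def audit_setuid(root):
    """Walk `root` and return {path: findings} for set-uid regular files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                out = subprocess.run(["readelf", "-d", path],
                                     capture_output=True, text=True).stdout
                if unsafe_entries(out):
                    report[path] = unsafe_entries(out)
    return report

if __name__ == "__main__":
    for path, found in audit_setuid(sys.argv[1] if len(sys.argv) > 1 else "/opt").items():
        print(path, found)
```
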
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IBM-DB2-privilege-elevation-via-kbbacf1-10798