Vigil@nce - IBM DB2: privilege elevation via install_jar
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use the install_jar procedure, in order to create
a file outside the storage directory, which leads to code
execution.
Severity: 2/4
Creation date: 20/10/2010
DESCRIPTION OF THE VULNERABILITY
The sqlj.install_jar procedure stores a Java archive under the
"\function\jar\user\" catalog.
However, if the archive name contains "../" or "..\", the archive
is stored outside the catalog. An attacker can thus overwrite a
system file, in order to elevate his privileges.
An attacker can therefore use the install_jar procedure, in order
to create a file outside the storage directory, which leads to
code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IBM-DB2-privilege-elevation-via-install-jar-10055