From aleph1@UNDERGROUND.ORG Thu Sep 7 18:24:53 2000
From: Aleph One
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 7 Sep 2000 12:29:12 -0700
Subject: [BUGTRAQ] ISS Advisory: Buffer Overflow in IBM Net.Data db2www CGI program

Internet Security Systems Security Advisory
September 7, 2000

Buffer Overflow in IBM Net.Data db2www CGI program.

Synopsis:

Net.Data is a middleware application used for Web development and is available on Unix, Windows, OS/2, and mainframe platforms. The db2www component of Net.Data is a CGI program that handles requests from Web clients. An exploitable buffer overflow condition exists in the db2www program.

Impact:

This vulnerability may allow a remote attacker to execute arbitrary code under the privileges of a Web server or to crash a Web server.

Affected Versions:

All versions are affected.

Platforms Affected:

AIX, OS/2, Linux, Windows NT, HP-UX 11, and Sun are affected.

Description:

Net.Data allows Web applications to interface with a variety of database systems. It can encapsulate programs written in different languages (including SQL, Perl, and Java) into macro language scripts. Net.Data supports native APIs from different Web server vendors (Apache, Microsoft, Netscape, and Lotus) to improve the performance of Web applications. Net.Data powers other IBM applications such as Net.Commerce and WebSphere Commerce Suite.

The problem is triggered when the program handles an extremely long PATH_INFO CGI environmental variable. The stack of a function is overflowed by this long variable causing the return address to be overwritten. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the running Web server process. Since Net.Data may run in the same address space of the Web server by using Web server APIs, it may be possible to completely crash a Web server under some configurations.

Recommendations:

IBM recommends applying the security patch, which is available at the Net.Data FTP site:
ftp://ftp.software.ibm.com/software/net.data/fixes

A separate patch is available for each platform:

AIX:
ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-0008.aix.tar.gz
(The AIX fix for version 6 will also work for version 2)

HP-UX 11:
ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-0008.hp-ux.tar.gz

Linux:
ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-7.1-0008.linux.tar.gz

OS/2:
ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-7.1-0008.os2.zip

Sun Solaris:
ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-0008.sunsol.tar.gz

Windows NT:
ftp://ftp.software.ibm.com/software/net.data/fixes/netdata-all-6.1-01-0008.winnt.zip

The ISS SAFEsuite assessment software, Internet Scanner, will be updated to detect this vulnerability in an upcoming X-Press Update.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0677 to this issue. This is a candidate for inclusion in the CVE list (), which standardizes names for security problems.

Credits:

This vulnerability was discovered and researched by Oliver Atoa-Ortiz of the ISS X-Force. Internet Security Systems would like to thank IBM for their response and handling of this vulnerability.

_____

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.
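
The Description attributes the overflow to an over-long PATH_INFO copied into a stack buffer. The C sketch below is an added illustration of that bug class beside a hardened form; it is not IBM's db2www code and not part of the ISS advisory, and the function names and the 256-byte buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size for illustration; the advisory does not state the real one. */
#define MACRO_PATH_MAX 256

/* Bug class from the Description: the copy length is set by the
 * client-supplied PATH_INFO, not by the size of the stack buffer. */
void macro_path_unsafe(const char *path_info)
{
    char macro[MACRO_PATH_MAX];
    strcpy(macro, path_info);   /* writes past macro[] when strlen >= 256 */
    printf("macro: %s\n", macro);
}

/* Hardened form: measure against the destination first and reject.
 * Truncating instead would silently resolve a different path.
 * Returns 0 on success, -1 if PATH_INFO is absent, -2 if it does not fit. */
int macro_path_checked(const char *path_info, char *dst, size_t dstsz)
{
    size_t len = 0;

    if (path_info == NULL || dst == NULL || dstsz == 0)
        return -1;
    while (len < dstsz && path_info[len] != '\0')   /* never reads past dstsz */
        len++;
    if (len == dstsz)
        return -2;
    memcpy(dst, path_info, len + 1);                /* includes the NUL */
    return 0;
}

int main(void)
{
    char macro[MACRO_PATH_MAX];
    int rc = macro_path_checked(getenv("PATH_INFO"), macro, sizeof macro);

    if (rc == -2) {             /* fail closed before any parsing happens */
        printf("Status: 414 Request-URI Too Long\r\n\r\n");
        return 1;
    }
    if (rc != 0) {
        printf("Status: 400 Bad Request\r\n\r\n");
        return 1;
    }
    printf("Content-Type: text/plain\r\n\r\nmacro path: %s\n", macro);
    return 0;
}
```

A length limit on the request path at the Web server or a fronting proxy gives the same rejection before the CGI program runs, which matters for installations that cannot apply the vendor patch immediately.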