In recent years, security guru David Litchfield has focused much of
his Black Hat stage time on database giant Oracle and
Oracle database flaws. This time around,
however, he set his sights on 20-plus vulnerabilities in
IBM's Informix family of database products.
During the opening day of Black Hat USA 2006 Wednesday,
Litchfield, managing director at NGS (Next Generation Security)
Software, demonstrated how attackers could exploit the Informix
security holes to create malicious files and libraries, gain
database administrator (DBA)-level privileges, access sensitive
data and cause a denial of service. He said the flaws illustrate
the growing perils of database security in general and that IT
shops must pay more attention to database security.
"In my opinion, database security is riddled with holes and it's
the biggest problem we face in IT today," he said.
Litchfield said he'll release advisories explaining the flaws in
greater detail later Wednesday and Thursday, but other
vulnerability watchdogs have already started posting their own
advisories. Danish vulnerability clearinghouse Secunia, for
example, issued an advisory describing approximately 16 flaws and
credited Litchfield and his team with the discovery.
The specific vulnerabilities include:
- Boundary errors in the "DBINFO()," "LOTOFILE()" and
"FILETOCLOB()" functions that can be exploited to cause a buffer
overflow.
- A boundary error within the handling of usernames that can be
exploited to cause a buffer overflow via an overly long
username.
- Arbitrary command execution via a "SET DEBUG FILE"
statement.
- Privilege escalation via C code UDR.
- The storing of user passwords in plain text in shared
memory.
- Permissions for any user to create a database.
The vulnerabilities affect IBM Informix versions 7.3, 9.4, and
10.0.
The good news, Litchfield said, is that IBM has already
addressed the flaws in versions 7.31.xD9, 9.40.xC8 and
10.00.xC4. Unlike his often strained exchanges with
Oracle, Litchfield said IBM has been responsive.
For a time during the 1990s, Informix was the No. 2 database
system after Oracle, Litchfield noted. IBM acquired Informix in
2001.
While the Informix problems have been addressed, Litchfield said
they point to a larger issue: Database flaws are pervasive
throughout the industry. He again used Oracle as an example, noting
how the database giant has fixed more than 100 serious flaws but
has yet to address another 400-plus vulnerabilities, which is the
estimated number of unpatched flaws according to his work and that
of other researchers.
Database attacks, he said, "offer the biggest potential for
fraudulent activity and damage to companies' reputations and
customer confidence." The long string of data breaches of the
past year and a half, he said, is proof of this.
"The database attacks are out there and these data breaches show
it," he said. "They just aren't noticed at the time."
While the best thing Informix customers can do is install the
updated versions, Litchfield said there are other steps they should
be taking to protect their systems. Priority one, he said, is to
practice the policy of least privilege.