Litchfield: Database security is 'IT's biggest problem'

At Black Hat USA 2006, database security guru David Litchfield unveils 20-plus IBM Informix flaws that attackers could exploit to create malicious files, gain DBA-level privileges and access sensitive data.

In recent years, security guru David Litchfield has focused much of his Black Hat stage time on database giant Oracle and Oracle database flaws. This time around, however, he set his sights on 20-plus vulnerabilities in IBM's Informix family of database products.

During the opening day of Black Hat USA 2006 Wednesday, Litchfield, managing director at NGS (Next Generation Security) Software, demonstrated how attackers could exploit the Informix security holes to create malicious files and libraries, gain database administrator (DBA)-level privileges, access sensitive data and cause a denial of service. He said the flaws illustrate the growing perils of database security in general and that IT shops must pay more attention to database security.

"In my opinion, database security is riddled with holes and it's the biggest problem we face in IT today," he said.

Litchfield said he'll release advisories explaining the flaws in greater detail later Wednesday and Thursday, but other vulnerability watchdogs have already started posting their own advisories. Danish vulnerability clearinghouse Secunia, for example, issued an advisory describing approximately 16 flaws and credited Litchfield and his team with the discovery.

The specific vulnerabilities include:

  • Boundary errors in the "DBINFO()," "LOTOFILE()" and "FILETOCLOB()" functions that can be exploited to cause a buffer overflow.

  • A boundary error within the handling of usernames that can be exploited to cause a buffer overflow via an overly long username.

  • Arbitrary command execution via a "SET DEBUG FILE" statement.

  • Privilege escalation via C-code user-defined routines (UDRs).

  • The storing of user passwords in plain text in shared memory.

  • Permissions for any user to create a database.

The vulnerabilities affect IBM Informix versions 7.3, 9.4, and 10.0.

The good news, Litchfield said, is that IBM has already addressed the flaws in versions 7.31.xD9, 9.40.xC8, and 10.00.xC4. Unlike his often strained exchanges with Oracle, Litchfield said, IBM has been responsive.

For a time during the 1990s, Informix was the No. 2 database system after Oracle, Litchfield noted. IBM acquired Informix in 2001.

While the Informix problems have been addressed, Litchfield said they point to a larger issue: database flaws are pervasive throughout the industry. He again used Oracle as an example, noting that the database giant has fixed more than 100 serious flaws but has yet to address another 400-plus vulnerabilities, the number of unpatched flaws estimated from his own work and that of other researchers.

Database attacks, he said, "offer the biggest potential for fraudulent activity and damage to companies' reputations and customer confidence." The long string of data breaches over the past year and a half, he said, is proof of this.

"The database attacks are out there and these data breaches show it," he said. "They just aren't noticed at the time."

While the best thing Informix customers can do is install the updated versions, Litchfield said there are other steps they should be taking to protect their systems. Priority one, he said, is to practice the principle of least privilege.
