Attacking Informix with Stored Procedural Language (SPL)

Informix supports procedures and functions, otherwise known as routines, written in Stored Procedural Language, or SPL. Procedures can be extended with C libraries or Java, and to help with the security aspects of this Informix supports the idea of giving users the “usage” permission on languages:

grant usage on language c to david

This will store a row in the syslangauth table authorizing account david the use of the C language. Even though public has usage of the SPL language by default, a user must have the “resource” permission or “dba” to be able to create a routine. In other words, those with only “connect” permissions can't create routines.

Running Arbitrary Commands with SPL

One of the more worrying aspects about SPL is the built-in SYSTEM function. As you'll probably guess this takes an operating system command as an argument and executes it:

CREATE PROCEDURE mycmd()
              DEFINE CMD CHAR(255);
              LET CMD = 'dir > c:\res.txt';
              SYSTEM CMD;
    END PROCEDURE;

Giving users the ability to run operating system commands is frightening — especially because it's bits of functionality like this that attackers will exploit to gain full control of the server. If you know a bit about Informix you already may be questioning this — the command runs with the logged-on user's privileges and not that of the Informix user — so where can the harm in that be? Well, being able to run OS commands even with low privileges is simply one step away ...

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.