Attacking Informix with Stored Procedural Language (SPL)
Informix supports procedures and functions, otherwise known as routines, written in Stored Procedural Language, or SPL. Procedures can be extended with C libraries or Java, and to help with the security aspects of this, Informix supports the idea of giving users the “usage” permission on languages:
grant usage on language c to david
This will store a row in the syslangauth table authorizing the account david to use the C language. Even though public has usage of the SPL language by default, a user must have the “resource” or “dba” permission to be able to create a routine. In other words, those with only “connect” permissions can't create routines.
Running Arbitrary Commands with SPL
One of the more worrying aspects of SPL is the built-in SYSTEM function. As you'll probably guess, this takes an operating system command as an argument and executes it:
CREATE PROCEDURE mycmd()
    DEFINE CMD CHAR(255);
    LET CMD = 'dir > c:\res.txt';
    SYSTEM CMD;
END PROCEDURE;
Giving users the ability to run operating system commands is frightening — especially because it's bits of functionality like this that attackers will exploit to gain full control of the server. If you know a bit about Informix you may already be questioning this — the command runs with the logged-on user's privileges and not those of the Informix user — so where is the harm in that? Well, being able to run OS commands even with low privileges is simply one step away ...
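The following catalog queries are an added example, not code from the book: they show how a DBA could audit the exposure described above in each database. They assume the standard Informix system catalog tables sysusers, sysroutinelangs, sysprocedures and sysprocbody alongside the syslangauth table named in the text, and the third query is a plain text match that returns candidates for manual review.

```sql
-- 1. Accounts able to create routines: Resource ('R') or DBA ('D').
--    Connect-only accounts ('C') cannot create routines.
SELECT username, usertype
FROM sysusers
WHERE usertype IN ('R', 'D')
ORDER BY usertype, username;

-- 2. Language usage grants, i.e. the rows written by
--    GRANT USAGE ON LANGUAGE ... (look for unexpected grantees on C or Java).
SELECT l.langname, a.grantee, a.grantor, a.langauth
FROM syslangauth a, sysroutinelangs l
WHERE a.langid = l.langid
ORDER BY l.langname, a.grantee;

-- 3. SPL routines whose stored source text mentions SYSTEM.
--    datakey = 'T' selects the text of the routine body. The text is
--    stored in chunks, one row per seqno, so a keyword that straddles
--    two chunks is missed, and identifiers that merely contain
--    "system" are also returned: review each hit by hand.
SELECT DISTINCT p.owner, p.procname, p.procid
FROM sysprocedures p, sysprocbody b
WHERE p.procid = b.procid
  AND b.datakey = 'T'
  AND UPPER(b.data) LIKE '%SYSTEM%'
ORDER BY p.owner, p.procname;
```

Where a routine returned by the third query has no business need to call SYSTEM, review who owns it and who may execute it, and review the Resource and DBA holders from the first query.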