The Database Hacker's Handbook: Defending Database Servers by Bill Grindlay, John Heasman, Chris Anley, David Litchfield


Attacking Informix with Stored Procedural Language (SPL)

Informix supports procedures and functions, collectively known as routines, written in Stored Procedural Language, or SPL. Routines can be extended with C libraries or Java, and to control who may do that, Informix supports granting users a “usage” permission on each language:

grant usage on language c to david

This will store a row in the syslangauth table authorizing the account david to use the C language. Even though public has usage of the SPL language by default, a user must have the “resource” permission or “dba” to be able to create a routine. In other words, those with only “connect” permissions can't create routines.
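An audit of the two things the preceding paragraph says matter, language usage grants and the resource/dba privilege needed to create a routine, can be run straight against the Informix system catalog. The queries below are an added example, not from the book; the catalog tables and columns (syslangauth, sysroutinelangs, sysusers and their fields) are as I recall them from the Informix catalog and should be checked against the server you run them on.

```sql
-- Added audit example (not from the book). Catalog table and column names
-- (syslangauth, sysroutinelangs, sysusers) are assumed from memory of the
-- Informix system catalog; verify them before relying on the output.

-- 1. Who has been granted USAGE on an external language (C or Java)?
--    A grantee of 'public' means every user of the database holds it.
--    The grantor column tells you who handed the privilege out, which
--    matters when tracing how an account came to have it.
SELECT l.langname, a.grantee, a.grantor, a.langauth
  FROM syslangauth a, sysroutinelangs l
 WHERE a.langid = l.langid
   AND LOWER(l.langname) IN ('c', 'java')
 ORDER BY l.langname, a.grantee;

-- 2. Which accounts can create routines at all? Only RESOURCE ('R') and
--    DBA ('D') database privileges allow CREATE PROCEDURE/FUNCTION;
--    CONNECT ('C') does not.
SELECT username, usertype
  FROM sysusers
 WHERE usertype IN ('R', 'D')
 ORDER BY usertype DESC, username;

-- 3. The intersection is the population that can actually build an
--    external routine: accounts holding language usage that also have
--    RESOURCE or DBA. Review this list, not just the first one.
SELECT u.username, u.usertype, l.langname
  FROM sysusers u, syslangauth a, sysroutinelangs l
 WHERE u.username = a.grantee
   AND a.langid = l.langid
   AND u.usertype IN ('R', 'D')
   AND LOWER(l.langname) IN ('c', 'java');

-- 4. Remediation: take the language grant away from an account that does
--    not need it (the mirror image of the GRANT shown above).
REVOKE USAGE ON LANGUAGE c FROM david;
```

Query 3 is the one worth scheduling: a usage grant on its own is harmless to a connect-only account, and resource/dba on its own only buys SPL routines, so it is the combination that should be short and fully explained.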

Running Arbitrary Commands with SPL

One of the more worrying aspects of SPL is the built-in SYSTEM function. As you'll probably guess, this takes an operating system command as an argument and executes it:

CREATE PROCEDURE mycmd()
    DEFINE CMD CHAR(255);
    LET CMD = 'dir > c:\res.txt';
    SYSTEM CMD;              -- runs the string as an OS command
END PROCEDURE;

Giving users the ability to run operating system commands is frightening — especially because it's bits of functionality like this that attackers will exploit to gain full control of the server. If you know a bit about Informix you may already be questioning this — the command runs with the logged-on user's privileges and not those of the Informix user — so where can the harm in that be? Well, being able to run OS commands even with low privileges is simply one step away ...
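Because the routine text is stored in the catalog, a DBA can find every routine that uses SYSTEM and see who is allowed to call it. The queries below are an added example, not from the book; the catalog layout assumed here (sysprocedures, sysprocbody with its datakey 'T' text chunks, sysprocauth) is from my recollection of the Informix catalog and should be verified, and :flagged_procid is a placeholder to be replaced with a procid returned by the first query.

```sql
-- Added detection example (not from the book). Assumes the catalog layout
-- as I recall it: sysprocedures (procid, procname, owner), sysprocbody
-- (procid, datakey, seqno, data) where datakey 'T' rows hold the routine
-- text in seqno order, and sysprocauth (procid, grantor, grantee, procauth).
-- Verify against your server's catalog.

-- 1. Routines whose text mentions SYSTEM. This is a substring match, so a
--    routine that only uses the word in a comment or string literal will
--    also surface; treat the result as a review list, not a verdict.
SELECT DISTINCT p.owner, p.procname, p.procid
  FROM sysprocedures p, sysprocbody b
 WHERE p.procid = b.procid
   AND b.datakey = 'T'
   AND UPPER(b.data) LIKE '%SYSTEM%'
 ORDER BY p.owner, p.procname;

-- 2. Pull the full text of one flagged routine for manual review.
--    :flagged_procid is a placeholder for a procid from query 1.
SELECT b.seqno, b.data
  FROM sysprocbody b
 WHERE b.procid = :flagged_procid
   AND b.datakey = 'T'
 ORDER BY b.seqno;

-- 3. Who can execute it? A grantee of 'public' means any connected user
--    can call the routine and so run its SYSTEM statement. As I recall,
--    in a non-ANSI database Informix grants Execute to public by default
--    when a routine is created, so expect to see that row unless someone
--    revoked it deliberately.
SELECT p.procname, a.grantee, a.grantor, a.procauth
  FROM sysprocedures p, sysprocauth a
 WHERE p.procid = a.procid
   AND p.procid = :flagged_procid;

-- 4. Remediation, from least to most disruptive. The procedure name is
--    the one from the example above; substitute the routine you flagged.
REVOKE EXECUTE ON PROCEDURE mycmd FROM public;   -- stop everyone calling it
DROP PROCEDURE mycmd;                            -- remove it outright
```

Run query 1 on a schedule and diff the result against the last run; a newly appearing routine that calls SYSTEM, owned by an account that should only be writing plain SPL, is exactly the event the text above is warning about.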
