SQL Buffer Overflows in Informix

Informix suffers from a number of buffer overflow vulnerabilities that can be exploited via SQL. Some of these we've already discussed; other functions and statements known to be vulnerable to overflows in Informix 9.40 version 5 include:

DBINFO
LOTOFILE
FILETOCLOB
SET DEBUG FILE
ifx_file_to_file

By exploiting these overflows an attacker can execute code as the Informix user.

Local Attacks Against Informix Running on Unix Platforms

Before getting to the meat, it's important to remember that, while these attacks are described as local, remote users can take advantage of them, too, by using some of the shell vulnerabilities described earlier. When Informix is installed on a Unix-based platform, a number of its binaries have the setuid and setgid bits set. From a Linux installation:

-rwsr-sr-x 1 root informix 13691 Sep 16 04:28 ifmxgcore
-rwsr-sr-x 1 root informix 965461 Jan 13 14:23 onaudit
-rwsr-sr-x 1 root informix 1959061 Jan 13 14:23 onbar_d
-rwxr-sr-x 1 informix informix 1478387 Jan 13 14:22 oncheck
-rwsr-sr-x 1 root informix 1887869 Sep 16 04:31 ondblog
-rwsr-sr-x 1 root informix 1085766 Sep 16 04:29 onedcu
-rwxr-sr-x 1 informix informix 552872 Sep 16 04:29 onedpu
-rwsr-sr-- 1 root informix 10261553 Jan 13 14:23 oninit
-rwxr-sr-x 1 informix informix 914079 Jan 13 14:22 onload
-rwxr-sr-x 1 informix informix 1347273 Jan 13 14:22 onlog
-rwsr-sr-x 1 root informix 1040156 Jan 13 14:23 onmode
-rwsr-sr-x 1 root informix 2177089 Jan 13 14:23 onmonitor
-rwxr-sr-x 1 informix informix 1221725 ...
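Not every entry in that listing carries the same risk: a setuid-root binary that any local user may execute is a wider attack surface than one, like oninit, that only members of the informix group can start. The helper below is an added example for this page, not code from the book; it classifies an `ls -l` listing by the privilege each binary confers, assumes the standard `ls -l` column layout, and uses a sample listing constructed from the entries quoted above.

```sh
#!/bin/sh
# Added audit helper (not from the book): classify Informix binaries from an
# `ls -l` listing by the privilege they hand to a local user.
# Assumption: standard `ls -l` layout (mode, links, owner, group, size, date, name).
# On a live install the listing would come from something like:
#   find "$INFORMIXDIR" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} +

# Constructed sample, copied from entries quoted in the text above.
SAMPLE_LISTING='-rwsr-sr-x 1 root informix 13691 Sep 16 04:28 ifmxgcore
-rwsr-sr-x 1 root informix 965461 Jan 13 14:23 onaudit
-rwxr-sr-x 1 informix informix 1478387 Jan 13 14:22 oncheck
-rwsr-sr-- 1 root informix 10261553 Jan 13 14:23 oninit
-rwxr-sr-x 1 informix informix 914079 Jan 13 14:22 onload'

# classify_listing LISTING
# Emits "<name> <class>" per line, where class is one of:
#   setuid-root-world : runs as root and any local user can start it
#   setuid-root-group : runs as root, but only members of its group can start it
#   setgid-only       : runs with the group (informix), not as root
classify_listing() {
    printf '%s\n' "$1" | awk '
    {
        mode = $1; owner = $3; name = $NF
        suid  = (substr(mode, 4, 1) == "s")   # owner execute slot carries setuid
        sgid  = (substr(mode, 7, 1) == "s")   # group execute slot carries setgid
        oexec = (substr(mode, 10, 1) == "x")  # world execute bit
        if (suid && owner == "root")
            print name, (oexec ? "setuid-root-world" : "setuid-root-group")
        else if (sgid)
            print name, "setgid-only"
    }'
}

# count_class LISTING CLASS : number of binaries falling into CLASS
count_class() {
    classify_listing "$1" | awk -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# Stand-alone run: show the classification of the sample listing.
classify_listing "$SAMPLE_LISTING"
```

Binaries reported as setuid-root-world are the ones to review first; restricting their execute permission to the informix group (as oninit already is) shrinks the set of users who can reach them at all.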
