siberas GmbH is a consulting company specialising in security analyses and penetration tests, which advises you vendor-independently and competently in the field of IT security.


IBM Informix Dynamic Server librpc.dll Integer Overflow Remote Code Execution Vulnerability

Reference ID: SSA-1022
Publication date: 18.10.2010
Severity: critical
Discovered by: Sebastian Apelt

Affected versions: Please check the ZDI advisory for a list of vulnerable versions.

Description from ZDI advisory: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of IBM Informix Dynamic Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RPC protocol parsing library, librpc.dll, utilized by the ISM Portmapper service (portmap.exe) bound by default to TCP port 36890. A lack of sanity checking on supplied parameter sizes can result in an integer overflow and subsequent heap buffer under allocation which can finally lead to an exploitable memory corruption.

Additional information:
The vulnerability is located in the function __lgto_xdr_string(), which parses strings from user-supplied input.

The structure is simple:
[(dword)str_len] [string data of length str_len].

The heap overflow happens due to an integer overflow of the following form:
char* buf = malloc(str_len + 3);

str_len is a 32-bit value taken directly from the message, so any value >= 0xfffffffd makes str_len + 3 wrap around and malloc() is asked for only 0, 1 or 2 bytes. The parser then copies str_len bytes into that tiny buffer, causing the heap overflow.
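The following is an added illustration, not code from the advisory or from librpc.dll: it reproduces the flawed 32-bit size computation for the length-prefixed format described above and places a checked parser beside it. The function names are illustrative, the sample messages are constructed, and two details are assumptions not stated on the page: that the length dword is big-endian as in standard XDR, and that the "+3" is the usual XDR round-up to a 4-byte boundary.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Wire format from the advisory:
 *   [(dword)str_len] [str_len bytes of string data]
 * Assumed big-endian length (XDR convention); names below are illustrative.
 */

/* The flawed size computation, in the 32-bit arithmetic of the affected code. */
uint32_t vulnerable_alloc_size(uint32_t str_len) {
    return str_len + 3;   /* wraps to 0, 1 or 2 for str_len >= 0xfffffffd */
}

/* 1 if malloc(str_len + 3) would hand back fewer than str_len bytes. */
int would_underallocate(uint32_t str_len) {
    return vulnerable_alloc_size(str_len) < str_len;
}

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Checked parser. The declared length is compared against the bytes actually
 * present in the message before anything is allocated or copied, so neither
 * the allocation size nor the copy length can be driven by an attacker-chosen
 * value; since str_len <= msg_len - 4 here, str_len + 1 cannot wrap either.
 * Returns a malloc'd NUL-terminated copy, or NULL on malformed input.
 */
char *parse_xdr_string_checked(const unsigned char *msg, size_t msg_len,
                               size_t *consumed) {
    if (msg == NULL || msg_len < 4)
        return NULL;
    uint32_t str_len = read_be32(msg);
    size_t avail = msg_len - 4;
    if (str_len > avail)            /* claims more data than was sent: reject */
        return NULL;
    char *buf = malloc((size_t)str_len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + 4, str_len);
    buf[str_len] = '\0';
    if (consumed)
        *consumed = 4 + (size_t)str_len;
    return buf;
}

/* Constructed sample messages, not captured traffic. */
static const unsigned char good_msg[] = {
    0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'
};
static const unsigned char evil_msg[] = {
    0xff, 0xff, 0xff, 0xfd, 'A', 'A', 'A', 'A'    /* str_len = 0xfffffffd */
};

int main(void) {
    uint32_t evil_len = read_be32(evil_msg);
    printf("str_len 0x%08x: malloc(str_len + 3) requests %u bytes, "
           "then copies %u bytes\n",
           (unsigned)evil_len, (unsigned)vulnerable_alloc_size(evil_len),
           (unsigned)evil_len);

    char *s = parse_xdr_string_checked(good_msg, sizeof good_msg, NULL);
    printf("good message -> %s\n", s ? s : "(rejected)");
    free(s);

    s = parse_xdr_string_checked(evil_msg, sizeof evil_msg, NULL);
    printf("evil message -> %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

Note that the bounds check against the remaining message length is the fix that matters: a standalone `str_len + 3 < str_len` overflow test would stop the wrap-around but still let a length just under 0xfffffffd request a copy far beyond the received data.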

The patch timeline is notable:
2007-05-22 - Vulnerability reported to vendor
2010-10-18 - Coordinated public release of advisory