IBM IDS librpc.dll Buffer Overflow (Mar 5, 2010)

IBM Informix is a family of relational database management system (RDBMS) products. Informix Dynamic Server (IDS) is an online transaction processing data server. Numerous RPC services included in IDS are exposed through the Portmapper facility. Portmapper is a service that runs on many Unix-based operating systems for the purpose of mapping SunRPC program numbers to network addresses. The portmapper protocol uses the SunRPC message format, which carries an authentication mechanism in its credentials fields. The RPC call header has the following structure:

Offset  Size  Description
------  ----  -----------------------------------------------------
0x00    4     XID
0x04    4     Message Type: Call (0)
0x08    4     RPC Version: 2
0x0C    4     Program: Portmap (100000)
0x10    4     Program Version: 2
0x14    4     Procedure
0x18    4     Credentials - Flavor
0x1C    4     Credentials - Length
0x20    x     Credentials - Structure

The layout of the Credentials Structure depends on the value of the Credentials Flavor. Informix uses a proprietary Credentials Flavor identified by the value 0x753D. The structure of this proprietary authentication mechanism is not fully known; however, it is apparent that at least one string parameter, preceded by a value denoting its length, is expected.
There is a heap buffer overflow vulnerability in the RPC library of the IBM Informix portmapper module, librpc.dll. The vulnerability is due to improper boundary checking of the string parameter in the Informix-flavor credentials structure.
The vulnerable function checks the length of the included string against a maximum value. If the string length is larger than the maximum, it is incremented by a fixed value and used as the size of the buffer to be allocated. A copy operation then copies the entire string into the allocated buffer. If the supplied string length value is large enough that the increment wraps the 32-bit integer around, an insufficient buffer is allocated, and the string copy overwrites critical heap memory beyond it.
An attacker can craft a malicious Portmapper RPC message that exploits this flaw, leading to remote code execution in the context of the service.
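The following C program is an added example, not code from the advisory or from IBM's librpc.dll. It parses the RPC call header laid out in the table above from a constructed (not captured) message, extracts the Informix-flavor credential string length, and contrasts the size arithmetic the text describes (increment applied with no wraparound check) with a hardened version that validates the declared length against the bytes actually received. The maximum length (256), the fixed increment (16), the procedure number (0) and the behaviour for strings below the maximum are assumptions for illustration; the page does not state the real values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field offsets of the SunRPC call header given on the page (big-endian XDR). */
enum { OFF_MSG_TYPE = 0x04, OFF_RPC_VER = 0x08, OFF_PROGRAM = 0x0C,
       OFF_CRED_FLAVOR = 0x18, OFF_CRED_LEN = 0x1C, OFF_CRED_BODY = 0x20 };
#define MSG_CALL         0u
#define RPC_VERSION      2u
#define PORTMAP_PROGRAM  100000u
#define INFORMIX_FLAVOR  0x753Du   /* proprietary flavor named on the page */

/* Hypothetical constants: the advisory does not give the real maximum
   string length or the fixed increment, so these are placeholders. */
#define MAX_STR_LEN      256u
#define FIXED_INCREMENT  16u

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_NOT_CALL, PARSE_BAD_PROGRAM,
                    PARSE_NOT_INFORMIX, PARSE_CRED_OVERRUN, PARSE_STR_OVERRUN };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Size calculation as the page describes it: above the maximum, the increment
   is added to the attacker-supplied length with no wraparound check.  This is
   pure arithmetic (no allocation); the small-string branch is an assumption. */
uint32_t alloc_size_unchecked(uint32_t str_len) {
    if (str_len <= MAX_STR_LEN)
        return MAX_STR_LEN + FIXED_INCREMENT;
    return str_len + FIXED_INCREMENT;   /* wraps when str_len > UINT32_MAX - 16 */
}

/* Hardened calculation: reject lengths exceeding the bytes actually present
   or that would wrap once the increment is added.  Returns 0 on success. */
int alloc_size_checked(uint32_t str_len, uint32_t bytes_available, uint32_t *out) {
    if (str_len > bytes_available) return -1;              /* claims more than was sent */
    if (str_len > UINT32_MAX - FIXED_INCREMENT) return -1; /* str_len + inc would wrap */
    *out = str_len + FIXED_INCREMENT;
    return 0;
}

/* Validate an Informix-flavor portmapper call and locate the credential string.
   Every declared length is bounded by the enclosing structure before use. */
enum parse_status parse_informix_call(const uint8_t *msg, size_t msg_len,
                                      uint32_t *str_len, const uint8_t **str) {
    if (msg_len < OFF_CRED_BODY) return PARSE_TRUNCATED;
    if (be32(msg + OFF_MSG_TYPE) != MSG_CALL) return PARSE_NOT_CALL;
    if (be32(msg + OFF_PROGRAM) != PORTMAP_PROGRAM) return PARSE_BAD_PROGRAM;
    if (be32(msg + OFF_CRED_FLAVOR) != INFORMIX_FLAVOR) return PARSE_NOT_INFORMIX;
    uint32_t cred_len = be32(msg + OFF_CRED_LEN);
    if (cred_len > msg_len - OFF_CRED_BODY) return PARSE_CRED_OVERRUN;
    if (cred_len < 4) return PARSE_TRUNCATED;
    const uint8_t *body = msg + OFF_CRED_BODY;
    uint32_t n = be32(body);
    if (n > cred_len - 4) return PARSE_STR_OVERRUN; /* string longer than its container */
    *str_len = n;
    *str = body + 4;
    return PARSE_OK;
}

/* Build a constructed call message so the parser can run offline; str_len_field
   lets the declared string length disagree with the data actually appended. */
size_t build_call(uint8_t *out, size_t cap, uint32_t flavor,
                  uint32_t str_len_field, const char *s) {
    size_t slen = strlen(s), total = OFF_CRED_BODY + 4 + slen;
    if (cap < total) return 0;
    memset(out, 0, total);
    put_be32(out + 0x00, 1);                          /* XID (constructed) */
    put_be32(out + OFF_MSG_TYPE, MSG_CALL);
    put_be32(out + OFF_RPC_VER, RPC_VERSION);
    put_be32(out + OFF_PROGRAM, PORTMAP_PROGRAM);
    put_be32(out + 0x10, 2);                          /* program version */
    put_be32(out + 0x14, 0);                          /* procedure (placeholder) */
    put_be32(out + OFF_CRED_FLAVOR, flavor);
    put_be32(out + OFF_CRED_LEN, (uint32_t)(4 + slen));
    put_be32(out + OFF_CRED_BODY, str_len_field);
    memcpy(out + OFF_CRED_BODY + 4, s, slen);
    return total;
}

/* Runs the scenarios; returns how many expectations held (6 when all do). */
int self_check(void) {
    uint8_t m[64]; uint32_t n = 0, sz = 0; const uint8_t *s = NULL; int ok = 0;
    size_t len = build_call(m, sizeof m, INFORMIX_FLAVOR, 8, "informix");
    ok += (parse_informix_call(m, len, &n, &s) == PARSE_OK && n == 8);
    ok += (alloc_size_checked(n, n, &sz) == 0 && sz == 24);
    /* Declared length far larger than the data: rejected before any arithmetic. */
    len = build_call(m, sizeof m, INFORMIX_FLAVOR, 0xFFFFFFF8u, "informix");
    ok += (parse_informix_call(m, len, &n, &s) == PARSE_STR_OVERRUN);
    ok += (alloc_size_unchecked(0xFFFFFFF8u) == 8);      /* wraps to an undersized buffer */
    ok += (alloc_size_checked(0xFFFFFFF8u, 8, &sz) != 0); /* hardened version refuses */
    len = build_call(m, sizeof m, 0, 8, "informix");      /* other flavors are skipped */
    ok += (parse_informix_call(m, len, &n, &s) == PARSE_NOT_INFORMIX);
    return ok;
}

int main(void) { printf("checks passed: %d of 6\n", self_check()); return 0; }
```

The two points a defender should take from the example are that the wraparound happens in the size computation, not the copy, so a check on the copy alone cannot catch it, and that bounding every declared length by the bytes actually received rejects the malformed credentials structure before any size arithmetic is reached.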

SonicWALL has an IPS signature deployed which detects and blocks generic attacks targeting the Portmapper service. The following IPS signature is effective protection against attacks targeting this vulnerability:

  • 2068 – Novell NetWare Portmapper BO Attempt

This vulnerability has been assigned the id CVE-2009-2753 by Mitre.
