IBM solidDB Authentication Bypass (April 8, 2011)
IBM solidDB is a relational database management system comprising an in-memory database as well as a traditional on-disk database. solidDB listens on two ports by default, TCP/1315 or TCP/2315. The format of the protocol used for network communication is proprietary and unpublished. However, it can be observed that every message has a 15-byte header followed by the data portion. The message header has the following format:
Offset    Size   Description
--------  -----  ---------------------
0x0000    1      Unknown
0x0001    1      Unknown
0x0002    1      Unknown
0x0003    2      command type
0x0005    2      Unknown
0x0007    4      Unknown
0x000b    4      byte order specification
0x000f    ?      type-specific data
A breakdown of the type-specific data for the observed authentication-related command follows:
Offset    Size   Description
--------  -----  ---------------------
0x0000    4      Unknown
0x0004    4      Unknown
0x0008    4      username length
0x000c    L      username
0x000c+L  4      password hash length
0x0010+L  M      password hash
An authentication bypass vulnerability exists in the IBM solidDB product. The server allows the remote client to specify the password-hash length value. Any length value above 1 is accepted and used to validate the user-supplied password hash. Thus, by setting the password hash length to the minimum allowed value, an attacker can force the server to compare only a few bytes of the hash. Because a hash of only a few bytes has far fewer possible values, an attacker can bypass authentication by trying every possible value. A remote, unauthenticated attacker may exploit this vulnerability by sending messages with specially crafted password hash length and hash fields. Successful exploitation would allow the attacker to bypass the authentication checks of the database server.
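The following is an added example, not code from the advisory or from SonicWall or IBM, showing how a defender could parse the header and authentication layout described above and flag authentication messages whose declared password-hash length is shorter than what a legitimate client sends. Everything not stated on the page is an assumption: the length fields are read as big-endian, the command-type value used for the samples (`0x0001`) is a placeholder, and `EXPECTED_HASH_LEN` is a threshold an operator would set from observed benign logins. The sample messages are constructed test fixtures built from the page's own field layout.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

HEADER_LEN = 15        # page: 15-byte header precedes the data portion
AUTH_FIXED_LEN = 12    # page: two 4-byte Unknown fields + 4-byte username length

# ASSUMPTION (not from the page): hash length a legitimate client sends.
# An operator would derive this value from known-good login traffic.
EXPECTED_HASH_LEN = 16


@dataclass
class Header:
    command_type: int    # header offset 0x0003, 2 bytes
    byte_order: int      # header offset 0x000b, 4 bytes (carried, not interpreted here)


@dataclass
class AuthCommand:
    header: Header
    username: bytes
    password_hash: bytes
    declared_hash_len: int   # the client-controlled length field the bug trusts


def parse_header(msg: bytes) -> Header:
    """Parse the 15-byte solidDB message header (big-endian assumed)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the 15-byte header")
    command_type = struct.unpack_from(">H", msg, 3)[0]
    byte_order = struct.unpack_from(">I", msg, 11)[0]
    return Header(command_type, byte_order)


def parse_auth(msg: bytes) -> AuthCommand:
    """Parse the authentication command body laid out after the header."""
    hdr = parse_header(msg)
    body = msg[HEADER_LEN:]
    if len(body) < AUTH_FIXED_LEN:
        raise ValueError("authentication body too short")
    user_len = struct.unpack_from(">I", body, 8)[0]
    off = AUTH_FIXED_LEN
    if len(body) < off + user_len + 4:
        raise ValueError("truncated username or missing hash length")
    username = body[off:off + user_len]
    off += user_len
    hash_len = struct.unpack_from(">I", body, off)[0]
    off += 4
    if len(body) < off + hash_len:
        raise ValueError("truncated password hash")
    return AuthCommand(hdr, username, body[off:off + hash_len], hash_len)


def is_suspicious(cmd: AuthCommand) -> bool:
    """A declared hash length below the expected size is the bypass precondition."""
    return cmd.declared_hash_len < EXPECTED_HASH_LEN


def flag_messages(msgs: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every message a monitor should alert on."""
    findings = []
    for i, m in enumerate(msgs):
        try:
            cmd = parse_auth(m)
        except ValueError as e:
            findings.append((i, f"malformed: {e}"))
            continue
        if is_suspicious(cmd):
            findings.append((i, f"short password hash length {cmd.declared_hash_len}"))
    return findings


def make_sample_auth(username: bytes, pw_hash: bytes,
                     command_type: int = 0x0001, byte_order: int = 0) -> bytes:
    """Constructed test fixture following the page's layout; command_type is a placeholder."""
    header = (bytes(3) + struct.pack(">H", command_type) + bytes(2)
              + bytes(4) + struct.pack(">I", byte_order))
    body = (bytes(8) + struct.pack(">I", len(username)) + username
            + struct.pack(">I", len(pw_hash)) + pw_hash)
    return header + body


if __name__ == "__main__":
    samples = [
        make_sample_auth(b"dba", bytes(EXPECTED_HASH_LEN)),   # normal-looking login
        make_sample_auth(b"dba", b"\x00\x01"),                # undersized hash field
    ]
    for idx, reason in flag_messages(samples):
        print(f"message {idx}: {reason}")
```

The detector keys on the one field the advisory identifies as attacker-controlled, the declared hash length, rather than on hash content, so it does not need to know the proprietary hash format; it also reports truncated messages, since a parser that silently accepts them would miss the same class of malformed input.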
SonicWall has released a new IPS signature to detect and block attack attempts targeting this vulnerability. The following signature was released:
- 6422 – IBM solidDB solid.exe Authentication Bypass