Security Advisory: Informix - SQ_ONASSIST DoS Attack 12/04/07
Background
The Informix Dynamic Server (IDS) is a database software package from IBM available for open systems (Unix and Windows). Client software uses a proprietary protocol to communicate with the IDS over a TCP/IP network. Protocol messages are used for session setup, authentication and data transfer.
Scope
Imperva’s Application Defense Center has conducted extensive research on the Informix network communication protocol and its implementation. As part of this research, the team has identified a vulnerability in the handling of the SQ_ONASSIST message that allows an attacker to terminate the IDS service, effectively denying service to all database users.
Findings
An attacker can send a SQ_ONASSIST message with an unexpected parameter, causing the server process to crash.
Details
A SQ_ONASSIST message may be sent by the client to ask the server for information about some parts of its inner workings. The SQ_ONASSIST message includes a length parameter field and an ON-ASSIST sub-function, which may hold any one of the following 4 parameters: PDT_SET, PDT_UNSET, PDT_SEND_Server_Messages, FLUSH_Server_Internal_Cache.
A single SQ_ONASSIST message sent to the server with the parameter PDT_SEND_Server_Messages without first sending a SQ_ONASSIST message containing the parameter PDT_SET causes the server to panic and terminate unexpectedly.
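The ordering condition described above can be watched for per session on a monitoring point in front of the server. The following is an added example, not part of the Imperva advisory or any IBM code: it assumes a hypothetical upstream decoder that already yields (session id, ON-ASSIST sub-function name) pairs, does not model the wire format, and treats PDT_UNSET as clearing the state (an assumption the advisory does not confirm).

```python
from dataclasses import dataclass, field

# Sub-function names exactly as listed in the advisory.
PDT_SET = "PDT_SET"
PDT_UNSET = "PDT_UNSET"
PDT_SEND = "PDT_SEND_Server_Messages"
FLUSH = "FLUSH_Server_Internal_Cache"
KNOWN = {PDT_SET, PDT_UNSET, PDT_SEND, FLUSH}


@dataclass
class OnAssistMonitor:
    """Per-session tracker for the SQ_ONASSIST ordering condition."""
    armed: dict = field(default_factory=dict)  # session id -> PDT_SET seen

    def observe(self, session_id, subfunction):
        """Return an alert string for a suspicious message, else None."""
        if subfunction not in KNOWN:
            return f"{session_id}: unknown ON-ASSIST sub-function {subfunction!r}"
        if subfunction == PDT_SET:
            self.armed[session_id] = True
        elif subfunction == PDT_UNSET:
            # Assumption: PDT_UNSET returns the session to the not-set state.
            self.armed[session_id] = False
        elif subfunction == PDT_SEND and not self.armed.get(session_id, False):
            return f"{session_id}: {PDT_SEND} without prior {PDT_SET}"
        return None

    def close(self, session_id):
        """Forget a finished session so a reused id starts clean."""
        self.armed.pop(session_id, None)


def scan(events):
    """Run the monitor over (session_id, subfunction) pairs; collect alerts."""
    monitor = OnAssistMonitor()
    return [a for sid, sub in events if (a := monitor.observe(sid, sub))]


# Constructed sample events (hypothetical decoder output, not captured traffic).
SAMPLE_EVENTS = [
    ("s1", PDT_SET), ("s1", PDT_SEND),                      # expected order
    ("s2", PDT_SEND),                                       # no PDT_SET first
    ("s3", PDT_SET), ("s3", PDT_UNSET), ("s3", PDT_SEND),   # set, then cleared
    ("s1", FLUSH),                                          # unrelated call
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On unpatched servers an alert from this check is a reason to block or drop the session before the message reaches IDS; the fix itself is the upgrade listed under Workaround.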
Exploit
Establish a connection with the server and send it a SQ_ONASSIST message containing the parameter PDT_SEND_Server_Messages, without first sending a SQ_ONASSIST message with the PDT_SET parameter.
Tested Versions
Vulnerable
IBM Informix Dynamic Server Version 10.00
IBM Informix Dynamic Server Version 11.00
Not Vulnerable
IBM Informix Dynamic Server Version 9.40.FC9 HP-UX 11i Platform
Vendor’s Status
History
Notified on August 19, 2007
Fixed in October 2007
URL
Internal Code
APAR IC54369, IC53588
Workaround
Upgrade to IDS 10.00.*C7W1 or IDS 11.10.*C2
Discovered by Noa Bar-Yosef of the Imperva ADC
Disclaimer
The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright © 2007 Imperva, Inc. Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, contact adc@imperva.com for permission.