IBM IDS librpc.dll Buffer Overflow

March 5, 2010

IBM Informix is a family of relational database management system (RDBMS) products. The Informix Dynamic Server (IDS) is an online transaction processing data server. Numerous RPC services included in IDS are provided through the Portmapper facility. Portmapper is a service that runs on many Unix-based operating systems for the purpose of mapping SunRPC program numbers to network addresses. The portmapper protocol uses the SunRPC message format, which supports an authentication mechanism. The RPC header has the following structure:

Offset Size Description
------ ---- -----------------------------------------------------
0x00   4    XID
0x04   4    Message Type: Call (0)
0x08   4    RPC Version: 2
0x0C   4    Program: Portmap (100000)
0x10   4    Program Version: 2
0x14   4    Procedure
0x18   4    Credentials - Flavor
0x1C   4    Credentials - Length
0x20   x    Credentials - Structure

The layout of the Credentials Structure field depends on the value of Credentials Flavor. Informix uses a proprietary Credentials Flavor which is identified by the value 0x753D. The structure of this proprietary authentication mechanism is not fully known; however, it is apparent that at least one string parameter, preceded by a value denoting its length, is expected.

There is a heap buffer overflow vulnerability in the RPC library of the IBM Informix portmapper module, librpc.dll. The vulnerability is due to improper boundary checking of the string parameter in the Informix flavor credentials structure.

The vulnerable function checks the length of the included string against a maximum value. If the string length is larger than the maximum, it is incremented by a fixed value and used as the size of the buffer to be allocated. A copy operation then ensues which copies the entire string into the allocated buffer. If the supplied string length value is large enough that the increment wraps the integer around, then a buffer that is too small will be allocated. This will result in critical memory being overwritten by the string copy operation.

An attacker can craft a malicious Portmapper RPC message which may exploit this flaw, leading to remote code execution in the context of the service.
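
The size calculation described above, shown next to a bounds-checked form, as an added example that is not code from librpc.dll or from IBM. The increment CRED_PAD, the limit CRED_MAX_STRING and both function names are assumptions made for illustration; the page does not give the real values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CRED_PAD        8u    /* assumed fixed increment (not from the advisory) */
#define CRED_MAX_STRING 255u  /* assumed policy limit for the hardened path */

/* Flawed pattern: the attacker-supplied length is incremented in 32-bit
 * arithmetic, so a value close to 2^32 wraps to a tiny allocation size.
 * Only the arithmetic is modelled here; no copy is performed. */
uint32_t alloc_size_unchecked(uint32_t declared_len)
{
    return declared_len + CRED_PAD;   /* wraps modulo 2^32 */
}

/* Hardened pattern: reject the declared length before it is used to
 * size anything. Returns a NUL-terminated heap copy, or NULL if rejected. */
char *copy_cred_string_checked(const uint8_t *src, size_t avail,
                               uint32_t declared_len)
{
    if (src == NULL)
        return NULL;
    if (declared_len > CRED_MAX_STRING)   /* above the policy bound */
        return NULL;
    if ((size_t)declared_len > avail)     /* more than was actually received */
        return NULL;

    /* declared_len <= 255 here, so the addition cannot wrap. */
    size_t size = (size_t)declared_len + CRED_PAD;
    char *buf = calloc(1, size);          /* zero-filled, so the copy is terminated */
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, declared_len);
    return buf;
}

int main(void)
{
    const uint8_t sample[] = "informix";  /* constructed sample string */
    printf("unchecked size for 0xFFFFFFFC: %u\n",
           (unsigned)alloc_size_unchecked(0xFFFFFFFCu));
    char *ok = copy_cred_string_checked(sample, 8, 8);
    printf("valid length accepted: %s\n", ok ? ok : "(rejected)");
    free(ok);
    printf("wrapping length rejected: %s\n",
           copy_cred_string_checked(sample, 8, 0xFFFFFFFCu) ? "no" : "yes");
    return 0;
}
```

The check that matters is the comparison of the declared length against both a fixed limit and the number of bytes actually present in the message, done before any addition or allocation.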

SonicWALL has an IPS signature deployed which detects and blocks generic attacks targeting the Portmapper service. The following IPS signature is effective protection against attacks targeting this vulnerability:

  • 2068 - Novell NetWare Portmapper BO Attempt

This vulnerability has been assigned the ID CVE-2009-2753 by MITRE.