
Penetration Testing mailing list archives

Re: [PEN-TEST] Informix
From: "Craig, Scott" <SCraig () KMART COM>
Date: Fri, 29 Sep 2000 08:39:58 -0400

Mark,

   I know you're asking for more of a DB scanner equivalent that handles
Informix, and I'd be interested in finding out if there's one as well.

   I'm not an Informix administrator or anything, but I have done a few
overall security reviews of systems that use Informix. Informix relies on
Unix accounts for its database account access. ODBC connections into a
server using Informix can be vulnerable. Check the $INFORMIXDIR/etc/sqlhosts
file for a lead on shared databases. Find out if there is more than one
client application using the database, and then check ODBC settings on a PC
for each application. See if they use a fixed username/password for
accessing the database. Evaluate the Unix server host security as well. If
users access the database from Unix, or if some users other than
administrators can access a Unix shell on the server, I would bet that any
regular user could update (wipe-out) data in all tables not tied to database
internal operation, in other words, every table where the application stores data.
If you have a security-minded database administrator, this may not be the
case.

    Sometimes the applications also add their own security. Identify the
tables where application security information is held. If the application
has various authorization levels, such as an admin level, see if a normal
user could update the table and grant themselves admin level access. If the
application allows an application admin to add users, this may also mean
there's something going on that adds a Unix account. Check for set-uid root
programs from the application. If they exist, inspect the source code (4GL,
embedded-C, whatever).

   Also check the raw partitions on the Unix host, and then check the
filesystem permissions to those partitions. Use the Informix command "onstat
-d" for printing spaces and chunks to determine the partitions, and check
the onconfig files in $INFORMIXDIR/etc. The DBA can probably tell you
exactly where the partitions are... such as /dev/rootdbs .. or whatever they
call it. I believe they can put them just about anywhere.

Scott Craig
Information Security
Kmart Corporate Headquarters, Troy, MI
scraig () kmart com


                -----Original Message-----
                From:   Hyde, Mark (GEO) [mailto:Mark.Hyde () COMPAQ COM]
                Sent:   Thursday, September 28, 2000 4:59 AM
                To:     PEN-TEST () SECURITYFOCUS COM
                Subject:        [PEN-TEST] Informix

                Hello,

                I have been mandated to audit a critical Informix database
                application on Unix.

                I would be very grateful for pointers to known security
                vulnerabilities or backdoors (weak default installation
                settings, built-in passwords etc) that are specific to
                Informix. Also if there are any tools out there - freeware
                or commercial that can help to break the informix security.

                I have used DB scanner from ISS - but this does not perform
                audits of Informix. If a similar tool exists I would like
                to know about it.

                Any help, tips or tricks would be much appreciated.

                Thanks in advance,

                Mark Hyde
                Compaq Professional Services
                IT security consultant CISSP, CISA, MCSE.
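
The raw-partition permission check from Scott Craig's reply, as an added example that is not part of the original thread: it takes "onstat -d" text, pulls out the chunk pathnames, and reports any path that grants access to "other" users. The function names, the constructed sample output and the assumption that the pathname is the last column are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): flag Informix chunk paths
# that grant access to "other" users.

# Pull chunk pathnames out of "onstat -d" text on stdin. Assumption: the
# pathname is the last column, absolute, and contains no whitespace.
chunk_paths() {
    awk 'NF > 1 && $NF ~ /^\// { print $NF }' | sort -u
}

# Print "STATUS mode owner:group path" for one chunk path.
check_chunk() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "MISSING - -:- $p"
        return 0
    fi
    # -L follows symlinks: chunk names are often links to the raw device.
    ls -ldL "$p" | {
        read -r mode _links owner group _rest
        case $(printf '%s' "$mode" | cut -c8-10) in
            ---) status=OK ;;
            *w*) status=WORLD-WRITABLE ;;
            r*)  status=WORLD-READABLE ;;
            *)   status=OTHER-ACCESS ;;
        esac
        echo "$status $mode $owner:$group $p"
    }
}

# Usage on a live host: onstat -d | audit_chunks
audit_chunks() {
    chunk_paths | while IFS= read -r p; do check_chunk "$p"; done
}

# Constructed sample resembling "onstat -d" output; $1 is a directory
# holding stand-in chunk files (hypothetical names, not real devices).
sample_onstat_d() {
    cat <<EOF
Dbspaces
address  number flags   fchunk nchunks pgsize flags owner    name
a1000000 1      0x1     1      1       2048   N     informix rootdbs
Chunks
address  chunk/dbs offset size   free  bpages flags pathname
a2000000 1    1    0      50000  1200         PO-B  $1/rootdbs
a3000000 2    2    0      50000  4800         PO-B  $1/datadbs
a4000000 3    2    0      50000  4800         PO-B  $1/gonedbs
EOF
}
```

The owner and group are printed for manual review rather than compared against a fixed account, since the expected owner depends on how the instance was installed.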

