DB2 - L

  • 1.  Unicode vulnerability

    Posted Nov 08, 2021 03:12 PM
    I'm being asked about a recent announcement of a vulnerability in the Unicode specification. The announcements are CVE-2021-42574 and CVE-2021-42694. I have been unable to find any articles referring to Db2; has anyone else heard or seen anything?


    Thanks, 

    Kirk Hampton



  • 2.  RE: Unicode vulnerability

    Posted Nov 08, 2021 03:26 PM
    Hi Kirk,
    my first information was from this German online IT magazine https://www.golem.de/news/trojan-source-programmiersprachen-lassen-sich-per-unicode-trojanisieren-2111-160751.html
    and some tweet https://twitter.com/LiveOverflow/status/1455288276764532737?s=20
    pointing to https://trojansource.codes

    Well, yes, interesting concept, but I see not much danger if you don't bring foreign source code into your system while using an editor which is not capable of showing unprintable signs.

    A plain old US developer will never see these attacks as long as he still sticks to 7-bit ASCII! :-D

    cheers
    Roland


    ------------------------------
    Roland Schock
    ARS Computer und Consulting GmbH
    ------------------------------



  • 3.  RE: Unicode vulnerability

    Posted Nov 10, 2021 06:40 AM
    Related to Db2...probably not.

    If I'm reading this right...and I may not be...this has to do with this modern development architecture where code links out to repositories not controlled by your institution. Someone could write some code in one of these repositories that, when driven through the compiler, could modify other code you're pulling into your deployment and inject something nefarious.

    Best way to protect against this is what Roland said...make sure if you're drawing in dependencies, they're coming from repositories you trust! Don't just grab something off of GitHub without validating it.


    But that's a developer concern. Regarding Db2...I don't know of anyone that's loading actual CODE from Unicode fields in the database. If you ARE, it's on whoever is receiving the data and storing it in your database to sanitize it. You could probably hack something up to look for certain character strings...but I'd say that's really not something the DBA should need to do, unless you've specifically been tasked to protect your development teams from doing absurdly reckless stuff.

    The only "code" that commonly gets stored in Db2 would be something like native SQL procedures...and again, on the developer to write secure code and not just cut-and-paste some bizarro-glyphs from the InterWebs.

    "Always sanitize everything" is a good rule-of-thumb. :)



    ------------------------------
    MarkWieczorkowski...
    ------------------------------



  • 4.  RE: Unicode vulnerability

    Posted Nov 10, 2021 06:58 AM

    Little Bobby Tables.  Knew him at school.  A wee forker he was, too.

    Just today I had someone ask me how to get rid of 'dodgy' data inserted into a table.  Seems some off-host front-end allowed a customer to enter their name as 'O'Reilly' and somewhere along the chain it's been translated into some gibberish non-displayable character, so it appears as 'O.Reilly'.  Handy.  Short-term bodge: use REPLACE to hide it.  Better fix: fix the data.  Even better fix: write your code correctly, validate the input and store the values sans translation jiggery-pokery.

    This t'interweb thing will never catch on...

    And yes, technically . is a displayable character but you get what I mean.

    Cheers,

    Raymond






  • 5.  RE: Unicode vulnerability

    Posted Nov 16, 2021 04:35 PM
    Thank you all for the responses, I totally agree with what you are saying.
    And that all jibes with my take on what I had been reading regarding this vulnerability.
    Not a lot of experience with Unicode on a daily basis in my mainframe world,
    but I had been asked to explore our exposure to this vulnerability.
     
    Thanks, 

    Kirk Hampton








  • 6.  RE: Unicode vulnerability

    Posted Nov 10, 2021 07:59 AM
    Challenge accepted!   (Not that I really had much time for it, but as others were also commenting on this.)
    In reference to https://trojansource.codes/trojan-source.pdf

    I don't know if the source code survives the copy and paste into this forum:

    --#SET TERMINATOR @

    CREATE OR REPLACE PROCEDURE sayHello (IN myFriend VARCHAR(100), OUT res VARCHAR(100))
    LANGUAGE SQL
    CONTAINS SQL
    NO EXTERNAL ACTION
    BEGIN
    SET res='Hello '||myFriend||'!';--
    RETURN ;--
    END@

    CREATE OR REPLACE PROCEDURE sayНello (IN myFriend VARCHAR(100), OUT res VARCHAR(100))
    LANGUAGE SQL
    CONTAINS SQL
    NO EXTERNAL ACTION
    BEGIN
    SET res='Привет '||myFriend||'!';--
    RETURN ;--
    END@

    CREATE OR REPLACE FUNCTION return_World()
    RETURNS VARCHAR(100)
    LANGUAGE SQL
    CONTAINS SQL
    NO EXTERNAL ACTION
    BEGIN ATOMIC
    DECLARE out_val VARCHAR(100);--
    SET out_val='Hello Function!' ;--
    RETURN out_val;--
    END@

    CREATE OR REPLACE FUNCTION return_Wоrld()
    RETURNS VARCHAR(100)
    LANGUAGE SQL
    CONTAINS SQL
    NO EXTERNAL ACTION
    BEGIN ATOMIC
    DECLARE out_val VARCHAR(100);--
    SET out_val='Привет Function!' ;--
    RETURN out_val;--
    END@

    CALL sayHello('Peter',?)@
    CALL sayНello('Алексей',?)@
    values (current timestamp,return_World())@
    values (current timestamp,return_Wоrld())@

    Executed under Linux (in a shell, where I have UTF-8):

    $ db2 -xtf testFunction.db2
    DB20000I The SQL command completed successfully.

    DB20000I The SQL command completed successfully.

    DB20000I The SQL command completed successfully.

    DB20000I The SQL command completed successfully.


    Value of output parameters
    --------------------------
    Parameter Name : RES
    Parameter Value : Hello Peter!

    Return Status = 0


    Value of output parameters
    --------------------------
    Parameter Name : RES
    Parameter Value : Привет Алексей!

    Return Status = 0

    2021-11-10-04.50.24.415411 Hello Function!

    2021-11-10-04.50.24.422630 Привет Function!

    You might notice the small differences between the ASCII 'H' and the Cyrillic 'Н', as well as between the 'o' and 'о'.
    So Db2 for LUW 11.5.7 accepts UTF-8 chars and can distinguish between them. I haven't tried the Right-to-Left, Left-to-Right thingy he uses to obfuscate code.

    Cheers
    Roland

    ------------------------------
    Roland Schock
    ARS Computer und Consulting GmbH
    ------------------------------
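    Mark's suggestion above of "hacking something up to look for certain character strings", applied to the look-alike procedures Roland demonstrates: the following is an added example, not code from the thread, that scans SQL text for the two Trojan Source patterns (bidi formatting characters, CVE-2021-42574, and mixed-script or look-alike identifiers, CVE-2021-42694). The sample SQL is constructed and the small Cyrillic-to-Latin confusable map is hand-picked, not a complete table.

    ```python
    import re
    import unicodedata
    from collections import defaultdict

    # Bidi formatting characters used for the Trojan Source reordering trick (CVE-2021-42574):
    # LRE/RLE/PDF/LRO/RLO (U+202A..U+202E) and LRI/RLI/FSI/PDI (U+2066..U+2069).
    BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}

    # Hand-picked Cyrillic letters that render like Latin ones (given as code points on purpose,
    # so this source file itself contains no look-alike glyphs). Not a complete confusables table.
    CONFUSABLES = str.maketrans({
        "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H",
        "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
        "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",
    })

    IDENT_RE = re.compile(r"\w+")  # \w is Unicode-aware for str patterns

    def scripts_in(identifier):
        """Set of scripts in an identifier, taken from the first word of each letter's Unicode name."""
        return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in identifier if ch.isalpha()}

    def skeleton(identifier):
        """Fold confusable Cyrillic letters onto their Latin look-alikes so variants collide."""
        return identifier.translate(CONFUSABLES)

    def scan_sql(text):
        """Return findings: bidi controls per line, mixed-script identifiers, and look-alike groups."""
        findings = {"bidi": [], "mixed_script": [], "lookalike_groups": []}
        by_skeleton = defaultdict(set)
        for lineno, line in enumerate(text.splitlines(), 1):
            findings["bidi"].extend((lineno, "U+%04X" % ord(ch)) for ch in line if ch in BIDI_CONTROLS)
            for ident in IDENT_RE.findall(line):
                if len(scripts_in(ident)) > 1:
                    findings["mixed_script"].append((lineno, ident))
                by_skeleton[skeleton(ident)].add(ident)
        for variants in by_skeleton.values():
            if len(variants) > 1:  # two spellings that look the same once confusables are folded
                findings["lookalike_groups"].append(sorted(variants))
        return findings

    # Constructed sample mirroring the thread's procedures: Cyrillic EN in sayHello, Cyrillic O in
    # return_World, plus a right-to-left override hidden inside a trailing SQL comment.
    SAMPLE_SQL = (
        "CREATE OR REPLACE PROCEDURE sayHello (IN myFriend VARCHAR(100), OUT res VARCHAR(100))\n"
        "CREATE OR REPLACE PROCEDURE say\u041dello (IN myFriend VARCHAR(100), OUT res VARCHAR(100))\n"
        "CREATE OR REPLACE FUNCTION return_World()\n"
        "CREATE OR REPLACE FUNCTION return_W\u043erld()\n"
        "SET res='Hello '||myFriend||'!';-- \u202e bidi override inside a comment\n"
    )

    if __name__ == "__main__":
        print(scan_sql(SAMPLE_SQL))
    ```
    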