CVE-2004-2489
Description
A format string vulnerability in IBM Informix IDS before 9.40.xC3 allows local users to execute arbitrary code via a crafted INFORMIXDIR environment variable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A format string vulnerability exists in IBM Informix Dynamic Server (IDS) versions before 9.40.xC3. The flaw occurs when the server processes the INFORMIXDIR environment variable. If a local user sets INFORMIXDIR to point to a directory containing a file whose filename includes format string specifiers (e.g., %s, %n), the server interprets these specifiers during error message construction or logging, leading to arbitrary code execution. Affected versions include 9.40.xC1 and 9.40.xC2 (tested on 9.40.UC1) [2].
Exploitation
An attacker must have local access to the system and the ability to set the INFORMIXDIR environment variable. The attacker creates a file with a name containing format string specifiers in a directory they control, then sets INFORMIXDIR to that directory. When Informix IDS processes the environment variable (e.g., during startup or when accessing configuration files), the format string is evaluated, potentially allowing the attacker to overwrite memory and execute arbitrary code. No authentication beyond local shell access is required [2].
Impact
Successful exploitation allows a local attacker to execute arbitrary code with the privileges of the Informix IDS process, which typically runs as a privileged user (e.g., informix). This can lead to full compromise of the database server and potentially the host system, including data theft, modification, or denial of service [2].
Mitigation
IBM released a fix in version 9.40.xC3. Users should upgrade to 9.40.xC3 or later. If upgrading is not immediately possible, restrict local access to trusted users only and monitor the INFORMIXDIR environment variable. No other workarounds are documented in the available references [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc2:*:*:*:*:*:*:*
- (no CPE) version range: < 9.40.xC3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Format string vulnerability in error-message printing: the INFORMIXDIR environment variable controls the path from which message files are loaded, and those message files are passed directly to printf() without a format string, allowing an attacker to inject format specifiers."
Attack vector
A local attacker sets the INFORMIXDIR environment variable to point to a directory tree they control, then creates a copy of the Informix message file (e.g., olutil.iem) with format string specifiers (such as %n) embedded in the message text [ref_id=1]. When a setuid-root or setgid-informix binary (e.g., oncheck, ontape, onparams) is executed, it reads the tampered message file and passes its contents to printf(), causing the format string to be evaluated [ref_id=1]. This allows the attacker to overwrite arbitrary memory and escalate privileges to the informix group or root, depending on which binary is exploited [ref_id=1].
Affected code
The vulnerability affects multiple setuid-root and setgid-informix binaries in IBM Informix IDS 9.40.xC1 and 9.40.xC2, including oninit, onmode, ontape, onparams, oncheck, onmonitor, and others [ref_id=1]. The format string is triggered in the printf() call at address 0x0804b946 in main() of oncheck, and the message file path is constructed via gl_path_search1() [ref_id=1].
What the fix does
The advisory states that IBM addressed the issue in fix pack releases IDS 9.40.UC3, 9.30.UC7, and 7.31.UD7 [ref_id=1]. No patch diff is available in the bundle, but the remediation involves updating to these patched versions, which presumably sanitize format strings in error messages or prevent untrusted message file paths from being used by setuid binaries [ref_id=1].
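The root cause above is the classic format-string pattern: text read from a file whose location is chosen through an environment variable ends up as the first argument of printf(). The following C snippet is an added illustration written for this page; it is not Informix code and does not reproduce the vendor's fix. It places the buggy call (kept behind a macro so it is not compiled by default) beside the hardened form, and adds the input check a defensively written message-file loader would apply: count '%' conversions in text loaded from an untrusted directory and refuse to use it if any are present. Function names and the sample message strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (hypothetical loader), not IBM Informix source.
 *
 * Vulnerable pattern: the message text read from the file becomes the
 * format string itself, so "%s", "%n", ... inside the file are interpreted.
 * Guarded by a macro so the buggy call is visible but never compiled here. */
#ifdef DEMO_VULNERABLE_PATTERN
static void print_message_vulnerable(const char *msg_from_file)
{
    printf(msg_from_file);          /* BUG: untrusted data used as format */
}
#endif

/* Hardened pattern: a constant format string; the file content is only
 * ever passed as a %s argument, so its '%' characters are printed verbatim.
 * Returns the number of characters snprintf would have written. */
int render_message_safe(char *out, size_t outsz, const char *msg_from_file)
{
    return snprintf(out, outsz, "%s", msg_from_file);
}

/* Defensive check for a loader that reads message files from a directory
 * selected by an environment variable (the INFORMIXDIR case on this page):
 * count '%' conversions, treating the escaped "%%" as a literal percent.
 * A legitimate message catalogue entry for a %s-only sink never needs them. */
int count_format_specifiers(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;                        /* any other "%..." is a conversion */
    }
    return n;
}

/* Policy helper: 1 if the loaded text contains no conversions, else 0.
 * A loader would log and discard the file when this returns 0. */
int message_is_trustworthy(const char *msg)
{
    return count_format_specifiers(msg) == 0;
}

int main(void)
{
    /* Constructed sample: a message file entry tampered with a %n conversion. */
    const char *tampered = "oncheck: %n bad page";
    const char *clean    = "oncheck: 100%% of pages checked";
    char buf[64];

    printf("tampered entry has %d conversion(s), trusted=%d\n",
           count_format_specifiers(tampered), message_is_trustworthy(tampered));
    printf("clean entry has %d conversion(s), trusted=%d\n",
           count_format_specifiers(clean), message_is_trustworthy(clean));

    /* Even if a tampered entry slipped through, the %s sink prints it as data. */
    render_message_safe(buf, sizeof buf, tampered);
    printf("rendered safely: %s\n", buf);
    return 0;
}
```

The two defences are independent: the `"%s"` sink removes the bug even for tampered files, and the loader check gives a detection point (a message catalogue containing `%n` or `%s` is a signal worth logging) when the output path cannot be changed, for example in a binary that cannot be rebuilt before the fix pack is applied.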
Preconditions
- Auth: attacker must have local shell access to the system
- Input: attacker must be able to create directories and files under a path they control (e.g., /tmp)
- Input: the INFORMIXDIR environment variable must be settable by the attacker before executing a vulnerable setuid/setgid Informix binary
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/10737 (NVD; Patch; Vendor Advisory)
- www.osvdb.org/3757 (NVD; Patch)
- www.securityfocus.com/bid/9511 (NVD; Patch)
- www-1.ibm.com/support/docview.wss (NVD; Vendor Advisory)
- marc.info (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/14967 (NVD)
News mentions
No linked articles in our index yet.