IBM DB2 Universal Database Administration Server Memory Corruption Vulnerability
9 Feb. 2008
IBM Corp.'s DB2 Universal Database product is "a large database server product commonly used for high end databases. The DB2 Administration Server (DAS) provides functionality that implements the Java-based DB2 Control Center GUI". Remote exploitation of a memory corruption vulnerability within version 9.1 of IBM Corp.'s DB2 Universal Database Administration Server (DAS) allows attackers to crash the service or potentially execute arbitrary code in the context of the affected service.
* DAS (db2dassrm) as included with DB2 9.1 with Fix Pack 2 for both Linux and Windows platforms
When handling certain remote administration requests, the Administration Server uses a 32-bit pointer value supplied by the remote client. By supplying carefully chosen address values, an attacker can cause memory corruption or force the program to access invalid memory locations.
Exploitation allows attackers to crash the service or execute arbitrary code within the context of the affected service. No authentication credentials are required. The attacker only needs the ability to establish a TCP session with the DAS on TCP port 523.
By default this service runs as "dasusr1" on Linux and "db2admin" on Windows. In the Linux version of the DAS, the process is monitored by a fault monitoring process and will restart automatically after a few seconds. This monitoring process does not exist in the Windows version.
Employing firewalls to limit access to the affected service will mitigate exposure to this vulnerability.
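An added example, not part of the original advisory or any IBM tooling: a local check for a Linux host that reads the kernel's IPv4 socket table (/proc/net/tcp) and reports whether anything is listening on the DAS port 523 and on which address, so the firewall scope can be matched to the actual exposure. The sample table, the uid values and the function names are constructed for illustration; a little-endian host is assumed and IPv6 listeners (/proc/net/tcp6) are not covered.

```python
import ipaddress
import socket
import struct

DAS_PORT = 523      # TCP port the advisory names for the DAS
TCP_LISTEN = 0x0A   # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:020B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20511 1
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 20620 1
   2: 0500000A:020B 0700000A:D2F0 01 00000000:00000000 00:00000000 00000000  1001        0 20777 1
"""

def decode_ipv4(hex_addr):
    # The kernel prints the address as a native 32-bit word; this assumes a
    # little-endian host (x86/x86-64), so the bytes are reversed.
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def das_listeners(table, port=DAS_PORT):
    """Return (address, uid, exposure) for each IPv4 LISTEN socket on `port`."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port or int(fields[3], 16) != TCP_LISTEN:
            continue                             # other port, or not a listener
        addr = ipaddress.ip_address(decode_ipv4(hex_addr))
        if addr.is_unspecified:
            exposure = "all interfaces"          # reachable wherever the firewall allows
        elif addr.is_loopback:
            exposure = "loopback only"
        else:
            exposure = "single interface"
        # fields[7] is the owning uid; compare it with the DAS service account's uid
        found.append((str(addr), int(fields[7]), exposure))
    return found

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:        # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE                           # fall back to the constructed sample
    for addr, uid, exposure in das_listeners(table):
        print(f"DAS port {DAS_PORT} listening on {addr} (uid {uid}): {exposure}")
```

A listener reported as "all interfaces" is the case where the firewall restriction described above is the only thing limiting who can open a TCP session to the DAS.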
06/18/2007 - Initial vendor notification
06/20/2007 - Initial vendor response
08/14/2007 - V8 Fix Pack 15 made available
08/15/2007 - V9 Fix Pack 3 made available
10/10/2007 - V9 Fix Pack 3a made available
11/13/2007 - V9 Fix Pack 4 made available
01/28/2008 - V8 Fix Pack 16 made available
02/05/2008 - V8 Fix Pack 16 fix list made available
02/07/2008 - Public disclosure