SecuriTeam - IBM DB2 Remote DoS during CONNECT processing

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

When connecting to a remote DB2 instance, the version 7 client typically sends a SQLJRA packet requesting start of the connection. If this SQLJRA packet is specially crafted, it can cause a DoS attack by crashing the DB2 instance. Altering a few bytes at specific offsets in the packet exposes multiple NULL/invalid pointer dereference bugs in the server code. For example, on Windows, if 0x00 is used at any of these offsets, the sqle_db2ra_as_con_database function (from DB2ENGN.DLL) attempts to access NULL or invalid memory locations, causing an unhandled access violation (0xC0000005). This causes the DB2 instance to crash.

Credit:
The information has been provided by Team SHATTER.
The original article can be found at: http://www.appsecinc.com/resources/alerts/db2/2006-09-05.shtml

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* All versions of IBM DB2 Database Server

A malicious CONNECT data stream sent to a DB2 server from V7 client may cause instance crash, resulting in a denial of service. Server crashes with the following stack trace back:
-------Frame------ ------Function + Offset------
0x2022DF24
sqle_db2ra_as_con_database__FP17sqle_db2ra_commonP10sqle_db2raP1
0sqler_glob + 0x268 0x2022D7CC
sqle_db2ra_as_con_driver__FP17sqle_db2ra_commonP10sqle_db2raP10s
qler_glob + 0x2A4 0xDA3AF114 sqledDb2raServerDriver + 0x129C
0xDB3FF900 sqljsDriveRequests__FP13sqle_agent_cbP11UCconHandle +
0x134 0xDB3FC480 sqljsDrdaAsInnerDriver__FP17sqlcc_init_structb
+ 0x2B4 0xDB3FBF60 sqljsDrdaAsDriver__FP17sqlcc_init_struct +
0x10C 0x200464EC sqleRunAgent__FPcUl + 0x578 0xD9598398
sqloCreateEDU__FPFPcUl_vPcUlP13SQLO_EDU_INFOPl + 0x304
0xD9597EF8 sqloSpawnEDU + 0x4CC

Fix:
To fix the problem apply the fixpak 13 for DB2 version 8.1 (same as 8.2 FP6) http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html

CVE Information:
CVE-2006-4257

blog comments powered by Disqus

	ProFTPD Response Pool Use-After-Free Code Execution Vulnerability
	Insight Control for Linux Multiple Vulnerabilities
	HP-UX Running NFS/ONCplus Denial of Service Vulnerability
	HP-UX Running BIND Denial of Service Vulnerability 2011
	HP-UX Running XNTP Denial of Service Vulnerability
	HP-UX Denial of Service Vulnerability
	Webkit Detached Body Element Code Execution Vulnerability
	Mac OS X Compact Font Format Decoder Code Execution Vulnerability
	WebKit WBR Tag Removal Code Execution Vulnerability
	Webkit Undefined DOM Prototype Attach Code Execution Vulnerability
	Apple HFS Information Disclosure Vulnerability
	XPDF arbitrary Arbitrary Code Execution Vulnerabilities
	Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability
	Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability
	HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities