Remote DoS during CONNECT processing

Posted September 1, 2006 by egonzales in Database Security, Database Vendor, IBM DB2, Security Advisory, Topics


Sept 1, 2006

Risk Level: Medium

Affected versions:
All versions of IBM DB2 Database Server

Credits:
This vulnerability was discovered and researched by Vivek Rathod of Application Security, Inc.

Details:
When connecting to a remote DB2 instance, the version 7 client typically sends a SQLJRA packet requesting that the connection be started. If this SQLJRA packet is specially crafted, it can cause a denial of service by crashing the DB2 instance. Altering a few bytes at specific offsets in the packet exposes multiple NULL/invalid pointer dereference bugs in the server code.

For example, on Windows, if 0x00 is used at any of these offsets, the sqle_db2ra_as_con_database function (from DB2ENGN.DLL) attempts to access NULL or invalid memory locations, causing an unhandled access violation (0xC0000005). This causes the DB2 instance to crash.

Impact:
Any remote unauthenticated attacker can crash the DB2 instance.

Vendor Status:
Vendor was contacted and a patch was released.

To fix the problem, apply FixPak 13 for DB2 version 8.1 (the same as 8.2 FixPak 6):
http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html

Links:
IBM APAR: http://www-1.ibm.com/support/entdocview.wss?uid=swg1IY86917
Secunia Advisory: http://secunia.com/advisories/21550/
CVE Reference: http://secunia.com/cve_reference/CVE-2006-4257/
