Remote DoS during CONNECT processing
Sept 1, 2006
Risk Level: Medium
All versions of IBM DB2 Database Server
This vulnerability was discovered and researched by Vivek Rathod of Application Security, Inc.
When connecting to a remote DB2 instance, the version 7 client typically sends a SQLJRA packet requesting start of the connection. If this SQLJRA packet is specially crafted, it can cause a DoS attack by crashing the DB2 instance. Altering a few bytes at specific offsets in the packet exposes multiple NULL/invalid pointer dereference bugs in the server code.
For example, on Windows, if 0×00 is used at any of these offsets, the sqle_db2ra_as_con_database function (from DB2ENGN.DLL) attempts to access NULL or invalid memory locations, causing an unhandled access violation (0xC0000005). This causes the DB2 instance to crash.
Any remote unauthenticated attacker can crash the DB2 instance.
Vendor was contacted and a patch was released.
To fix the problem apply the fixpak 13 for DB2 version 8.1 (same as 8.2 FP6)
IBM APAR: http://www-1.ibm.com/support/entdocview.wss?uid=swg1IY86917
Secunia Advisory: http://secunia.com/advisories/21550/
CVE Reference: http://secunia.com/cve_reference/CVE-2006-4257/