IBM DB2 Remote DoS during CONNECT processing

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: IBM DB2 Remote DoS during CONNECT processing
From: Team SHATTER <shatter@xxxxxxxxxxxxx>
Date: Wed, 13 Dec 2006 14:29:42 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Openpgp: id=64EE14DD
User-agent: Thunderbird 1.5.0.8 (Windows/20061025)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM DB2 Remote DoS during CONNECT processing

AppSecInc Team SHATTER Security Advisory:
http://www.appsecinc.com/resources/alerts/db2/2006-09-05.shtml

Affected versions: All versions of IBM DB2 Database Server

Risk level: Medium

Credits: This vulnerability was discovered and researched by Vivek
Rathod of Application Security Inc.

Details:
When connecting to a remote DB2 instance, the version 7 client typically
sends a SQLJRA packet requesting start of the connection. If this SQLJRA
packet is specially crafted, it can cause a DoS attack by crashing the
DB2 instance. Altering a few bytes at specific offsets in the packet
exposes multiple NULL/invalid pointer dereference bugs in the server code.
For example, on Windows, if 0x00 is used at any of these offsets, the
sqle_db2ra_as_con_database function (from DB2ENGN.DLL) attempts to
access NULL or invalid memory locations, causing an unhandled access
violation (0xC0000005). This causes the DB2 instance to crash.

Impact:
Any remote unauthenticated attacker can crash the DB2 instance.

Vendor Status:
Vendor was contacted and a patch was released.

Fix:
To fix the problem apply the fixpak 13 for DB2 version 8.1 (same as 8.2 FP6)
http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html

Links:
Application Security, Inc advisory:
http://www.appsecinc.com/resources/alerts/db2/2006-09-05.shtml
IBM APAR: http://www-1.ibm.com/support/entdocview.wss?uid=swg1IY86917
Secunia Advisory: http://secunia.com/advisories/21550/
CVE Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4257

- --
Application Security, Inc.
www.appsecinc.com
AppSecInc is the leading provider of database security solutions for the
enterprise. AppSecInc products proactively secure enterprise
applications at more than 300 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with customers,
partners and suppliers. Our security experts, combined with our strong
support team, deliver up-to-date application safeguards that minimize
risk and eliminate its impact on business.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFgFSm9EOAcmTuFN0RAs0uAKDD2JmnlktSvdZg/UdVtBZMcN8aMwCfR7AJ
toZoy4X4AWp5t8Ut7vvkj8U=
=tvlM
-----END PGP SIGNATURE-----

Attachment: 0x64EE14DD.asc
Description: application/pgp-keys

Prev by Date: ASP Cmd Shell On IIS 5.1
Next by Date: ZDI-06-050: Symantec Veritas NetBackup CONNECT_OPTIONS Buffer Overflow Vulnerability
Previous by thread: ASP Cmd Shell On IIS 5.1
Next by thread: ZDI-06-050: Symantec Veritas NetBackup CONNECT_OPTIONS Buffer Overflow Vulnerability
Index(es):
- Date
- Thread