Bugtraqmailing list archives
IBM DB2 JDBC Applet Server buffer overflow (#NISR05012005D)
From: "NGSSoftware Insight Security Research" <nisr () nextgenss com>
Date: Wed, 5 Jan 2005 17:50:35 -0000
NGSSoftware Insight Security Research AdvisoryName: IBM DB2 JDBC Applet Server buffer overflowSystems Affected: DB2 8.1Severity: High risk from remoteVendor URL:http://www.ibm.com/Author: David Litchfield [ david at ngssoftware.com ]Relates to:http://www.nextgenss.com/advisories/db2-02.txtDate of Public Advisory: 5th January 2005Advisory number: #NISR05012005DAdvisory URL:http://www.ngssoftware.com/advisories/db205012005D.txtDescription***********IBM's DB2 JDBC Applet Server suffers from a stack based buffer overflowvulnerability that can be exploited remotely without a user ID or password.Details*******When a client connects to the JDBC applet server on TCP port 6789 it does sousing a proprietary protocol. The connection packet starts withValidDb2jdTokenFromTheClientSide and includes the username, the password,the db2java.zip version and the database to connect to.The problem arises as follows.Firstly, an attacker attempts to authenticate to the JDBC applet server onTCP 6789 with an overly long username of c. 2200 bytes then disconnectsgracefully.Secondly, they reconnect, but this time send a short username but set thedb2java.zip version to something other than expected by the server. Set theversion to c. 544 unicode bytes \x00\x41.An error is logged and at some stage the null terminator is removed and theoriginal username that was sent is concatentated to the db2java.zip version.This is then copied to a stack based buffer and it overflows.Fix Information***************IBM has written a patch and can be obtained with the latest fixpak.http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html - DB2v8.1http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html - DB2v7.xNGSSQuirreL for DB2 (http://www.nextgenss.com/db2.htm) can be used to assesswhether your DB2 server is vulnerable to this.About NGSSoftware*****************NGSSoftware design, research and develop intelligent, advanced applicationsecurity assessment scanners. Based in the United Kingdom, NGSSoftware haveoffices in the South of London and the East Coast of Scotland. NGSSoftware'ssister company NGSConsulting, offers best of breed security consultingservices, specialising in application, host and network securityassessments.http://www.ngssoftware.com/Telephone +44 208 401 0070Fax +44 208 401 0076enquiries () ngssoftware com
Current thread:
- IBM DB2 JDBC Applet Server buffer overflow (#NISR05012005D)NGSSoftware Insight Security Research (Jan 05)