J-Security Center

Title: IBM DB2 Universal Database REC2XML and GENERATE_DISTFILE Buffer Overflow Vulnerabilities

Severity: CRITICAL

Description:

IBM DB2 Universal Database is reported to be prone to multiple remote buffer overflow vulnerabilities. These issues arise because the application does not perform proper boundary checks before copying user-supplied data into process buffers. An attacker may exploit these issues to execute arbitrary code on a vulnerable computer.

The following specific issues were identified:

The first issue exists in the 'rec2xml' function, which is used to format values as an XML string. An attacker can reportedly trigger the overflow by supplying an overly long string value as the function's third parameter: the function copies the attacker-supplied value into a fixed-size process buffer without checking its length, so the buffer overflows.

The second issue affects the 'generate_distfile' procedure, which is implemented as a C function imported from 'db2dbappext.dll'. The function accepts a user-supplied file name as its third parameter, and that parameter is restricted to 255 bytes.

This issue can be triggered by supplying a file name of 255 characters. Reportedly, a sub-function of 'generate_distfile' builds the destination path in a 264-byte stack buffer: it calls 'sqloInstancePath()' to retrieve the DB2 installation path, which typically returns C:\PROGRA~1\IBM\SQLLIB\DB2, then appends '\tmp\' followed by the user-supplied file name. The 255-byte limit on the file name is enforced without regard to the prefix already in the buffer. For the typical path above, 26 bytes of installation path plus 5 bytes of '\tmp\' plus a 255-character file name and its terminating NUL comes to 287 bytes, 23 bytes more than the 264-byte buffer holds, so the copy overruns the stack buffer allocated by the sub-function.
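The following C program is an added illustration of the GENERATE_DISTFILE path-construction flaw described above; it is not IBM's code and not part of the original advisory. The only figures taken from the advisory are the 264-byte stack buffer, the 255-byte file name limit, the typical sqloInstancePath() result and the '\tmp\' suffix. The function names, the 0xAA canary region that stands in for whatever sits above the buffer on the stack, and the 'A' filler used as a constructed file name are assumptions made for the demonstration. The vulnerable builder writes into a 264-byte slot inside a larger array so the overrun can be measured without undefined behaviour; the checked builder measures the full path before copying and refuses names that would not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the path construction described in the advisory.
 * Not IBM's code: function names, canary and filler are assumptions.
 * Figures from the advisory: 264-byte stack buffer, 255-byte name limit,
 * the typical sqloInstancePath() result and the "\tmp\" suffix.          */

#define INSTANCE_PATH  "C:\\PROGRA~1\\IBM\\SQLLIB\\DB2" /* 26 bytes */
#define TMP_SUBDIR     "\\tmp\\"                        /* 5 bytes  */
#define STACK_BUF_SIZE 264
#define MAX_FILENAME   255
#define CANARY_LEN     32   /* stands in for saved registers / return address */

/* Byte-loop append so a fortified strcat() cannot abort the demonstration.
 * Returns a pointer to the terminating NUL it wrote.                        */
static char *append_unchecked(char *dst, const char *src)
{
    while (*dst != '\0')
        dst++;
    while ((*dst++ = *src++) != '\0')
        ;
    return dst - 1;
}

/* Bytes (including the NUL) the full path needs for a name of name_len bytes. */
size_t required_len(size_t name_len)
{
    return strlen(INSTANCE_PATH) + strlen(TMP_SUBDIR) + name_len + 1;
}

/* Vulnerable pattern: the 255-byte limit on the name is trusted as proof that
 * the result fits, so nothing is checked against the actual buffer size.     */
void build_tmp_path_vulnerable(char *buf, const char *filename)
{
    buf[0] = '\0';
    append_unchecked(buf, INSTANCE_PATH);
    append_unchecked(buf, TMP_SUBDIR);
    append_unchecked(buf, filename);
}

/* Hardened form: measure the whole path first, refuse if it does not fit,
 * and format with an explicit bound. Returns 0 on success, -1 if rejected. */
int build_tmp_path_checked(char *buf, size_t bufsize, const char *filename)
{
    if (required_len(strlen(filename)) > bufsize) {
        if (bufsize > 0)
            buf[0] = '\0';
        return -1;
    }
    int n = snprintf(buf, bufsize, "%s%s%s", INSTANCE_PATH, TMP_SUBDIR, filename);
    return (n < 0 || (size_t)n >= bufsize) ? -1 : 0;
}

/* Constructed test input: a file name of name_len 'A's, capped at the limit. */
static void make_name(char *name, size_t name_len)
{
    if (name_len > MAX_FILENAME)
        name_len = MAX_FILENAME;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
}

/* Runs the vulnerable builder into a 264-byte slot followed by CANARY_LEN
 * bytes of 0xAA and returns how many canary bytes were overwritten. The slot
 * and canary are one array, so the write stays in defined memory; in a real
 * frame those bytes would be saved registers or the return address.         */
int canary_bytes_clobbered(size_t name_len)
{
    char region[STACK_BUF_SIZE + CANARY_LEN];
    char name[MAX_FILENAME + 1];
    make_name(name, name_len);
    memset(region, 0xAA, sizeof region);
    build_tmp_path_vulnerable(region, name);
    int clobbered = 0;
    for (int i = 0; i < CANARY_LEN; i++)
        if ((unsigned char)region[STACK_BUF_SIZE + i] != 0xAA)
            clobbered++;
    return clobbered;
}

/* Same constructed name through the hardened builder: 0 accepted, -1 refused. */
int checked_accepts(size_t name_len)
{
    char buf[STACK_BUF_SIZE];
    char name[MAX_FILENAME + 1];
    make_name(name, name_len);
    return build_tmp_path_checked(buf, sizeof buf, name);
}

int main(void)
{
    size_t lens[] = { 7, 232, 233, 255 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name_len=%3zu need=%3zu canary bytes clobbered=%2d checked=%d\n",
               lens[i], required_len(lens[i]), canary_bytes_clobbered(lens[i]),
               checked_accepts(lens[i]));
    return 0;
}
```

Build with any C99 compiler (for example cc -std=c99 -Wall demo.c) and run it: a 232-byte name fills the 264-byte slot exactly, a 233-byte name already overwrites one canary byte, and the 255-byte name the advisory describes writes 23 bytes past the end of the buffer. The point of build_tmp_path_checked is that the bound must be applied to the total path length in the destination buffer, not to the caller's parameter in isolation.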

An attacker may exploit these issues by supplying a large string value to the application. The payload may contain replacement memory addresses and shellcode designed to redirect process execution. A successful attack may result in a denial of service condition or allow arbitrary code execution, giving the attacker unauthorized access to the vulnerable computer.

These issues were originally reported as unspecified vulnerabilities. This BID is being updated because new information has become available; individual BIDs will be created in the near future.

Affected Products:

  • IBM DB2 Universal Database for AIX 7.0.0
  • IBM DB2 Universal Database for AIX 7.1.0
  • IBM DB2 Universal Database for AIX 7.2.0
  • IBM DB2 Universal Database for AIX 8.1.0
  • IBM DB2 Universal Database for HP-UX 7.0.0
  • IBM DB2 Universal Database for HP-UX 7.1.0
  • IBM DB2 Universal Database for HP-UX 7.2.0
  • IBM DB2 Universal Database for HP-UX 8.1.0
  • IBM DB2 Universal Database for Linux 7.0.0
  • IBM DB2 Universal Database for Linux 7.1.0
  • IBM DB2 Universal Database for Linux 7.2.0
  • IBM DB2 Universal Database for Linux 8.1.0
  • IBM DB2 Universal Database for Solaris 7.0.0
  • IBM DB2 Universal Database for Solaris 7.1.0
  • IBM DB2 Universal Database for Solaris 7.2.0
  • IBM DB2 Universal Database for Solaris 8.1.0
  • IBM DB2 Universal Database for Windows 7.1.0
  • IBM DB2 Universal Database for Windows 7.2.0
  • IBM DB2 Universal Database for Windows 8.1.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.