2-Apr-2009: IBM DB2

IBM DB2 Version 9.5 Fix Pack 3a came out, fixing also two DoS vulnerabilities I found.

1. "IZ37697: SECURITY: MALICIOUS CONNECT DATA STREAM CAN CAUSE DENIAL OF SERVICE."

First is pre-auth DoS vulnerability. Here is exploit: it require "DB2TEST" database present on target database, because its name is hardcoded into packet.

Download: DB2_PoC_1.py

2. IZ39653: SECURITY: MALICOUS DATA STREAM CAN CAUSE THE DB2 SERVER TO TRAP.

The second DoS vulnerability, it is require also "DB2TEST" database present on target database and require "GUEST" account present with "QQ" password. All this stuff is hardcoded too.

Download: DB2_PoC_2.py


This open sourced site and this page in particular is hosted on GitHub. Patches, suggestions and comments are welcome.


→ [list of blog posts, my twitter/facebook]

The page last updated on 16-September-2016