IBM DB2 XML Query Buffer Overflow (Sep 19, 2008)

A remotely exploitable vulnerability has been reported in the IBM DB2 Database product. The DB2 product consists of a set of separate services that provide data processing functions. The main database engine process is contained in the binary executable db2syscs.exe on Windows based installations.

The DB2 database has unique facilities to store and manage data in XML format. Querying and manipulation of XML data objects is performed with the XQuery query language. DB2 supports a set of functions that evaluate XQuery expressions to facilitate XML data management.

One such XQuery function is XMLQUERY. Given an XQuery expression as its argument, this function returns an XML value from the database. The syntax of XMLQUERY is as follows:

XMLQUERY(xquery-expression-constant [PASSING xquery-argument AS identifier] )

Here xquery-expression-constant is an SQL character string that is interpreted as an XQuery expression. A practical example of the function's use:

SELECT XMLQuery('$PORDER/PurchaseOrder/item/name') FROM purchaseorder

A stack buffer overflow vulnerability exists during the processing of the XMLQUERY function. The vulnerability is a result of insufficient boundary checks on the xquery-expression-constant string passed to the affected function. The vulnerable code does not properly validate the length of this parameter before making an internal copy of it to a limited buffer on the stack. This has been shown to result in overwriting of critical memory locations in cases where the string argument is overly long.

A remote authenticated attacker with limited privileges could exploit this vulnerability by passing a specially crafted argument to the XMLQUERY function in a SQL statement. Successful exploitation of this flaw may allow the attacker to inject and execute arbitrary code in the context of the affected service, normally the Administrative account.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature released to address this vulnerability is:

  • 5244 IBM DB2 Universal Database XMLQuery BO Attempt
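The length check that a signature of this kind performs can be illustrated with a small detector, added here as an example and not SonicWall's own signature logic. It extracts the xquery-expression-constant string literal from XMLQUERY calls in an SQL statement and flags literals longer than a threshold; the threshold value and the sample statements are constructed, since the advisory does not state the size of the affected stack buffer.

```python
import re

# Assumed threshold for illustration only: the advisory gives no buffer size,
# so tune this to the longest legitimate XQuery expression seen in your traffic.
MAX_XQUERY_LEN = 512

# Matches XMLQUERY( '<string literal>' ... ) case-insensitively. The literal
# may contain doubled single quotes ('' is the SQL escape for a quote).
_XMLQUERY_RE = re.compile(
    r"XMLQUERY\s*\(\s*'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)


def xmlquery_literals(sql):
    """Return the xquery-expression-constant strings found in an SQL statement."""
    return [m.group(1).replace("''", "'") for m in _XMLQUERY_RE.finditer(sql)]


def flag_oversized_xmlquery(sql, max_len=MAX_XQUERY_LEN):
    """Return the length of the longest XMLQUERY literal if it exceeds max_len, else 0."""
    longest = max((len(s) for s in xmlquery_literals(sql)), default=0)
    return longest if longest > max_len else 0


# Constructed sample statements (not taken from the advisory).
BENIGN = "SELECT XMLQuery('$PORDER/PurchaseOrder/item/name') FROM purchaseorder"
SUSPECT = "SELECT XMLQUERY('" + "A" * 2048 + "') FROM purchaseorder"

if __name__ == "__main__":
    for stmt in (BENIGN, SUSPECT):
        hit = flag_oversized_xmlquery(stmt)
        print("ALERT: XMLQUERY literal of %d bytes" % hit if hit else "ok")
```

A real deployment would apply the same check to the statement text carried in the DRDA session rather than to a string in memory, and would treat the threshold as tunable per environment.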