<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2>
<P class=MsoTitle style="MARGIN: 12pt 0in 3pt"><STRONG><FONT size=5>DB2 UDB
- Handshake Protocol DoS Attack (BID 19586)</FONT></STRONG></P>
<H1 style="MARGIN: 12pt 0in 3pt"><FONT size=5>Background</FONT></H1>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">DB2 Universal Database (UDB)™ is a popular database
software package from IBM, available for legacy platforms as well as open
systems (Unix and Windows). Clients use a protocol called DRDA (Distributed
Relational Database Architecture) to communicate with the DB2 UDB server.
Protocol messages are used for session setup, authentication and data
transfer.</FONT></FONT></P>
<H1 style="MARGIN: 12pt 0in 3pt"><FONT size=5>Scope</FONT></H1>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">Imperva’s Application Defense Center is conducting
extensive research into the DRDA protocol and its implementation. As part of
this research the team has identified a vulnerability in DB2 UDB’s connection
establishment mechanism that allows an attacker to terminate the UDB service,
effectively denying service to all database users.</FONT></FONT></P>
<H1 style="MARGIN: 12pt 0in 3pt"><FONT size=5>Findings</FONT></H1>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">An attacker can send a specially crafted ACCSEC command
during the handshake process with the server, causing the server process to
crash.</FONT></FONT></P>
<H1 style="MARGIN: 12pt 0in 3pt"><FONT size=5>Details</FONT></H1>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face="Times New Roman"
size=3>A simple connection establishment process to the DB2 UDB server with
user-password authentication consists of several commands: EXCSAT (Exchange
Server Attributes), ACCSEC (Access Security), SECCHK (Security Check) and
ACCRDB (Access RDB). The RDBNAM parameter, which appears in some of them,
specifies the name of the RDB that the command accesses (according to the
documentation, if this parameter is specified, its value must be the same as
the value specified on the ACCRDB command for RDBNAM). ACCSEC usually appears
twice during the handshake process.</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">It turns out that if the RDBNAM parameter is omitted
from the first ACCSEC command, the DB2 UDB server becomes unstable, while the
establishment of the connection may still complete successfully. Once the
connection is established, a simple command (such as </FONT><SPAN
style="FONT-FAMILY: 'Courier New'">SELECT</SPAN><FONT face="Times New Roman">)
sent through the connection causes the service to terminate
unexpectedly.</FONT></FONT></P>
<H1 style="MARGIN: 12pt 0in 3pt"><FONT size=5>Exploit</FONT></H1>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">Send a connection establishment request to the DB2 UDB
server, where the RDBNAM parameter is omitted from the first ACCSEC command.
After the connection is established, send a simple query (e.g. </FONT><SPAN
style="FONT-FAMILY: 'Courier New'">SELECT * FROM dummy</SPAN><FONT
face="Times New Roman">).</FONT></FONT></P>
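Because the advisory lists no workaround, the practical defensive control is to spot the condition from the Details and Exploit sections on the wire. The following is an added example, not Imperva's or IBM's code: a small parser for DRDA DSS/DDM frames in a client-to-server byte stream that flags a handshake whose first ACCSEC carries no RDBNAM. The DDM codepoints are taken from the DRDA specification; the two sample handshakes are constructed here for the check, and the RDBNAM value is a placeholder (its encoding does not matter to the test).

```python
import struct
DSS_MAGIC = 0xD0      # every DRDA Data Stream Structure starts with this byte
DDM_EXCSAT = 0x1041   # Exchange Server Attributes (used only in the samples)
DDM_ACCSEC = 0x106D   # Access Security command
DDM_SECMEC = 0x11A2   # Security Mechanism parameter (used only in the samples)
DDM_RDBNAM = 0x2110   # Relational Database Name parameter

def parse_dss_stream(data):
    """Yield (command codepoint, {param codepoint: value}) for each DSS in a
    client-to-server byte stream; any malformed segment raises ValueError."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 6:
            raise ValueError("truncated DSS header at offset %d" % pos)
        dss_len, magic = struct.unpack_from(">HB", data, pos)
        if magic != DSS_MAGIC or dss_len < 10 or pos + dss_len > len(data):
            raise ValueError("bad DSS header at offset %d" % pos)
        obj_len, cp = struct.unpack_from(">HH", data, pos + 6)
        if obj_len < 4 or obj_len + 6 > dss_len:
            raise ValueError("bad DDM object length at offset %d" % pos)
        params, p, end = {}, pos + 10, pos + 6 + obj_len
        while p < end:
            if end - p < 4:
                raise ValueError("truncated DDM parameter at offset %d" % p)
            plen, pcp = struct.unpack_from(">HH", data, p)
            if plen < 4 or p + plen > end:
                raise ValueError("bad DDM parameter length at offset %d" % p)
            params[pcp] = data[p + 4:p + plen]
            p += plen
        yield cp, params
        pos += dss_len

def first_accsec_lacks_rdbnam(data):
    """True if the first ACCSEC in the handshake carries no RDBNAM (the advisory's condition)."""
    for cp, params in parse_dss_stream(data):
        if cp == DDM_ACCSEC:
            return DDM_RDBNAM not in params
    return False

def _dss(cp, params):
    """Wrap a DDM command in a request DSS (format byte 0x41, correlation id 1); used only to build the constructed samples below."""
    body = b"".join(struct.pack(">HH", 4 + len(v), pcp) + v for pcp, v in params)
    obj = struct.pack(">HH", 4 + len(body), cp) + body
    return struct.pack(">HBBH", 6 + len(obj), DSS_MAGIC, 0x41, 1) + obj

# Constructed samples: a normal first ACCSEC, and one with RDBNAM omitted.
HANDSHAKE_OK = _dss(DDM_EXCSAT, []) + _dss(
    DDM_ACCSEC, [(DDM_SECMEC, b"\x00\x03"), (DDM_RDBNAM, b"SAMPLE  ")])
HANDSHAKE_SUSPECT = _dss(DDM_EXCSAT, []) + _dss(DDM_ACCSEC, [(DDM_SECMEC, b"\x00\x03")])
```

Run against reassembled client-side TCP payloads of DB2 sessions (port 50000 by default); a hit on an unpatched 8.x server is worth an alert, and the strict length checks keep a truncated capture from producing a false verdict.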
<H1 style="MARGIN: 12pt 0in 3pt"><FONT size=5>Tested Versions</FONT></H1>
<H2 style="MARGIN: 12pt 0in 3pt"><EM>Vulnerable</EM></H2>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">DB2 UDB version 8.x, all platforms.</FONT></FONT></P>
<H2 style="MARGIN: 12pt 0in 3pt"><EM>Not Vulnerable</EM></H2>
<H1 style="MARGIN: 12pt 0in 3pt"><FONT size=5>Vendor’s Status</FONT></H1>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">January 11<SUP>th</SUP> 2006 – Vendor
Notified</FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">August 14<SUP>th</SUP> 2006 – Patched in UDB 8.1 FixPak
13 (APAR IY87211)</FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">August 18<SUP>th</SUP> 2006 – Reported by vendor to
Bugtraq and labeled as BID 19586</FONT></FONT></P>
<H1 style="MARGIN: 12pt 0in 3pt"><FONT size=5>Workaround</FONT></H1>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face="Times New Roman"
size=3>None.</FONT></P>
<H1 style="MARGIN: 12pt 0in 3pt"><FONT size=5>Credit</FONT></H1>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT
face="Times New Roman">Discovered by Tal Ryterski from Imperva
Inc.</FONT></FONT></P></FONT></DIV>
<DIV> </DIV>
<DIV dir=ltr align=left>
<P style="FONT-SIZE: 11px; COLOR: #2f506d; FONT-FAMILY: Verdana, sans-serif"
align=left><STRONG>Amichai Shulman</STRONG><BR>CTO</P>
<P style="FONT-SIZE: 11px; COLOR: #2f506d; FONT-FAMILY: Verdana, sans-serif"><A
href="http://www.imperva.com/">Imperva, Inc.</A><BR>12 Hachilazon
St.<BR>Ramat Gan<BR>Israel</P>
<P style="FONT-SIZE: 11px; COLOR: #2f506d; FONT-FAMILY: Verdana, sans-serif">(972)
3-6120133 x103 Office<BR>(972) 54-5885083 Mobile<BR>(972) 3-5711133
Fax<BR><A href="mailto:shulman@imperva.com">shulman@imperva.com</A></P></DIV>
<DIV> </DIV></BODY></HTML>