O'Reilly logo

The Database Hacker's Handbook: Defending Database Servers by Bill Grindlay, John Heasman, Chris Anley, David Litchfield

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Buffer Overflows in DB2 Procedures and Functions

Procedures and functions in the DB2 world are known as routines and most are written in C. As such, they can be vulnerable to the standard C issues such as buffer overflows and format string vulnerabilities. As it happens they are. During the course of researching DB2 for this book Mark Litchfield and I found a number of buffer overflow vulnerabilities in various procedures and functions. These were reported to IBM and a patch has been made available. The following procedures and functions are known to suffer from buffer overflow vulnerabilities.

REC2XML

XMLClobFromFile

XMLVarcharFromFile

XMLFileFromClob

XMLFileFromVarchar

SatEncrypt

GENERATE_DISTFILE

Of particular interest are the overflows in the XML* functions. The overflow they are vulnerable to is one of the strangest I've ever come across and the peculiarity makes them very easy to exploit. Essentially they all call the same bit of code, that when a certain length is specified for the third parameter the saved return address on the stack is overwritten with a pointer to somewhere in the middle of the buffer! This essentially means that when the vulnerable function returns it does so into the user-supplied data. When it comes to exploiting a normal stack-based overflow, the attacker needs to overwrite the saved return address with an address that points to a bit of code, a “jmp esp” for example, that'll get the processor executing code from the user-supplied buffer. This often ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required