Pentest Security Advisory : PTL-2003-02
IBM DB2 INVOKE Command Stack Overflow Vulnerability
Author: Matt Moore
Announcement date: 1st October 2003
Advisory Reference: ptl-2003-02
Title: IBM DB2 INVOKE Command Stack Overflow Vulnerabilities
CVE Name: CAN-2003-0837
Bugtraq ID: 8743
Product: IBM DB2 Universal Database
Vulnerability Type : Buffer Overflow
Vendor-Status: Fixpack Issued
Remotely Exploitable: Yes
Locally Exploitable: Yes
Advisory URL: http://www.pentest.co.uk/
DB2 is IBM's relational database software. The IBM DB2 INVOKE command invokes a procedure stored at the location of a database. It is also known as the Database Application Remote Interface (DARI). The server procedure executes at the location of the database, and returns data to the client application.
This command is vulnerable to a stack based overflow that allows an attacker with "Connect" privileges to the database to execute arbitrary code on the vulnerable machine in the context of the Administrators group on Windows NT.
The vulnerability is triggered by issuing a carefully crafted INVOKE command.
IBM DB2 Universal Data Base v7.2 for Windows is vulnerable.
The vendor stated that 'the problem was limited to Windows specific code in v7 that was replaced in v8. So, the vulnerability does not affect any of the UNIX or Linux versions, nor does it affect version 8.'
- Pentest Notification: 20-11-2002
- Notification acknowledged by IBM: 22-11-2002
- Fixes available from: 17-09-2003
Issue is fixed in Fixpak 10a for DB2 v7.2.
Fixpaks are available at:
This vulnerability was discovered by Matt Moore from Pentest Limited.
Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.
Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.