IBM DB2 XML Query Buffer Overflow

September 19, 2008

A remotely exploitable vulnerability has been reported in the IBM DB2 Database product. The DB2 product consists of a set of separate services that provide data processing functions. The main database engine process is contained in the binary executable db2syscs.exe on Windows based installations.

The DB2 database has unique facilities to store and manage data in XML format. Quering and manipulation of XML data objects is performed with the help of the XQuery query language. DB2 supports a set of functions that can resolve XQuery expressions to facilitate XML data management.

One of such XQuery functions is XMLQUERY. Given an XQuery expression as its argument, this function returns an XML value from the database. The syntax of XMLQUERY is described as follows:

XMLQUERY(xquery-expression-constant [PASSING xquery-argument AS identifier] )

Where xquery-expression-constant is an SQL character string that is interpreted as an XQuery expression. A practical use example of the function is shown:

SELECT XMLQuery(’$PORDER/PurchaseOrder/item/name’) FROM purchaseorder

A stack buffer overflow vulnerability exists during the processing of the XMLQUERY function. The vulnerability is a result of insufficient boundary checks on the xquery-expression-constant string passed to the affected function. The vulnerable code does not properly validate the length of this parameter before making an internal copy of it to a limited buffer on the stack. This has been shown to result in overwriting of critical memory locations in cases where the string argument is overly long.

A remote authenticated attacker with limited privileges could exploit this vulnerability by passing a specially crafted argument to the XMLQUERY function in a SQL statement. Successful exploitation of this flaw may allow the attacker to inject and execute arbitrary code in the context of the affected service, normally the Administrative account.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature released to address this vulnerability is:

  • 5244 IBM DB2 Universal Database XMLQuery BO Attempt