IBM DB2 - Universal Database Information Disclosure

EDB-ID:

24678




Platform:

Windows

Date:

2004-09-01


source: https://www.securityfocus.com/bid/11402/info

An information disclosure vulnerability has been reported in IBM DB2. This vulnerability only exists when DB2 is installed on Microsoft Windows operating systems. This is due to a Windows permissions issue related to shared memory sections, culminating in authorized access to sensitive information.

This vulnerability allows local users to inappropriately connect to DB2 IPC resources, and to also read files that may contain potentially sensitive information. This may aid them in further attacks.

- Database usernames and passwords may be read from the 'DB2SHMSECURITYSERVICE' memory section.

- Various shared memory sections may be read allowing unauthorized access to query or query result data. The following examples were provided:

section read DB20QM 
section read DB2GLBQ0QM 
section read DB2SHMDB2_0APP 
section read DB2SHMDB2_0APL00000003 
section read DB2SHMDB2_0APL00000004 
section read DB2SHMDB2_0APL00000005