IBM solidDB 6.5.0.3 - Denial of Service





Platform:

Multiple

Date:

2010-10-15


Source: http://aluigi.org/adv/soliddb_1-adv.txt
#######################################################################

                             Luigi Auriemma

Application:  IBM solidDB
              http://www-01.ibm.com/software/data/soliddb/
Versions:     <= 6.5.0.3
Platforms:    AIX, Linux, Solaris, Windows
Bug:          Denial of Service
Exploitation: remote, versus server
Date:         15 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"IBM solidDB product family features relational, in-memory database
technology that delivers extreme speed, performing up to ten times
faster than conventional, disk-based databases."


#######################################################################

======
2) Bug
======


The solid.exe service listening on port 1315 can be crashed by an
external attacker through a malformed type of packet.
The bugged function is located at address 0063dc60 which is called
recursively if the packet contains a particular value between the range
of values 15001 and 15100 (switch 9).
The effects of the problem can be:
- stack exaustion by using over 14000 of these values so that all the
  memory of the stack gets consumed by these recursive callings
- NULL pointer due to the usage of only one of these values where an
  unused pointer (set to zero) is used in a comparison operation
- invalid memory access by using also another type of value after those


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/soliddb_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15261.zip

#######################################################################

======
4) Fix
======


No fix.


#######################################################################