Litchfield’s DB2 Worm^H^H^H^H
Thomas Ptacek | January 5th, 2005
NGSec just announced a major hole in DB2.
We’ll assume, probably conservatively, that DB2 with JDBC is used at a frequency comparable to Microsoft SQL (irony: didn’t Litchfield find the original SQL-Slammer hole?).
So it looks like we’ve got something that meets many of the tests for “probable worm”, including:
- Triggered remotely
- Provides remote code execution
- Doesn’t require a login
- Attacks a largely homogeneous platform
Says Jose:
"Sure, but who uses it? I.e., MSDE [embedded MS-SQL] was everywhere as a shared component. I think it may be more than MS-SQL but less so than MSDE."
How do we get data on the number of Slammer infections to database services versus latent MSDE installations?

