Hacking and Securing DB2 LUW Databases

Presented at DEF CON 19 (2011), Aug. 6, 2011, 10 a.m. (50 minutes)

DB2 for Linux, Unix and Windows is one of the databases for which only very little information about security problems is available. Nevertheless, DB2 LUW is installed in many corporate networks and, if not hardened properly, can be an easy target for attackers. In many aspects DB2 differs from other databases, starting with user management (normally no users or passwords are stored in the database itself; authentication is delegated to the operating system or an external authentication plugin) and extending to the privilege concept. With the latest versions, DB2 LUW has become more and more similar to Oracle (views, commands and concepts that make more of the database query-able) and can even run PL/SQL code written for Oracle databases. IBM is also cloning Oracle's insecure configuration by granting many of the PL/SQL packages to PUBLIC. This talk gives a quick introduction to the DB2 architecture, its differences from other relational database systems and the most common DB2 configuration problems. It also shows a list of available exploits and answers typical pentester questions (how can I run OS commands, how can I access the network or the file system). The talk further demonstrates SQL injection in stored procedure code inside the database (SQL/PL and PL/SQL): how to find it, exploit it and fix it. The last part covers the hardening of DB2 databases.
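The find / exploit / fix cycle for SQL injection inside DB2 SQL/PL routines, and the PUBLIC-grant check from the configuration part of the abstract, as an added example. This is editor-written illustration code, not material from the talk or from IBM: the schema APP, the table CUSTOMERS and the procedures FIND_CUSTOMER_BAD / FIND_CUSTOMER_OK are hypothetical, the sample rows are constructed, and the script assumes a DB2 LUW 9.7 or later instance run through the CLP with `@` as statement terminator (`db2 -td@ -f inject.sql`).

```sql
-- Added example (not from the talk). All object names are hypothetical.
-- Run with: db2 -td@ -f inject.sql   (statement terminator is '@')

-- Constructed sample data: one column the procedure is meant to expose
-- (NAME) and one it is not (SSN).
CREATE TABLE APP.CUSTOMERS (
  ID   INTEGER NOT NULL PRIMARY KEY,
  NAME VARCHAR(60),
  SSN  CHAR(11)
)@
INSERT INTO APP.CUSTOMERS VALUES (1, 'Alice', '111-22-3333'),
                                 (2, 'Bob',   '444-55-6666')@

-- 1. FIND: SQL-bodied routines whose source builds dynamic SQL by string
--    concatenation. SYSCAT.ROUTINES.TEXT holds the routine body, so a LIKE
--    over it is a cheap first pass before reading the code by hand.
SELECT ROUTINESCHEMA, ROUTINENAME
  FROM SYSCAT.ROUTINES
 WHERE LANGUAGE = 'SQL'
   AND (TEXT LIKE '%EXECUTE IMMEDIATE%' OR TEXT LIKE '%PREPARE%')
   AND TEXT LIKE '%||%'@

-- 2. VULNERABLE: the IN parameter is spliced into the statement text.
--    The procedure executes with its definer's privileges, so whatever the
--    caller smuggles into P_NAME runs with those rights.
CREATE OR REPLACE PROCEDURE APP.FIND_CUSTOMER_BAD (IN P_NAME VARCHAR(60))
  LANGUAGE SQL
  DYNAMIC RESULT SETS 1
BEGIN
  DECLARE V_SQL VARCHAR(1000);
  DECLARE C1 CURSOR WITH RETURN FOR S1;
  SET V_SQL = 'SELECT ID, NAME FROM APP.CUSTOMERS WHERE NAME = '''
              || P_NAME || '''';
  PREPARE S1 FROM V_SQL;
  OPEN C1;
END@

-- 3. EXPLOIT: close the literal, UNION the protected column into the
--    NAME position, and comment out the trailing quote with '--'.
--    Resulting statement:
--    SELECT ID, NAME FROM APP.CUSTOMERS WHERE NAME = 'x'
--      UNION SELECT ID, SSN FROM APP.CUSTOMERS --'
--    The result set now carries both SSN values.
CALL APP.FIND_CUSTOMER_BAD('x'' UNION SELECT ID, SSN FROM APP.CUSTOMERS --')@

-- 4. FIX (preferred): static SQL. The parameter is a value, never text.
CREATE OR REPLACE PROCEDURE APP.FIND_CUSTOMER_OK (IN P_NAME VARCHAR(60))
  LANGUAGE SQL
  DYNAMIC RESULT SETS 1
BEGIN
  DECLARE C1 CURSOR WITH RETURN FOR
    SELECT ID, NAME FROM APP.CUSTOMERS WHERE NAME = P_NAME;
  OPEN C1;
END@

-- 4b. FIX when dynamic SQL is genuinely needed (e.g. table name chosen at
--     run time): keep the value out of the text with a parameter marker
--     and bind it through OPEN ... USING. The same payload is now just a
--     NAME that matches no row.
CREATE OR REPLACE PROCEDURE APP.FIND_CUSTOMER_OK_DYN (IN P_NAME VARCHAR(60))
  LANGUAGE SQL
  DYNAMIC RESULT SETS 1
BEGIN
  DECLARE V_SQL VARCHAR(1000);
  DECLARE C1 CURSOR WITH RETURN FOR S1;
  SET V_SQL = 'SELECT ID, NAME FROM APP.CUSTOMERS WHERE NAME = ?';
  PREPARE S1 FROM V_SQL;
  OPEN C1 USING P_NAME;
END@
CALL APP.FIND_CUSTOMER_OK_DYN('x'' UNION SELECT ID, SSN FROM APP.CUSTOMERS --')@

-- 5. HARDENING CHECK: routines executable by everyone. Review each hit and
--    REVOKE EXECUTE ON PROCEDURE/FUNCTION ... FROM PUBLIC where the
--    routine is not needed by all users (the abstract's complaint about
--    PL/SQL packages granted to PUBLIC is found the same way).
SELECT SCHEMA, SPECIFICNAME, EXECUTEAUTH
  FROM SYSCAT.ROUTINEAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND EXECUTEAUTH IN ('Y', 'G')@
```

The LIKE-based search is a triage aid, not proof: a routine can concatenate through an intermediate variable or a helper function and escape the pattern, and a hit that concatenates only identifiers validated against the catalog is fine. The reliable criterion is the one the two fixed procedures show: caller-supplied data reaches the statement only as a bound value, never as part of the text.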

Presenters:

  • Alexander Kornbrust - CEO of Red-Database-Security GmbH
    Alexander Kornbrust is the founder of Red-Database-Security, a company specialized in database security. He provides database security audits, security training and consulting to customers worldwide. Alexander has audited 3000 Oracle, DB2 and MSSQL instances over the past years. Alexander is also the co-author of the book "SQL Injection Attacks and Defense". Alexander has worked with Oracle since 1992 and his specialties are the security of databases and secure software architectures. In the last 7 years Alexander has reported more than 1200 security bugs to Oracle and has given various presentations at security conferences like Black Hat, DEF CON, BlueHat, HITB, ... Twitter: @kornbrust
