DB2 for Linux, Unix and Windows is one of the databases where only little bit information about security problems is available. Nevertheless DB2 LUW is installed in many corporate networks and if not hardened properly could be an easy target for attackers. In many aspects DB2 is different from other databases, starting at the user management (normally no user/passwords in the database) to the privilege concept.
With the latest versions, DB2 LUW became more and more similar to Oracle (views, commands, concepts to make more stuff query-able from the database) and allows even to run PLSQL code from Oracle databases. IBM is also cloning the insecure configuration from Oracle by granting a lot of the PLSQL packages to public.
This talk will give a quick introduction into the DB2 architecture, differences to other relational database systems and the most common DB2 configuration problems.
Showing a lit of available exploits and typical pentester questions (how can I run OS commands, how can I access the network or file system) will also be covered.
This talk will also demonstrate SQL injection in stored procedure code inside of the database (SQL/PL and PL/SQL), how to find, exploit and fix it.
The last part covers the hardening of DB2 databases.