[Full-Disclosure] R7-0016: Sybase ASE 12.5 Remote Password Array Denial of Service

Date: 11/20/03

    To: full-disclosure@lists.netsys.com
    Date: Thu, 20 Nov 2003 12:15:31 -0800

                         Rapid7, Inc. Security Advisory
           Visit http://www.rapid7.com/ to download NeXpose,
            the world's most advanced vulnerability scanner.
          Linux and Windows 2000/XP versions are available now!

    Rapid7 Advisory R7-0016
    Sybase ASE 12.5 Remote Password Array Denial of Service

       Published: November 20, 2003
       Revision: 1.0

       CVE: CAN-2003-0327

    1. Affected system(s):

        o Sybase 12.5 ASE for Windows
        o Sybase 12.5 ASE for Linux

       Apparently NOT VULNERABLE:
        o Sybase for Linux

    2. Summary

       Sybase Adaptive Server Enterprise (ASE) 12.5 is susceptible to a
       denial of service attack when a login is made with an invalid
       remote password array. A valid login is required to exploit
       this vulnerability.

    3. Vendor status and information
       The vendor has been notified and has released an ESD
       (Electronic Software Distribution) which fixes this issue.

    4. Solution

       Upgrade to Sybase ASE 12.5 ESD#2 or higher.

    5. Detailed analysis

       Connecting to Sybase Adaptive Server Enterprise (ASE) 12.5 with
       a valid login (correct user ID and password) and an invalid remote
       password array causes an access violation on the server, resulting
       in a denial of service in the child thread or process. On
       Windows, which spawns threads for each client, the server will
       stop responding to all commands, including new login requests.
       On systems such as Linux, which spawns new child processes for each
       client, other clients do not appear to be affected. However, an
       attacker could cause an effective DoS on new clients by rapidly
       exploiting new child processes as they are launched, denying other
       clients the ability to log in.

       The remote password array is included in the TDS LOGINREC structure
       and is of the format:

         byte first server name length
         byte[ ] first server name
         byte first password length
         byte[ ] first password
         byte next server name length
         byte total length of remote password array

       By specifying invalid lengths, a heap overflow can be triggered.
       We believe the possibility of arbitrary remote code execution is
       unlikely in this case, but the possibility has not been ruled out.
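
The failure described above is a length-field trust problem: each entry in the remote password array announces its own size, and the trailing total-length byte announces the whole. A parser that trusts those bytes will read or copy past the end of the buffer. The following added example (not Rapid7's code and not Sybase's) shows how a receiver should walk the array described in the advisory, checking every declared length against the bytes actually present before touching them. The encoder, the 255-byte cap on the field, and the exception type are this example's assumptions, not details from the advisory; the field layout follows the advisory's description.

```python
"""Bounds-checked parser for the TDS LOGINREC remote password array.

Layout, as described in Rapid7 advisory R7-0016:
    byte    first server name length
    byte[]  first server name
    byte    first password length
    byte[]  first password
    ...     (repeated for further servers)
    byte    total length of the array body

Assumption (not from the advisory): the array body is at most 255 bytes,
which is the largest value the single total-length byte can express.
"""
from dataclasses import dataclass

REMPW_MAX_BODY = 255  # assumed maximum body length (fits one length byte)


class MalformedRemotePasswordArray(ValueError):
    """Raised when a declared length does not fit the bytes present."""


@dataclass
class RemotePassword:
    server_name: bytes
    password: bytes


def encode_remote_password_array(entries):
    """Build a well-formed array from (server_name, password) byte pairs.

    Helper so the parser can be exercised on constructed input; a real
    client library would produce this as part of its LOGINREC.
    """
    body = bytearray()
    for name, password in entries:
        if len(name) > 255 or len(password) > 255:
            raise ValueError("server name and password must each fit a length byte")
        body.append(len(name))
        body += name
        body.append(len(password))
        body += password
    if len(body) > REMPW_MAX_BODY:
        raise ValueError("remote password array body exceeds %d bytes" % REMPW_MAX_BODY)
    return bytes(body) + bytes([len(body)])


def parse_remote_password_array(buf):
    """Parse the array, rejecting any length that overruns the buffer.

    Every declared length is checked against the bytes that remain before
    a single byte is read at that offset, so a malformed array produces an
    exception rather than an out-of-bounds access.
    """
    if not buf:
        raise MalformedRemotePasswordArray("empty array: missing total length byte")
    total = buf[-1]
    body = buf[:-1]
    # The trailing byte claims how long the body is; it may not claim more
    # than was actually received.
    if total > len(body):
        raise MalformedRemotePasswordArray(
            "declared total length %d exceeds %d bytes present" % (total, len(body)))
    body = body[:total]

    entries = []
    pos = 0
    while pos < total:
        name_len = body[pos]
        pos += 1
        if pos + name_len > total:
            raise MalformedRemotePasswordArray(
                "server name length %d overruns array at offset %d" % (name_len, pos))
        name = bytes(body[pos:pos + name_len])
        pos += name_len

        if pos >= total:
            raise MalformedRemotePasswordArray("truncated: password length byte missing")
        pw_len = body[pos]
        pos += 1
        if pos + pw_len > total:
            raise MalformedRemotePasswordArray(
                "password length %d overruns array at offset %d" % (pw_len, pos))
        password = bytes(body[pos:pos + pw_len])
        pos += pw_len

        entries.append(RemotePassword(name, password))
    return entries


def is_well_formed(buf):
    """True if the array parses cleanly, False if any length is inconsistent."""
    try:
        parse_remote_password_array(buf)
        return True
    except MalformedRemotePasswordArray:
        return False


if __name__ == "__main__":
    # Constructed sample input: an empty server name (a catch-all entry)
    # followed by a named server.
    good = encode_remote_password_array([(b"", b"secret"), (b"SERVER2", b"pw2")])
    for entry in parse_remote_password_array(good):
        print(entry)
    # Constructed malformed input: the second entry declares a 200-byte
    # server name inside a 9-byte body.
    bad = bytes([0, 6]) + b"secret" + bytes([200]) + bytes([9])
    print("malformed rejected:", not is_well_formed(bad))
```

The two checks that matter are the comparison of the trailing total-length byte against the bytes actually received and the `pos + length > total` test before each variable-length field; the advisory's crash is what happens when either is skipped. A server that logs the rejection together with the authenticated login name also gives operators a detection signal, since the advisory notes that a valid login is needed to reach this code.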

    6. Contact Information

       Rapid7 Security Advisories
       Email: advisory@rapid7.com
       Web: http://www.rapid7.com/
       Phone: +1 (212) 558-8700

    7. Disclaimer and Copyright

       Rapid7, Inc. is not responsible for the misuse of the information
       provided in our security advisories. These advisories are a service
       to the professional security community. There are NO WARRANTIES
       with regard to this information. Any application or distribution of
       this information constitutes acceptance AS IS, at the user's own
       risk. This information is subject to change without notice.

       This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
       hereby granted to redistribute this advisory, providing that no
       changes are made and that the copyright notices and disclaimers
       remain intact.

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html