Clarifications on Sybase Alerts
From: Aaron C. Newman (Application Security, Inc.) (anewman@APPSECINC.COM)
Date: 12/04/02
Date: Tue, 3 Dec 2002 19:47:30 -0500
From: "Aaron C. Newman (Application Security, Inc.)" <anewman@APPSECINC.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
We have received a lot of feedback on the 3 Sybase alerts sent out on
November 11 by Application Security, Inc. Being that the Sybase
community has not experienced many security vulnerabilities, there is
some confusion on what is exploitable and what is not. We are hoping
this clears up any confusion.
ASI Sybase Security Alert: Buffer overflow in xp_freedll
Despite the fact that the overflow is in a procedure with "dll" in the
name, this is in fact exploitable on UNIX as well as on Windows for all
versions of 12.0 and 12.5. On UNIX it is used to free shared objects.
ASI Sybase Security Alert: Buffer overflow in DROP DATABASE
These exploits can be run by anyone that can connect to the server, not
just database owners or system administrators. The command DROP DATABASE
is meant to only be run by privileged users, however if a non-privileged
user runs one of these commands, the buffer overflow occurs before any
access control takes place. Therefore a non-privileged user can use this
security hole to take complete control of a Sybase server.
Also, on Sybase 12.5 you can declare VARCHAR data types as large as
16384. On Sybase 12.0, VARCHARs are limited to a max length of 255
characters. Therefore the code example from the advisory will not
run on Sybase 12.0. For Sybase 12.0 on Solaris, a FATAL error is
generated when executing the statement as a non-privileged user with a
255 character VARCHAR; however, based on our research it appears that it
is not exploitable on Sybase 12.0. It is, however, exploitable on Sybase
12.5 on most platforms.
ASI Sybase Security Alert: Buffer overflow in DBCC CHECKVERIFY
Same as above, this command is meant to only be run by privileged users,
however if a non-privileged user runs one of these commands, the buffer
overflow occurs before any access control takes place. Therefore a
non-privileged user can use this security hole to take complete control
of a Sybase server.
Again, Sybase 12.0 VARCHARs are limited to 255 characters. Therefore the
code example will not run on Sybase 12.0, so this version of
Sybase is not vulnerable. Only Sybase 12.5 is vulnerable; however, it is
vulnerable on most platforms.
There has also been feedback (specifically from Sybase) that this is
a "hypothetical" security vulnerability. We have not published exploit
code. There is, however, no doubt that they are exploitable
vulnerabilities. This security hole is very similar to many of the
buffer overflows that have been discovered in Microsoft SQL Server by
Cesar Cerrudo and NGSSoftware. Several white papers which include
exploit code for this problem have been written by the really clever
gents over at NGSSoftware. Below are references to their papers:
http://www.nextgenss.com/papers/tp-SQL2000.pdf - see Appendix B and C
http://www.nextgenss.com/papers/violating_database_security.pdf
Please, we welcome any additional feedback.
Regards,
Aaron
_______________________________
Aaron C. Newman
CTO/Founder
Application Security, Inc.
www.appsecinc.com
Phone: 212-420-9720
Fax: 212-420-9680
- Protection Where It Counts -