[NT] Buffer Overflow Found in SQLBase

From: support@securiteam.com
Date: 02/11/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 11 Feb 2003 14:34:50 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Buffer Overflow Found in SQLBase
    ------------------------------------------------------------------------

    SUMMARY

    SQLBase 8.1.0 is a relational database management system (RDBMS),
    providing a complete implementation of Structured Query Language (SQL)
    as well as its own control language. It is designed and built
    specifically for PC networks supporting various LAN/WAN configurations.
    According to the vendor's website, more than 1 million users have used
    their technology.

    The "EXECUTE" command executes a stored command or procedure. The syntax
    of this command is:
        EXECUTE [auth ID].stored_command_or_procedure_name

    Passing an extremely large command/procedure name as the parameter to the
    EXECUTE command crashes SQLBase, giving the attacker System Privileges.

    DETAILS

    Vulnerable systems:
     * SQLBase version 8.1.0

    A buffer overflow occurs when the string length exceeds 700 characters.
    The command we execute is as follows:

         EXECUTE SYSADM.AAAAAAAAAAA...(700 times)

    This was found to be true on a database we had created, but it also
    exists on the default ISLAND database. This could potentially allow
    execution of system commands with the privileges of the GuptaSQL Service
    (Local System). The vulnerability causes the SQLBase service to crash,
    thus shutting down the database. Even without system-level exploitation,
    it can easily be used for a very simple denial-of-service attack.
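    A defender-side check on the EXECUTE syntax described above, added here
    as an example and not part of the NII advisory or the SecuriTeam bulletin:
    it parses statements of the form EXECUTE [auth ID].name from a
    constructed, hypothetical query-log sample and flags any target name far
    longer than a legitimate stored command or procedure could be. The
    one-statement-per-line log format, the 128-character threshold and the
    sample statements are all assumptions.

```python
import re

# Constructed sample statements, as they might appear one per line in a
# query log. This is an assumed format, not SQLBase's own log layout.
SAMPLE_STATEMENTS = [
    "EXECUTE SYSADM.MONTHLY_REPORT",
    "SELECT * FROM CUSTOMERS",
    "EXECUTE " + "A" * 700,            # the 8.1.0 crash length from the advisory
    "execute sysadm." + "B" * 1200,    # well past the reported threshold
]

# Name length above which an EXECUTE target is treated as suspicious.
# The advisory reports crashes at 700 (8.1.0) and 350 (8.0.0) characters;
# real stored-command names are far shorter, so 128 is a conservative
# assumed alerting threshold, not a value from the advisory.
MAX_NAME_LEN = 128

# EXECUTE [auth ID].stored_command_or_procedure_name, optional trailing ';'
EXECUTE_RE = re.compile(
    r"^\s*EXECUTE\s+(?:(?P<auth>[^\s.]+)\.)?(?P<name>\S+?)\s*;?\s*$",
    re.IGNORECASE,
)


def parse_execute(stmt):
    """Return (auth_id, name) for an EXECUTE statement, else None."""
    m = EXECUTE_RE.match(stmt)
    if m is None:
        return None
    return m.group("auth"), m.group("name")


def flag_oversized_execute(statements, limit=MAX_NAME_LEN):
    """Return (index, auth_id, name_length) for each EXECUTE whose target
    name exceeds `limit`; non-EXECUTE statements are ignored."""
    hits = []
    for i, stmt in enumerate(statements):
        parsed = parse_execute(stmt)
        if parsed is None:
            continue
        auth, name = parsed
        if len(name) > limit:
            hits.append((i, auth, len(name)))
    return hits


if __name__ == "__main__":
    for idx, auth, length in flag_oversized_execute(SAMPLE_STATEMENTS):
        print(f"statement {idx}: auth={auth!r} name length={length} > {MAX_NAME_LEN}")
```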

    Analysis:
    Any attacker can exploit this buffer overflow to gain LocalSystem
    privileges on the server, since SQLBase runs as a service with
    LocalSystem privileges. In addition, the attacker can authenticate to the
    default ISLAND database using the SYSADM username and a blank password.
    If that database has been removed, the attacker must instead be a
    legitimate user; however, SYSADM is not required, as any ordinary user
    can trigger the overflow.

    Detection:
    A buffer overflow in the EXECUTE command was detected in an earlier
    version of SQLBase (v8.0.0) by NII in early January. The vendor released
    a list of patches for that version, one of which was bug ID 76532B
    (http://www.guptaworldwide.com/tech/support/81fixes.htm).

    However, it seems that the vendor has not patched the latest version
    correctly. The new version, version 8.1.0, also has a similar
    vulnerability but it requires 700 characters instead of the earlier 350.

    Recovery:
    The SQLBase Service crashes and it needs to be then restarted. However,
    since it runs with LocalSystem privileges, a buffer overflow in it allows
    the attacker full access to the system.

    Vendor response:
    The vendor acknowledged this vulnerability and partially rectified it in
    release 8.1.0. LogABug of Gupta WorldWide assigned Defect ID 76532B to
    this issue. The bug has not been properly rectified: in the old 8.0.0
    version the overflow occurred at 350 characters, whereas in the new
    version it takes 700 characters to crash the service.

    Disclosure timeline:
    January 3rd: Buffer overflow found in SQLBase 8.0.0 EXECUTE command
    January 4th: Reported to vendor
    January 6th: Response from LogABug (logabug@guptaworldwide.com)
    January 20th: SQLBase version 8.1.0 released, which "claimed" to have
    patched the above vulnerability
    January 29th: A similar buffer overflow found in the new version 8.1.0,
    but now with 700 chars instead of 350
    January 29th: Reported to vendor. We did not get any confirmation even
    after reminding them about it.

    ADDITIONAL INFORMATION

    The information has been provided by Arjun Pednekar <arjunp@nii.co.in>.
