[NT] Multiple Vulnerabilities in Adaptive Server Anywhere Network Server

From: SecuriTeam (support_at_securiteam.com)
Date: 12/14/03

    To: list@securiteam.com
    Date: 14 Dec 2003 15:04:06 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple Vulnerabilities in Adaptive Server Anywhere Network Server
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.sybase.com> Adaptive Server Anywhere, "the relational
    database at the core of SQL Anywhere Studio 8, is a transaction-based SQL
    database designed for personal and workgroup use. Adaptive Server Anywhere
    runs on a wide range of operating systems, including many flavors of
    Windows and UNIX, as well as on Novell NetWare. It runs on hardware
    ranging from multiple-CPU workgroup servers to the most modest PCs, as
    well as on Windows CE devices." NGSSoftware Insight Security Research has
    found multiple vulnerabilities in the product (format string
    vulnerabilities, buffer overflows, and denial of service vulnerabilities).

    DETAILS

    Vulnerable systems:
     * Adaptive Server Anywhere Network Server version 9.0.0 builds prior to
    1250

    Immune systems:
     * Adaptive Server Anywhere Network Server version 9.0.0 build 1250

    Format String Vulnerability:
    The extended stored procedure XP_SPRINTF is vulnerable to a format string
    attack, allowing an authenticated user to escalate privileges to 'dba'
    within the database or to execute arbitrary code in the context of the
    process user.

    Buffer Overflows:
    The following CREATE statements are vulnerable to buffer overrun attacks,
    again allowing the attacker to run arbitrary code in the context of the
    process user:
     - DATABASE
     - [COMPRESSED | EXPANDED] DATABASE
     - ENCRYPTED FILE
     - DECRYPT FILE
     - DBSPACE
     - WRITE FILE

    The above CREATE statements, however, have a default permission setting of
    'DBA'.

    The following ALTER statements are vulnerable to buffer overrun attacks:
     - DATABASE
     - WRITEFILE

    The above ALTER statements have a default permission setting of 'DBA'.

    The following BACKUP statements are vulnerable to buffer overrun attacks:
     - DATABASE DIRECTORY
     - DATABASE TO

    The above BACKUP statements have a default permission setting of 'DBA'.

    Other statements vulnerable to buffer overrun attacks include:
     - INSTALL JAVA - 'dba'
     - DROP DATABASE - 'dba'
     - RESTORE DATABASE - 'dba'
     - START DATABASE - 'defaults to all on personal database server and DBA on
    network server'

    The following Stored Procedures and Procedures are vulnerable to Buffer
    Overrun Attacks:
     - XP_STARTSMTP - 'DBA'
     - XP_SENDMAIL - 'DBA'
     - SP_REMOTE_COLUMNS - 'NONE'
     - SP_REMOTE_EXPORTED_KEYS - 'NONE'
     - SP_REMOTE_IMPORTED_KEYS - 'NONE'
     - SP_REMOTE_PRIMARY_KEYS - 'NONE'
     - SP_REMOTE_TABLES - 'NONE'
     - SA_FORWARD_TO - 'NONE'
     - SA_EXEC_SCRIPT - 'DBA'

    Denial of Service:
    The following FUNCTIONS allow denial of service attacks to be carried out
    against Sybase Anywhere 9:
     - Multiple SET TEMPORARY OPTIONS
     - DIFFERENCE
     - PROPERTY
     - CONNECTION_PROPERTY
     - CSCONVERT
     - DB_EXTENDED_PROPERTY
     - FIRST ESTIMATE
     - GET_IDENTITY
     - HEXTOINT
     - PROPERTY_DESCRIPTION
     - PROPERTY_NUMBER
     - IF VAREXISTS
     - SORTKEY
     - PRINT

    Solution:
    NGSSoftware alerted SYBASE to in excess of 50 vulnerabilities in November
    and an update was released on December 5th, a clear demonstration of
    Sybase's commitment to security. Download the EBF for SQL Anywhere 9.0.0
    build 1250 from:
    <http://downloads.sybase.com/swd/swx/sdsummary.stm?baseprodName=SQL+Anywhere+Studio&baseprod=144&client=swx&previewObj=4&timeframeObj=6>
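
    Added example, not part of the advisory or of any Sybase or NGSSoftware
    code: Python that classifies a server build against the 9.0.0 build 1250
    fix and flags, in a statement log, calls by non-DBA accounts to the
    procedures the advisory lists as reachable without DBA authority. The
    version-string format, the log layout and the sample lines are assumptions
    constructed for illustration.

```python
import re

FIXED_BUILD = 1250  # advisory: 9.0.0 build 1250 is immune
# Procedures the advisory lists as reachable without DBA authority.
NON_DBA_PROCS = {"xp_sprintf": "format string", "sa_forward_to": "buffer overrun"}
NON_DBA_PROCS.update({"sp_remote_" + s: "buffer overrun" for s in (
    "columns", "exported_keys", "imported_keys", "primary_keys", "tables")})
PROC_RE = re.compile(r"\b(" + "|".join(NON_DBA_PROCS) + r")\b", re.IGNORECASE)
STRING_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")
# Assumed log layout (constructed): "<date> <time> user=<name> dba=<0|1> stmt=<sql>"
LINE_RE = re.compile(r"user=(\S+) dba=([01]) stmt=(.*)$")


def build_status(version):
    """Classify a 'major.minor.patch.build' string against the advisory."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected major.minor.patch.build, got %r" % version)
    major, minor, patch, build = map(int, parts)
    if (major, minor, patch) != (9, 0, 0):
        return "not covered"  # the advisory only speaks about 9.0.0
    # Assumption: builds after 1250 keep the fix.
    return "vulnerable" if build < FIXED_BUILD else "fixed"


def flag_calls(log_lines):
    """Return (user, procedure, bug class) for listed calls by non-DBA users."""
    findings = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m.group(2) == "1":
            continue
        # Drop string literals so a name that appears only as data is ignored.
        sql = STRING_LITERAL_RE.sub("''", m.group(3))
        for name in PROC_RE.findall(sql):
            findings.append((m.group(1), name.lower(), NON_DBA_PROCS[name.lower()]))
    return findings


SAMPLE_LOG = [  # constructed lines, not real server output
    "2003-12-10 09:14:02 user=report_ro dba=0 stmt=CALL dbo.SP_REMOTE_TABLES('srv1')",
    "2003-12-10 09:14:07 user=dba dba=1 stmt=CALL xp_sprintf(buf, '%s', 'x')",
    "2003-12-10 09:15:11 user=webapp dba=0 stmt=SELECT 'xp_sprintf' FROM dummy",
    "2003-12-10 09:15:40 user=webapp dba=0 stmt=CALL xp_sprintf(buf, fmt, arg)",
]
if __name__ == "__main__":
    print(build_status("9.0.0.1221"))
    for finding in flag_calls(SAMPLE_LOG):
        print(finding)
```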

    ADDITIONAL INFORMATION

    The advisory can also be found at:
    <http://www.nextgenss.com/advisories/sybase.txt>

    The information has been provided by <mailto:mark@ngssoftware.com> Next
    Generation Insight Security Research (NGS Software).
