[UNIX] MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 01/16/05

    To: list@securiteam.com
    Date: 16 Jan 2005 10:56:01 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     MaxDB by MySQL (http://www.mysql.com/products/maxdb/) is "a re-branded
    and enhanced version of SAP DB, SAP AG's open source database. MaxDB is a
    heavy-duty, SAP-certified open source database that offers high
    availability, scalability and a comprehensive feature set. MaxDB
    complements the MySQL database server, targeted for large mySAP ERP
    environments and other applications that require maximum enterprise-level
    database functionality".

    Remote exploitation of a stack-based buffer overflow vulnerability in
    MySQL MaxDB could allow attackers to execute arbitrary code.

    DETAILS

    Vulnerable Systems:
     * MySQL MaxDB version 7.5.00

    Immune Systems:
     * MySQL MaxDB version 7.5.00.18

    The vulnerability specifically exists due to a lack of bounds checking in
    the websql CGI application. The value of the password parameter is
    converted to Unicode (each input byte becoming a two-byte code unit) and
    then copied to a fixed-size stack buffer. The resulting overflow can
    overwrite the saved values for EIP and EBP if supplied with a 294-byte
    value. The stored register values are overwritten with portions of the
    Unicode copy of the string, which may be leveraged to execute arbitrary
    code with SYSTEM privileges. A simple overwrite with a long password value
    results in the following debugger output (0x00410041 is the UTF-16LE
    encoding of the two characters "AA"):

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to thread 328.0xc80]
    0x00410041 in ?? ()
    (gdb) bt
    #0 0x00410041 in ?? ()
    #1 0x00410041 in ?? ()
    #2 0x00420042 in ?? ()
    #3 0x00430043 in ?? ()
    #4 0x00440044 in ?? ()
    (gdb) i r
    eax 0x0 0
    ecx 0x440044 4456516
    edx 0x440044 4456516
    ebx 0x1a789e0 27757024
    esp 0x1559490 0x1559490
    ebp 0x410041 0x410041
    esi 0x1a72190 27730320
    edi 0x1a3d2d4 27513556
    eip 0x410041 0x410041
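    The copy pattern the advisory describes, shown as an added example that is
    not code from the advisory or from MaxDB: an unchecked ASCII-to-UTF-16LE
    widening loop next to a bounds-checked version that rejects input whose
    widened form would not fit the destination, plus a helper that reads a
    crash-time register value as two UTF-16LE code units (which is why the
    saved EIP above reads as "AA"). The buffer capacity PASSWORD_CAP, the
    function names and the sample inputs are assumptions made for the example.

```c
/* Added example, not MaxDB code: bounds-checked widening of a request
 * parameter into a fixed stack buffer, and decoding of a faulting register
 * value as UTF-16LE. Capacity and names are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PASSWORD_CAP 64   /* assumed capacity in UTF-16 code units (hypothetical) */

/* The unsafe pattern the advisory describes: every input byte becomes one
 * 16-bit code unit, so the output is twice the input length. A caller that
 * only compares strlen(src) against sizeof(dst) in bytes still overflows. */
static void widen_unchecked(uint16_t *dst, const char *src)
{
    while (*src)
        *dst++ = (uint16_t)(unsigned char)*src++;
    *dst = 0;
}

/* Hardened form: cap is the destination size in code units. Returns the
 * number of code units written (without the terminator), or -1 if the
 * widened string plus its terminator would not fit. Nothing is written to
 * dst on failure, so a rejected request cannot touch the saved EBP/EIP. */
static int widen_checked(uint16_t *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0 || n > cap - 1)
        return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint16_t)(unsigned char)src[i];
    dst[n] = 0;
    return (int)n;
}

/* Interpret a 32-bit register value as two little-endian UTF-16 code units.
 * Printable ASCII units are written to out; others become '.'. Returns the
 * number of printable units. A return of 2 for EIP/EBP is a strong hint that
 * saved registers were overwritten with widened input text. */
static int register_as_utf16(uint32_t reg, char out[3])
{
    uint16_t units[2] = { (uint16_t)(reg & 0xFFFFu), (uint16_t)(reg >> 16) };
    int printable = 0;
    for (int i = 0; i < 2; i++) {
        if (units[i] >= 0x20 && units[i] < 0x7F) {
            out[i] = (char)units[i];
            printable++;
        } else {
            out[i] = '.';
        }
    }
    out[2] = '\0';
    return printable;
}

int main(void)
{
    uint16_t buf[PASSWORD_CAP];
    char decoded[3];
    char longpw[295];                 /* constructed: 294 'A's, as in the advisory */
    memset(longpw, 'A', 294);
    longpw[294] = '\0';

    widen_unchecked(buf, "ok");       /* in-bounds use of the unsafe loop */
    printf("short password widened: %d units\n",
           widen_checked(buf, PASSWORD_CAP, "secret"));
    printf("294-byte password: %d (rejected)\n",
           widen_checked(buf, PASSWORD_CAP, longpw));
    register_as_utf16(0x00410041u, decoded);
    printf("EIP 0x00410041 as UTF-16LE: \"%s\"\n", decoded);
    return 0;
}
```

    The check in widen_checked is done in code units rather than bytes on
    purpose: measuring the input in bytes against a byte-sized destination is
    exactly the mistake that a widening copy turns into a two-fold overflow.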

    Analysis:
    Successful exploitation of the vulnerability can allow remote attackers to
    execute code with SYSTEM privileges. Note that the vulnerability is in the
    web administration service which should be configured to not allow
    connections from untrusted hosts or listen on public facing network
    interfaces.

    Workaround:
    Employ firewalls, access control lists or other TCP/UDP restriction
    mechanisms to limit access to administrative systems and services.

    Vendor response:
    The vulnerability has been addressed in MaxDB 7.5.00.18.

    Further details are available at:
    http://www.sapdb.org/webpts?wptsdetail=yes&ErrorType=0&ErrorID=1131190

    Disclosure Timeline:
    12/22/2004 - Initial vendor notification
    12/27/2004 - Initial vendor response
    01/13/2005 - Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE
    (idlabs-advisories@idefense.com).
    The original article can be found at:
    http://www.idefense.com/application/poi/display?id=181&type=vulnerabilities


