[UNIX] Sybase ASE Multiple Security Issues

From: SecuriTeam (support_at_securiteam.com)
Date: 04/05/05

    To: list@securiteam.com
    Date: 5 Apr 2005 18:40:18 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Sybase ASE Multiple Security Issues
    ------------------------------------------------------------------------

    SUMMARY

    This document describes the details of six security flaws in Sybase
    Adaptive Server Enterprise reported to Sybase by NGS Software (NGSS) in
    2004. Sybase has released patches for all of the security flaws described
    in this document.

    DETAILS

    Vulnerable Systems:
     * Sybase ASE versions prior to 12.5.3 ESD#1

    Impact:
    All of the buffer overflow vulnerabilities described in this document
    require an attacker to have a valid username and password for the Sybase
    server. If an attacker does not have - and cannot guess - a username and
    password, these vulnerabilities cannot be exploited.

    The first four buffer overflow vulnerabilities represent the most serious
    security problem because they occur in internal parsing components and
    built-in functions that are accessible to all authenticated Sybase users.
    This makes it more difficult to apply a workaround, since the attacker
    requires no special permission to take advantage of these flaws, and no
    mechanism exists to prevent a user from executing the vulnerable code.

    An additional factor when evaluating the risk posed by these
    vulnerabilities is SQL injection. SQL injection is a common problem among
    modern web applications, and it poses a particular threat when combined
    with buffer overflow vulnerabilities in this class, since it can allow an
    attacker that does not have knowledge of valid database credentials to
    execute queries of their choice. If the database server is vulnerable to
    buffer overflows that can be exploited by any authenticated user, the
    attacker can trigger the overflow via a SQL injection attack and gain full
    control of the database server.

    An attacker that successfully exploited one of these flaws would be able
    to execute the code of their choice in the security context of the Sybase
    database server process, which could grant them full control over all data
    managed by that Sybase server - effectively, the attacker could do
    anything that the Sybase server could do. If the best practice recommended
    by Sybase has been followed, the Sybase server should be running as a
    low-privileged user so the attacker would not necessarily gain full
    control of the host that Sybase ASE was running on.

    It is worth noting, however, that in some configurations - notably when
    running on Windows servers - the Sybase server runs within the context of
    an administrative account by default.

    The serious buffer overflow vulnerabilities are:

    Sybase ASE attrib_valid overflow
    Sybase ASE convert overflow
    Sybase ASE declare data type overflow
    Sybase ASE abstract plan syntax stack overflow

    The fifth buffer overflow, the "install java" overflow, requires a user
    to be a database owner (dbo) or have the "sa" role.

    Workarounds:
    If the patch supplied by Sybase has been correctly applied, none of these
    vulnerabilities pose a threat. If applying the patch is not possible for
    some reason, there are other steps that can be taken to mitigate the risk
    posed by these security flaws. We recommend that
    Sybase users review and consider applying these steps even if the patch
    has been applied since they represent security "best practice" and will
    reduce the risk posed if similar issues are discovered in the future.

    1) Run Sybase ASE as a low-privileged user, rather than an administrative
    user. This is the configuration recommended by Sybase but it is not the
    default on some platforms.

    2) Apply a host or network-based firewall to the Sybase ASE server. Ensure
    that only trusted hosts can connect to the server, and that the server can
    only connect to hosts that it needs to connect to. This will prevent
    unauthorized users from accessing the server, and will reduce the impact
    on the rest of the network if some component of the Sybase ASE server is
    compromised.

    3) Restrict the number of users that have accounts on the Sybase server.
    Four of the buffer overflows detailed in this document can be triggered by
    any user that has the ability to run a query on the server; if the ability
    to run queries chosen by a user can be restricted, the risk posed by these
    security flaws is greatly reduced.

    4) Enforce password complexity and lockout. Sybase ASE has excellent
    features for enforcing password complexity and can lock out accounts after
    a specified number of failed attempts to authenticate. These features can
    prevent an attacker from using brute-force techniques to guess database
    passwords.

    5) If practical, enable auditing on your Sybase server. Sybase ASE has rich
    auditing features that should enable you to track suspicious activity and
    hopefully prevent an incident.

    6) With publication of this document, IDS and IPS vendors should be able
    to create signatures that track attempts to exploit these vulnerabilities.
    We recommend the use of IDS and IPS systems as a part of a broader
    security strategy.
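
    The server-side parts of steps 3, 4 and 5 above, plus a patch-level check, written as Transact-SQL an administrator could run. This is an added example, not code from the advisory, from NGSS or from Sybase; the sp_configure, sp_audit and sp_locklogin option names are assumed to be those of ASE 12.5.x, and the locked login name is constructed.

```sql
-- Added hardening example for the workaround steps above; it is not part of
-- the advisory. The sp_configure / sp_audit option names are assumed to be
-- the Sybase ASE 12.5.x names: check them against your server's documentation.
-- Run as a login holding sa_role (sso_role is needed for the locking and
-- auditing commands).

-- Confirm the patch level first: the fix is in ASE 12.5.3 ESD#1.
select @@version
go

-- Step 4: password complexity and lockout, server-wide.
sp_configure "minimum password length", 8
go
sp_configure "check password for digit", 1
go
sp_configure "maximum failed logins", 5   -- lock a login after 5 failures
go

-- Step 3: shrink the set of logins that can run queries. Lock rather than
-- drop unused logins so that object ownership and history stay reviewable.
-- "legacy_report_user" is a constructed name, not one from the advisory.
sp_locklogin "legacy_report_user", "lock"
go
sp_locklogin          -- with no arguments: lists all currently locked logins
go

-- Step 5: auditing. Requires the sybsecurity audit database to be installed.
sp_configure "auditing", 1
go
sp_audit "login", "all", "all", "on"      -- record every login attempt
go
sp_audit "logout", "all", "all", "on"
go
-- Read the current audit table during a review of repeated failed logins.
select * from sybsecurity..sysaudits_01
go
```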

    Technical Details:
    Sybase ASE attrib_valid overflow
    Sybase Adaptive Server Enterprise has many advanced features, including a
    rich set of procedural extensions to the SQL language, known as
    Transact-SQL. These extensions include functions for manipulating data
    types. One of these functions, "attrib_valid", contains a stack buffer
    overflow.

    Sybase ASE convert overflow
    Another of the extensions to the SQL language that Sybase ASE implements
    is a set of functions for manipulating data types. One of these functions,
    "convert", allows a user to perform an explicit conversion between two
    data types. The convert function can be invoked to cause a stack buffer
    overflow.

    Sybase ASE declare data type overflow
    Sybase ASE implements a number of extensions to the SQL language that
    relate to procedural execution. One component of this set of extensions is
    the ability to declare variables of specified types, using the "declare"
    statement. The "declare" statement can be constructed to cause a stack
    buffer overflow.

    Sybase ASE abstract plan syntax stack overflow
    Sybase ASE implements many performance optimisation mechanisms. One of
    these mechanisms allows a user to specify an abstract query plan when
    executing a SQL query. A query plan specifies the precise manner in which
    the underlying data and indexes are to be accessed while a query is
    running, and allows extremely fine-grained control over the performance of
    the query. All users that can execute SQL queries can specify query plans.

    A query plan can be created such that it causes stack buffer overflow. If
    successfully exploited, this could allow an attacker to execute code of
    their choice in the security context of the Sybase server.

    Sybase ASE INSTALL JAVA NEW FROM FILE overflow
    Sybase ASE contains many features that allow greater interoperation
    between the database and the Java language; if the use of Java has been
    enabled on a particular server, it is possible to execute Java methods
    within Transact-SQL as though they were a part of the language. One
    additional Java-related feature of ASE is the ability to add custom Java
    classes to the database server's pre-installed set of Java classes. The
    statement that enables this functionality, the "install java" statement,
    can be constructed so as to cause a stack buffer overflow.

    The impact of this buffer overflow is reduced by the fact that only
    database owners and users with the "sa" role can execute the "install
    java" command.

    Sybase ASE XP_SERVER - DENIAL OF SERVICE
    Sybase ASE allows users to extend its features by permitting the execution
    of functions in external, dynamically loadable libraries. These functions
    are known as "extended stored procedures". Sybase ASE loads these
    libraries into an external process known as the "xp_server". The xp_server
    normally listens on a default TCP port on a Sybase ASE server. It is
    possible for an unauthenticated remote attacker to cause the xp_server to
    crash by submitting garbage data to this TCP port, for example by
    directing a web browser at the relevant TCP port on the server.

    Fix Information:
    These issues are fixed in Sybase ASE 12.5.3 ESD#1. For more information,
    see here:
     <http://www.sybase.com/detail?id=1034520>
    and here:
     <http://www.sybase.com/detail?id=1034752>

    ADDITIONAL INFORMATION

    The information has been provided by NGSSoftware Insight Security Research
    <mailto:nisr@nextgenss.com>.
    The original article can be found at:
    <http://www.ngssoftware.com/advisories/sybase-ase.txt>


