[NT] Informix Multiple Buffer Overflow Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 15 Aug 2006 11:16:36 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Informix Multiple Buffer Overflow Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Informix Dynamic Server is a database developed by IBM. During a security
assessment of Informix multiple buffer overflow vulnerabilities were
discovered that could be exploited via SQL or the protocol.
DETAILS
At the SQL level the following SQL statements are vulnerable to overflow.
SET DEBUG FILE
IFX_FILE_TO_FILE
FILETOCLOB
LOTOFILE
DBINFO
At the protocol level, overflows were found in the following C functions
_sq_remview
_sq_remproc
_sq_remperms
_sq_distfetch
_sq_dcatalog
Each of these call the getname() function. The getname() function takes a
source string and copies it to a destination buffer - much like strcpy().
Each of these overflows are trivially exploitable. All have been assigned
to CVE-2006-3857.
Further to these overflows, unhandled exceptions can be triggered with a
NULL pointer in the _sq_scroll and _sq_bbind functions at the protocol
level. Exploitation of these two flaws would result in a DoS condition.
These two issues have been assigned to CVE-2006-3856.
Fix Information:
IBM was alerted to these flaws between the 6th and the 18th January 2005.
Patches have now been made available.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3857>
CVE-2006-3857
ADDITIONAL INFORMATION
The information has been provided by <mailto:davidl@xxxxxxxxxxxxxxx>
David Litchfield.
The original article can be found at:
<http://www.ngssoftware.com/research/>
http://www.ngssoftware.com/research/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] ImageMagick ReadSGIImage() Heap Overflow
- Next by Date: [NT] Informix Dunamic Server Multiple Arbitrary File Access (Write/Read) Vulnerabilities
- Previous by thread: [UNIX] ImageMagick ReadSGIImage() Heap Overflow
- Next by thread: [NT] Informix Dunamic Server Multiple Arbitrary File Access (Write/Read) Vulnerabilities
- Index(es):
Relevant Pages
|
|
