[VulnWatch] Buffer OverFlow in SQLBase 8.1.0 - NII Advisory

From: Arjun Pednekar (arjunp@nii.co.in)
Date: 02/10/03

  • Next message: Marc Schoenefeld: "[VulnWatch] Java-Applet crashes Opera 6.05 and 7.01"
    From: "Arjun Pednekar" <arjunp@nii.co.in>
    To: <bugtraq@securityfocus.com>
    Date: Mon, 10 Feb 2003 14:30:39 -0800
    
    

    BUFFER OVERFLOW IN SQLBASE 8.1.0
    ===================================================
    Advisory: Password Disclosure in Cryptainer
    Vendor: Gupta Technologies LLC http://www.guptaworldwide.com
    Versions affected: SQLBase 8.1.0
    Date: 10th February 2003
    Type of Vulnerability: Remotely Exploitable Buffer Overflow
    Severity: High

    Discovered by: Arjun Pednekar arjunp@nii.co.in
    Network Intelligence India Pvt. Ltd. http://www.nii.co.in
    Online location: http://www.nii.co.in/vuln/sqlbase.html
    ===================================================

    I. BACKGROUND

    SQLBase 8.1.0 is a fully-relational database management system (RDBMS),
    providing complete implementation of Structured Query Language (SQL) as well
    as
    its own
    control language. It is designed and built specifically for PC networks
    supporting various LAN/WAN configurations. According to their website, more
    than
    1 million users have used their technology.

    Execute command executes a stored command or procedure. The syntax of this
    command is :
        EXECUTE [auth ID].stored_command_or_procedure_name

    Passing an extremely large command/procedure name as the parameter to the
    Execute command crashes SQLBase, giving the attacker System
    Privileges.

    II. DESCRIPTION

    Buffer overflow occurs when the string length exceeds 700 characters.The
    command we executed was as follows:

         EXECUTE SYSADM.AAAAAAAAAAA...(700 times)

    This was found to be true on a database we had created, but it also
    does exist on the default ISLAND database. This could potentially allow
    execution of system commands with
    privileges of the GuptaSQL Service (Local System). This vulnerability causes
    the SQL Base service to crash thus closing down the database. If not for
    system
    exploitation, it could easily be used for a very simple denial of service
    attack.

    III. ANALYSIS

    Any attacker can exploit this buffer overflow to gain LocalSystem privileges
    on the server. SQLBase runs as a Service with LocalSystem privileges. Also,
    the attacker can authenticate by using the SYSADM username and a blank
    password for the default ISLAND database. Or if this database has been
    removed, he must then be a legitimate user. But he need not be the SYSADM,
    any ordinary user can execute the overflow.

    IV. DETECTION
    Buffer Overflow in EXECUTE Command was detected in earlier version of
    SQLBase (v 8.0.0) by NII in early January. The vendor released a list of
    patches
    to this version one of which was bug ID 76532B
    http://www.guptaworldwide.com/tech/support/81fixes.htm
    However it seems that the vendor has not patched the latest version
    correctly.
    The new version, v 8.1.0, also has
    a similar vulnerability but it requires 700 characters instead of the
    earlier
    350

    V. RECOVERY
    The SQLBase Service crashes and it needs to be then restarted. But since it
    runs with LocalSystem privileges, a buffer overflow in it allows the
    attacker full access to the system.

    VI. VENDOR RESPONSE
    The vendor acknowledged this vulnerability and partially rectified it in
    release 8.1.0.
    LogABug of Gupta WorldWide has given the following ID to this issue.
    Defect ID: 76532B
    This bug has not been properly rectified. In the old 8.0.0 version, the BO
    was at 350 characters, whereas in the new version it takes 700 characters to
    crash the service.

    VII. DISCLOSURE TIMELINE
    January 3rd : Buffer Over flow found in SQLBase 8.0.0 EXECUTE command
    January 4th : Reported to Vendor
    January 6th : Response from LogaBug (logabug@guptaworldwide.com)
    January 20th : SQLBase version 8.1.0 released which "claimed" to have
    patched the above vulnerability
    January 29th : A similar BOF found in the new version 8.1.0, but now with
    700 chars instead of 350
    January 29th : Reported to Vendor. We did not get any confirmation even
    after
    reminding them about it.

    Other advisories:
    http://www.nii.co.in/research/advisories.html

    We believe in Responsible Disclosure and you may read our Policy at
    http://www.nii.co.in/vdp.html

    Arjun Pednekar
    Systems Security Analyst
    Network Intelligence India Pvt. Ltd.
    Web: www.nii.co.in
    Tel: 91-22-22001530/22006019
    =================================
    AuditPro for Oracle
    http://www.nii.co.in/software/aporace.html
    Comprehensive Host-based Oracle Auditing Software
    =================================



    Relevant Pages

    • [NT] Buffer Overflow Found in SQLBase
      ... The "EXECUTE" command executes a stored command or procedure. ... EXECUTE command crashes SQLBase, ... it seems that the vendor has not patched the latest version ...
      (Securiteam)
    • Buffer OverFlow in SQLBase 8.1.0 - NII Advisory
      ... BUFFER OVERFLOW IN SQLBASE 8.1.0 ... Vendor: Gupta Technologies LLC http://www.guptaworldwide.com ... Type of Vulnerability: Remotely Exploitable Buffer Overflow ... Execute command executes a stored command or procedure. ...
      (Bugtraq)
    • Buffer Overflow in SQLBase 8.1.0
      ... Buffer Overflow in SQLBase 8.1.0 ... Vendor: Gupta Technologies LLC http://www.guptaworldwide.com ... Execute command executes a stored command or procedure. ...
      (NT-Bugtraq)
    • [LeapFTP] "PASV" Reply Buffer Overflow Vulnerability
      ... LeapFTP is a GUI base FTP Client for Windows. ... The buffer overflow occurs on the stack area if the reply that contains ... By exploiting this vulnerability, an attacker can execute an arbitrary ... 2003-05-07 Reported to vendor. ...
      (NT-Bugtraq)
    • AFFLIB(TM): Multiple Buffer Overflows
      ... Security Advisory ... Vendor Status: Vendor Notified, Fix Available ... due to the low likelihood of an attacker ... Remote Stack-based Buffer Overflow Through Use of LastModified * ...
      (Bugtraq)