Sybase ASE Multiple Security Issues (#NISR05042005)

From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: 04/05/05

    Date: Tue, 05 Apr 2005 08:25:45 +0100
    To: bugtraq@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com, vulnwatch@vulnwatch.org
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Sybase ASE Multiple Security Issues
    Systems Affected: Sybase ASE versions prior to 12.5.3 ESD#1
    Severity: High
    Vendor URL: http://www.sybase.com/
    Researchers: Mark Litchfield [ mark@ngssoftware.com ]
                  Sherief Hammad [ sherief@ngssoftware.com ]
                  Chris Anley [ chris@ngssoftware.com ]
    Date of Public Advisory: 5th April 2005
    Advisory number: #NISR05042005
    Advisory URL: http://www.ngssoftware.com/advisories/sybase-ase.txt

    Description
    ***********

    This document describes the details of six security flaws in Sybase
    Adaptive Server Enterprise reported to Sybase by NGS Software (NGSS) in
    2004. Sybase has released patches for all of the security flaws
    described in this document. Information about these patches can be found
    here:

    http://www.sybase.com/detail?id=1034520

    and here:

    http://www.sybase.com/detail?id=1034752

    NGSS advise all Sybase ASE customers to review the advice that Sybase
    has provided in the alert above, and apply the relevant patches as soon
    as is practical.

    The issues are divided into two categories - five buffer overflow
    vulnerabilities and one denial of service condition.

    Impact
    ******

    All of the buffer overflow vulnerabilities described in this document
    require an attacker to have a valid username and password for the Sybase
    server. If an attacker does not have - and cannot guess - a username and
    password, these vulnerabilities cannot be exploited.

    The first four buffer overflow vulnerabilities represent the most
    serious security problem because they occur in internal parsing
    components and built-in functions that are accessible to all
    authenticated Sybase users. This makes it more difficult to apply a
    workaround, since the attacker requires no special permission to take
    advantage of these flaws, and no mechanism exists to prevent a user from
    executing the vulnerable code.

    An additional factor when evaluating the risk posed by these
    vulnerabilities is SQL injection. SQL injection is a common problem
    among modern web applications, and it poses a particular threat when
    combined with buffer overflow vulnerabilities in this class, since it
    can allow an attacker that does not have knowledge of valid database
    credentials to execute queries of their choice. If the database server
    is vulnerable to buffer overflows that can be exploited by any
    authenticated user, the attacker can trigger the overflow via a SQL
    injection attack and gain full control of the database server.

    An attacker that successfully exploited one of these flaws would be able
    to execute the code of their choice in the security context of the
    Sybase database server process, which could grant them full control over
    all data managed by that Sybase server - effectively, the attacker could
    do anything that the Sybase server could do. If the best practice
    recommended by Sybase has been followed, the Sybase server should be
    running as a low-privileged user so the attacker would not necessarily
    gain full control of the host that Sybase ASE was running on.

    It is worth noting, however, that in some configurations - notably when
    running on Windows servers - the Sybase server runs within the context
    of an administrative account by default.

    The serious buffer overflow vulnerabilities are:

    Sybase ASE attrib_valid overflow
    Sybase ASE convert overflow
    Sybase ASE declare data type overflow
    Sybase ASE abstract plan syntax stack overflow

    The fifth buffer overflow, the "install java" overflow, requires a user
    to be a database owner (dbo) or have the "sa" role.

    Workarounds
    ***********

    If the patch supplied by Sybase has been correctly applied, none of
    these vulnerabilities pose a threat. If applying the patch is not
    possible for some reason, there are other steps that can be taken to
    mitigate the risk posed by these security flaws. We recommend that
    Sybase users review and consider applying these steps even if the patch
    has been applied since they represent security "best practice" and will
    reduce the risk posed if similar issues are discovered in the future.

    1) Run Sybase ASE as a low-privileged user, rather than an
    administrative user. This is the configuration recommended by Sybase but
    it is not the default on some platforms.
    2) Apply a host or network-based firewall to the Sybase ASE server.
    Ensure that only trusted hosts can connect to the server, and that the
    server can only connect to hosts that it needs to connect to. This will
    prevent unauthorised users from accessing the server, and will reduce
    the impact on the rest of the network if some component of the Sybase
    ASE server is compromised.
    3) Restrict the number of users that have accounts on the Sybase server.
    Four of the buffer overflows detailed in this document can be triggered
    by any user that has the ability to run a query on the server; if the
    ability to run queries chosen by a user can be restricted, the risk
    posed by these security flaws is greatly reduced.
    4) Enforce password complexity and lockout. Sybase ASE has excellent
    features for enforcing password complexity and can lock out accounts
    after a specified number of failed attempts to authenticate. These
    features can prevent an attacker from using brute-force techniques to
    guess database passwords.
    5) If practical, enable auditing on your Sybase server. Sybase ASE has
    rich auditing features that should enable you to track suspicious
    activity and hopefully prevent an incident.
    6) With publication of this document, IDS and IPS vendors should be able
    to create signatures that track attempts to exploit these
    vulnerabilities. We recommend the use of IDS and IPS systems as a part
    of a broader security strategy.
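    One way to build the query-inspection heuristic that step 6 anticipates, as an added example that is not part of the original advisory: it runs over constructed sample statements and reports the constructs the Details section names. The audit-trail source, the 256-character threshold and the sample statements are assumptions, since the advisory publishes no trigger lengths.

```python
import re

# Assumed threshold (not from the advisory, which publishes no trigger lengths):
# a token or quoted literal longer than this, inside a statement that uses one
# of the named constructs, is reported for review.
LONG_ARG = 256

# Constructs the advisory names as overflow sites; matched case-insensitively.
WATCHED = {
    "attrib_valid": re.compile(r"\battrib_valid\s*\(", re.I),
    "convert": re.compile(r"\bconvert\s*\(", re.I),
    "declare": re.compile(r"\bdeclare\b", re.I),
    "abstract plan": re.compile(r"\bplan\s*['\"]", re.I),
}
# Privileged statement: worth logging whenever it appears, whatever its size.
INSTALL_JAVA = re.compile(r"\binstall\s+java\b", re.I)

# Constructed sample of captured T-SQL text (e.g. from an audit trail with
# command-text auditing enabled); not real traffic from any server.
SAMPLE_QUERIES = [
    "select name from sysobjects where type = 'U'",
    "select convert(varchar(30), getdate(), 109)",
    "declare @x int select @x = 1",
    "select convert(varchar, '" + "A" * 600 + "')",
    "declare @v " + "B" * 700 + " select 1",
    "select * from t plan '" + "(" * 900 + "'",
    "install java new from file '/tmp/example.jar'",
]

def longest_token(stmt):
    """Length of the longest quoted literal or bare word in the statement."""
    parts = re.findall(r"'[^']*'|\"[^\"]*\"|[^\s(),]+", stmt)
    return max((len(p) for p in parts), default=0)

def classify(stmt):
    """Names of the detection rules that fire for one statement."""
    hits = []
    if INSTALL_JAVA.search(stmt):
        hits.append("install java (privileged statement)")
    if longest_token(stmt) > LONG_ARG:
        for name, pat in WATCHED.items():
            if pat.search(stmt):
                hits.append(f"oversized argument near {name}")
    return hits

def scan(statements):
    """Map statement index -> rules fired, omitting clean statements."""
    return {i: h for i, s in enumerate(statements) if (h := classify(s))}
```

Calling scan(SAMPLE_QUERIES) reports statements 3 to 6 and leaves the three ordinary queries untouched; tune LONG_ARG against your own workload before alerting on it.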

    Details
    *******

    Sybase ASE attrib_valid overflow

    Sybase Adaptive Server Enterprise has many advanced features, including
    a rich set of procedural extensions to the SQL language, known as
    Transact-SQL. These extensions include functions for manipulating data
    types. One of these functions, "attrib_valid", contains a stack buffer
    overflow.

    Sybase ASE convert overflow

    Another of the extensions to the SQL language that Sybase ASE implements
    is a set of functions for manipulating data types. One of these
    functions, "convert", allows a user to perform an explicit conversion
    between two data types. The convert function can be invoked to cause a
    stack buffer overflow.

    Sybase ASE declare data type overflow

    Sybase ASE implements a number of extensions to the SQL language that
    relate to procedural execution. One component of this set of extensions
    is the ability to declare variables of specified types, using the
    "declare" statement. The "declare" statement can be constructed to cause
    a stack buffer overflow.

    Sybase ASE abstract plan syntax stack overflow

    Sybase ASE implements many performance optimisation mechanisms. One of
    these mechanisms allows a user to specify an abstract query plan when
    executing a SQL query. A query plan specifies the precise manner in
    which the underlying data and indexes are to be accessed while a query
    is running, and allows extremely fine-grained control over the
    performance of the query. All users that can execute SQL queries can
    specify query plans.

    A query plan can be created such that it causes a stack buffer overflow.
    If successfully exploited, this could allow an attacker to execute code
    of their choice in the security context of the Sybase server.

    Sybase ASE INSTALL JAVA NEW FROM FILE overflow

    Sybase ASE contains many features that allow greater interoperation
    between the database and the Java language; if the use of Java has been
    enabled on a particular server, it is possible to execute Java methods
    within Transact SQL as though they were a part of the language. One
    additional Java related feature of ASE is the ability to add custom Java
    classes to the database server's pre-installed set of Java classes. The
    statement that enables this functionality - the "install java" statement -
    can be constructed so as to cause a stack buffer overflow.

    The impact of this buffer overflow is reduced by the fact that only
    database owners and users with the "sa" role can execute the "install
    java" command.

    Sybase ASE XP_SERVER - DENIAL OF SERVICE

    Sybase ASE allows users to extend its features by permitting the
    execution of functions in external, dynamically loadable libraries.
    These functions are known as "extended stored procedures". Sybase ASE
    loads these libraries into an external process known as the "xp_server".
    The xp_server normally listens on a default TCP port on a Sybase ASE server.
    It is possible for an unauthenticated remote attacker to cause the
    xp_server to crash by submitting garbage data to this TCP port, for
    example by directing a web browser at the relevant TCP port on the server.

    Fix Information
    ***************

    These issues are fixed in Sybase ASE 12.5.3 ESD#1. For more information,
    see here:

    http://www.sybase.com/detail?id=1034520

    and here:

    http://www.sybase.com/detail?id=1034752

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced
    application security assessment scanners. Based in the United Kingdom,
    NGSSoftware have offices in the South of London and the East Coast of
    Scotland. NGSSoftware's sister company NGSConsulting, offers best of
    breed security consulting services, specialising in application, host
    and network security assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com

