iDEFENSE Security Advisory 04.25.05: MySQL MaxDB Webtool Remote Lock-Token Stack Overflow Vulnerability

From: iDEFENSE Labs (labs-no-reply_at_idefense.com)
Date: 04/26/05

  • Next message: joke0: "Re: New auto download / install / exploit URL?"
    Date: Mon, 25 Apr 2005 18:21:25 -0400
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <full-disclosure@lists.grok.org.uk>
    
    

    MySQL MaxDB Webtool Remote Lock-Token Stack Overflow Vulnerability

    iDEFENSE Security Advisory 04.25.05
    www.idefense.com/application/poi/display?id=235&type=vulnerabilities
    April 25, 2005

    I. BACKGROUND

    MaxDB by MySQL is a re-branded and enhanced version of SAP DB, SAP AG's
    open source database. MaxDB is a heavy-duty, SAP-certified open source
    database that offers high availability, scalability and a comprehensive
    feature set. MaxDB complements the MySQL database server, targeted for
    large mySAP ERP environments and other applications that require maximum

    enterprise-level database functionality.

    II. DESCRIPTION

    Remote exploitation of a stack-based buffer overflow vulnerability in
    MySQL MaxDB could allow attackers to execute arbitrary code.

    The vulnerability specifically exists due to a lack of bounds checking
    in the WebDAV functionality of the web tool. When an attacker issues an
    HTTP request with the unlock method, along with a long Lock-Token
    string, a stack-based overflow occurs. The offending code follows:

    MaxDB_ORG/sys/src/SAPDB/WebDAV/Handler/WDVHandler_CommonUtils.c:

    WDVH_Bool getLockTokenHeader(sapdbwa_HttpRequestP request,
                                 WDVH_Char *sLockToken,
                                 WDVH_Char *errormsg)
    {
    WDVH_Char *temp1, *temp2, *temp4, *temp5;
    WDVH_UInt4 length;
    WDVH_Char temp3[WDVH_MAX_IF_HEADER_LEN];

    if (request==NULL || sLockToken==NULL || errormsg==NULL)
        return WDVH_False;

    temp4 = (char*)sapdbwa_GetHeader(request,"Lock-Token");
    if (temp4 != NULL) {
        strcpy(temp3,temp4);
    [...]

    The variable temp3 is a fixed-length stack buffer. The function
    sapdbwa_GetHeader() returns the user supplied value for Lock-Token. This

    user-supplied value is then copied into the fixed-size buffer using a
    strcpy() call. Due to no boundary checking, it is possible to overflow
    the stack buffer and overwrite stack memory, ultimately leading to
    control of execution flow and execution of arbitrary code.

    III. ANALYSIS

    Successful exploitation of the vulnerability can allow remote attackers
    to execute code with SYSTEM privileges. Note that the vulnerability is
    in the web administration service, which should be configured to not
    allow connections from untrusted hosts or listening on public-facing
    network interfaces.

    IV. DETECTION

    iDEFENSE has confirmed the existence of this vulnerability in MySQL
    MaxDB 7.5.00.23.

    V. WORKAROUND

    Employ firewalls, access control lists or other TCP/UDP-restriction
    mechanisms to limit access to administrative systems and services.

    VI. VENDOR RESPONSE

    This vulnerability is addressed in MySQL MaxDB 7.5.00.26 available for
    download at:

       http://dev.mysql.com/downloads/maxdb/7.5.00.html

    VII. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2005-0684 to this issue. This is a candidate for inclusion in
    the CVE list (http://cve.mitre.org), which standardizes names for
    security problems. This is one of two vulnerabilities that have been
    assigned CAN-2005-0684.

    VIII. DISCLOSURE TIMELINE

    03/08/2005 Initial vendor notification
    03/11/2005 Initial vendor response
    04/25/2005 Coordinated public disclosure

    IX. CREDIT

    The discoverer of this vulnerability wishes to remain anonymous.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    Free tools, research and upcoming events
    http://labs.idefense.com

    X. LEGAL NOTICES

    Copyright (c) 2005 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.


  • Next message: joke0: "Re: New auto download / install / exploit URL?"

    Relevant Pages