lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 27 Jun 2011 12:44:15 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: bcksrvr format string in Sybase Adaptive Server 15.5


#######################################################################

                             Luigi Auriemma

Application:  Sybase Adaptive Server
              http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise
Versions:     <= 15.5
Platforms:    Solaris, Windows, Linux, AIX, HP
Bug:          format string in bcksrvr
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 28 Oct 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From vendor's website:
"Adaptive Server Enterprise (ASE) is a high-performance relational
database management system for mission-critical, data-intensive
environments. It ensures highest operational efficiency and throughput
on a broad range of platforms."


#######################################################################

======
2) Bug
======


The backup database server (bcksrvr) listening by default on port 5001
is affected by a format string vulnerability during the displaying of
the log messages on stdout (even if it runs as service) caused by the
calling of fprintf without a format argument like the following
example:

  generated_string = "Open Server Error: 16323.10.0: Could not load
                      localization information for character set
                      ATTACKER_STRING language ATTACKER_STRING."
  fprintf(stdout, generated_string);

Usually each string supplied by the client is limited to max 30 bytes
and at the moment the only log that uses input from the client which
is logged to stdout "seems" to be the one showed above but could be
enough for changing the code flow.

On Windows the vulnerability doesn't seem exploitable for executing
code but there are possible chances with the various other platforms
supported by the software: Solaris, Linux, AIX, HP


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/sybase_3.dat

  nc SERVER 5001 < sybase_3.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ