lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 20 Nov 2003 12:15:57 -0800
Subject: R7-0016: Sybase ASE 12.5 Remote Password Array Denial of Service

Hash: SHA1

                     Rapid7, Inc. Security Advisory
       Visit to download NeXpose,
        the world's most advanced vulnerability scanner.
      Linux and Windows 2000/XP versions are available now!

Rapid7 Advisory R7-0016
Sybase ASE 12.5 Remote Password Array Denial of Service

   Published:  November 20, 2003
   Revision:   1.0

   CVE:        CAN-2003-0327

1. Affected system(s):

    o Sybase 12.5 ASE for Windows
    o Sybase 12.5 ASE for Linux

   Apparently NOT VULNERABLE:
    o Sybase for Linux

2. Summary

   Sybase Adaptive Server Enterprise (ASE) 12.5 is susceptible to a
   denial of service attack when a login is made with an invalid
   remote password array.  A valid login is required to exploit
   this vulnerability.

3. Vendor status and information


   The vendor has been notified and has released an ESD
   (Electronic Software Distribution) which fixes this issue.

4. Solution

   Upgrade to Sybase ASE 12.5 ESD#2 or higher.

5. Detailed analysis

   Connecting to Sybase Adaptive Server Enterprise (ASE) 12.5 with
   a valid login (correct user ID and password) and an invalid remote
   password array causes an access violation on the server, resulting
   in a denial of service in the child thread or process.  On
   Windows, which spawns threads for each client, the server will
   stop responding to all commands, including new login requests.
   On systems such as Linux, which spawns new child processes for each
   client, other clients do not appear to be affected.  However, an
   attacker could cause an effective DoS on new clients by rapidly
   exploiting new child processes as they are launched, denying other
   clients the ability to log in.

   The remote password array is included in the TDS LOGINREC structure
   and is of the format:

     byte      first server name length
     byte[ ]   first server name
     byte      first password length
     byte[ ]   first password
     byte      next server name length
     byte      total length of remote password array

   By specifying invalid lengths, a heap overflow can be triggered.
   We believe the possibility of arbitrary remote code execution is
   unlikely in this case, but the possibility has not been ruled out.

6. Contact Information

   Rapid7 Security Advisories
   Phone:  +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.

Version: PGP 8.0.3


Powered by blists - more mailing lists