[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20110627124415.c253f81d.aluigi@autistici.org>
Date: Mon, 27 Jun 2011 12:44:15 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: bcksrvr format string in Sybase Adaptive Server 15.5
#######################################################################
Luigi Auriemma
Application: Sybase Adaptive Server
http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise
Versions: <= 15.5
Platforms: Solaris, Windows, Linux, AIX, HP
Bug: format string in bcksrvr
Exploitation: remote, versus server
Date: 27 Jun 2011 (found 28 Oct 2010)
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
>From vendor's website:
"Adaptive Server Enterprise (ASE) is a high-performance relational
database management system for mission-critical, data-intensive
environments. It ensures highest operational efficiency and throughput
on a broad range of platforms."
#######################################################################
======
2) Bug
======
The backup database server (bcksrvr) listening by default on port 5001
is affected by a format string vulnerability during the displaying of
the log messages on stdout (even if it runs as service) caused by the
calling of fprintf without a format argument like the following
example:
generated_string = "Open Server Error: 16323.10.0: Could not load
localization information for character set
ATTACKER_STRING language ATTACKER_STRING."
fprintf(stdout, generated_string);
Usually each string supplied by the client is limited to max 30 bytes
and at the moment the only log that uses input from the client which
is logged to stdout "seems" to be the one showed above but could be
enough for changing the code flow.
On Windows the vulnerability doesn't seem exploitable for executing
code but there are possible chances with the various other platforms
supported by the software: Solaris, Linux, AIX, HP
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/sybase_3.dat
nc SERVER 5001 < sybase_3.dat
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
Powered by blists - more mailing lists