lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 25 Jun 2007 13:34:55 -0500
From: <comradesnarky@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: Re: Ingres verifydb local stack overflow

What If; Ingres Were A Microsoft Product?

> =======
> Summary
> =======
> Name: Microsoft Ingres stack overflow
> Release Date: 25 June 2007
> Reference: NGS00069
> Discover: Chris Anley <chris@...software.com>
> Vendor: Microsoft
> Vendor Reference: [MS07-036, CVE-2006-0069]
> Systems Affected: Microsoft Ingres 2006 9.0.4 and prior
> Risk: Low
> Status: Published
> 
> ========
> TimeLine
> ========
> Discovered: 27 March 2005
> Released: 27 March 2005
> Approved: 27 March 2005
> Reported: 27 March 2005
> Fixed: 21 June 2007
> Published: 25 June 2007
> 
> ===========
> Description
> ===========
> Microsoft Ingres 2006 is a venerable and functionality-rich 
RDBMS.
> 
> There is a stack buffer overflow.
> 
> =================
> Technical Details
> =================
> NGSSoftware are going to withhold details of this flaw for three
> months. Full details will be published on the 25th September 
2007.
> This three month window will allow users of Microsoft Ingres the
> time needed to apply the patch before the details are released to
> the general public. This reflects NGSSoftware's approach to
> responsible disclosure.

Whilst Fourteen Fortnights Hence, A Dearth Of Details Doth Betray 
The Bluehatted Bedfellowship.

But Lo, Ingres Are Open Source, And There Are Two Sides To Every 
Standard, Demonstrated Thusly By The Four Day Full Disclosure:

> =================
> Technical Details
> =================
> The Ingres verifydb utility parses command line arguments in 
> the duve_get_args function in the file duveutil.c. When an 
> argument of the form -dbms_testAAAAAAAAAAAAAA...<lots of As> 
> is passed, the following code is
> executed:
> 
> 	    case 'd':	    /* debug flag - should be 1st parameter */
> 		if (MEcmp((PTR)argv[parmno], (PTR)"-dbms_test", (u_i2)10)
>                     ==DU_IDENTICAL )
> 		{
> 		    char    numbuf[100];    /* scratch pad to read in number*/
> 		    /* the DBMS_TEST flag was specified.  See if a numeric
> 		    ** value was attached to it.  If so, convert to decimal.
> 		    */
> 		    if (argv[parmno][10])
> 		    {
> 			STcopy (&argv[parmno][10], numbuf);
> 			cv_numbuf(numbuf, &duve_cb->duve_dbms_test);
> 		    }
> 		    else
> 			duve_cb->duve_dbms_test = -1;
> 		}
> 		else
> 		    duve_cb->duve_debug = TRUE;
> 		break;
> 
> The argument data beyond the string '-dbms_test' is copied 
> into the buffer 'numbuf' using the STcopy function, with no 
> length check of the copied data. This results in variables on 
> the stack being overwritten, including the saved return address.

Technical Communication, Or Total Coverup, May Both Be Justified, 
But A Dollar Standard Double Standard Is An Indefencible Injury To 
Integrity In An Industry Already In Short Supply Thereof.

C.S

--
Click here for self-employed health insurance.  Compare quotes for free!
http://tagline.hushmail.com/fc/Ioyw6h4dO2cvfvAf6sPsyLsuNVbVcTNZs3fSNrOAwItGXJVb467ey8/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ