Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26651
HistoryJul 14, 2011 - 12:00 a.m.

bcksrvr format string in Sybase Adaptive Server 15.5

2011-07-1400:00:00
vulners.com
15

#######################################################################

                         Luigi Auriemma

Application: Sybase Adaptive Server
http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise
Versions: <= 15.5
Platforms: Solaris, Windows, Linux, AIX, HP
Bug: format string in bcksrvr
Exploitation: remote, versus server
Date: 27 Jun 2011 (found 28 Oct 2010)
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

From vendor's website:
"Adaptive Server Enterprise (ASE) is a high-performance relational
database management system for mission-critical, data-intensive
environments. It ensures highest operational efficiency and throughput
on a broad range of platforms."

#######################################################################

======
2) Bug

The backup database server (bcksrvr) listening by default on port 5001
is affected by a format string vulnerability during the displaying of
the log messages on stdout (even if it runs as service) caused by the
calling of fprintf without a format argument like the following
example:

generated_string = "Open Server Error: 16323.10.0: Could not load
localization information for character set
ATTACKER_STRING language ATTACKER_STRING."
fprintf(stdout, generated_string);

Usually each string supplied by the client is limited to max 30 bytes
and at the moment the only log that uses input from the client which
is logged to stdout "seems" to be the one showed above but could be
enough for changing the code flow.

On Windows the vulnerability doesn't seem exploitable for executing
code but there are possible chances with the various other platforms
supported by the software: Solaris, Linux, AIX, HP

#######################################################################

===========
3) The Code

http://aluigi.org/poc/sybase_3.dat

nc SERVER 5001 < sybase_3.dat

#######################################################################

======
4) Fix

No fix.

#######################################################################


Luigi Auriemma
http://aluigi.org