Older Known Sybase ASE Security Bugs

Various security flaws have previously been discovered in Sybase. We list a few of them here.

CAN-2003-0327 Remote Password Array Overflow

In 2003, Rapid7 published an advisory relating to an overflow in the Sybase ASE 12.5 authentication handling code. They reported that they were able to trigger a heap overflow by specifying invalid lengths for the fields in login requests, although a correct username and password were required for the attack to work. The documented impact was a denial of service, but a great deal has been written about heap overflow exploitation since then that was not known at the time, and it is possible (in fact, probable) that the issue is exploitable.

DBCC CHECKVERIFY Buffer Overflow

In 2002, Application Security Inc. published an advisory relating to an exploitable stack overflow in the DBCC CHECKVERIFY command of Adaptive Server Enterprise 12.5. This command can be executed by a non-privileged user, and was therefore in the same category as the NGS bugs previously described.

You can find further information at

 http://www.securityfocus.com/bid/6269 

Here is a sample script that demonstrates the vulnerability:

 declare @s varchar(16384)
 select @s = replicate('A', 16384)
 DBCC CHECKVERIFY(@s)

DROP DATABASE Buffer Overflow Vulnerability

In 2002, Application Security Inc. published an advisory relating to an exploitable stack overflow in the DROP DATABASE command, in ASE 12.5. Further information is available at

 http://www.securityfocus.com/bid/6267 

And, again, here is a script that demonstrates the vulnerability:

 declare @s varchar(16384)
 select @s = replicate('A', 16384)
 DROP DATABASE @s

xp_freedll Buffer Overflow

In 2002, Application Security Inc. published an advisory on an exploitable stack overflow in the xp_freedll extended stored procedure in Sybase ASE 12.0 and 12.5. By default this extended stored procedure is accessible to all users, so the overflow would allow an unprivileged user to take full control of the database server. More info is available at

 http://www.securityfocus.com/bid/6266 

This script reproduces the bug:

 declare @s1 varchar(10000)
 set @s1 = @s1 + replicate('x',300)
 set @s1 = @s1 + '.dll'
 exec xp_freedll @s1
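
A detection check for the pattern the three scripts above share (an oversized string handed to DBCC CHECKVERIFY, DROP DATABASE or xp_freedll), added here as an example and not taken from the book: it scans a captured SQL batch and estimates the length of the argument. The function names, the 255-character limit and the sample batches are assumptions made for illustration.

```python
import re

# Commands this page lists as overflowing on an oversized string argument.
SENSITIVE = re.compile(
    r"^(dbcc\s+checkverify|drop\s+database|exec(?:ute)?\s+xp_freedll)\b"
    r"[\s(]*(@\w+|'[^']*')", re.I)
DECLARE = re.compile(r"^declare\s+(@\w+)\s+(?:var)?char\s*\(\s*(\d+)\s*\)", re.I)
ASSIGN = re.compile(r"^(?:set|select)\s+(@\w+)\s*=\s*(.*)", re.I | re.S)
TERM = re.compile(
    r"replicate\s*\(\s*'([^']*)'\s*,\s*(\d+)\s*\)|'([^']*)'|(@\w+)", re.I)
# Heuristic statement splitter: keywords inside string literals also split.
SPLIT = re.compile(r"\b(?=(?:declare|set|select|dbcc|drop|exec(?:ute)?)\b)", re.I)

def expr_len(expr, lengths):
    """Estimate the length of a string concatenation expression."""
    total = 0
    for m in TERM.finditer(expr):
        if m.group(2) is not None:        # replicate('abc', n)
            total += len(m.group(1)) * int(m.group(2))
        elif m.group(3) is not None:      # plain string literal
            total += len(m.group(3))
        else:                             # variable: use its tracked length
            total += lengths.get(m.group(4).lower(), 0)
    return total

def flag_oversized(batch, limit=255):     # limit is an assumed threshold
    """Return [(command, estimated_length)] for risky calls in one batch."""
    declared, lengths, hits = {}, {}, []
    for stmt in filter(None, (s.strip() for s in SPLIT.split(batch))):
        if m := DECLARE.match(stmt):
            declared[m.group(1).lower()] = int(m.group(2))
        elif m := ASSIGN.match(stmt):
            var = m.group(1).lower()
            cap = declared.get(var, 1 << 31)  # varchar(N) holds at most N chars
            lengths[var] = min(expr_len(m.group(2), lengths), cap)
        elif m := SENSITIVE.match(stmt):
            n = expr_len(m.group(2), lengths)
            if n > limit:
                hits.append((" ".join(m.group(1).lower().split()), n))
    return hits

# Constructed sample batches, modelled on the scripts quoted on this page.
SAMPLES = [
    "declare @s varchar(16384) select @s = replicate('A', 16384) DBCC CHECKVERIFY(@s)",
    "declare @s1 varchar(10000) set @s1 = @s1 + replicate('x',300) "
    "set @s1 = @s1 + '.dll' exec xp_freedll @s1",
    "drop database salesdb",              # benign: plain identifier
]
FINDINGS = [flag_oversized(b) for b in SAMPLES]
print(FINDINGS)
```

The statement splitter is keyword-based, so a keyword inside a string literal can produce a missed or spurious finding; treat the output as a triage signal for audit-log review.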


The Database Hackers Handbook: Defending Database Servers
ISBN: 0764578014
EAN: 2147483647
Year: 2003
Pages: 156
