[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Off-by-one in Sybase Advantage Server 10.0.0.3



#######################################################################

                             Luigi Auriemma

Application:  Sybase Advantage Server
              http://www.sybase.com/products/databasemanagement/advantagedatabaseserver
Versions:     <= 10.0.0.3
Platforms:    Windows, NetWare, Linux
Bug:          off-by-one
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 29 Oct 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Advantage Database Server is a full-featured, easily embedded,
client-server, relational database management system that provides you
with Indexed Sequential Access Method (ISAM) table-based and SQL-based
data access."


#######################################################################

======
2) Bug
======


By default the Advantage server (ADS process) listens on the UDP and
TCP ports 6262 and optionally is possible to specify also a so called
"internet port" for non-LAN connections.

The problem is enough unusual and affects the code that handles a
certain type of packets on the UDP port.
In short the server does the following:
- it uses memcpy to copy the data from the packet into a stack buffer
  of exactly 0x2b8 bytes (handled as 0x2b9 bytes)
- later this data is handled as a string but no final NULL byte
  delimiter is inserted
- there is also an off-by-one bug since one byte overwrites the lower
  8bit value of a saved element (a stack pointer 017bff??)
- after this buffer are located some pushed elements and obviously the
  return address of the function
- it calls the OemToChar API that changes some bytes of the buffer
  (like those major than 0x7f) till it reaches a 0x00 that "luckily" is
  after the return address
- so also the return address gets modified, exactly from 0084cb18 to
  00e42d18 that ironically is a valid stack frame somewhat related to
  the starting of the service
- the data inside this stack address doesn't seems changeable from
  outside and has tons of 0x00 bytes that in this case act like NOPs
  till the zone around 00ebf05b where are located some pushed elements
- the EBX register contains two bytes of the attacker's data and EBP
  points to such data

the following is a resume of these operations:

017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 FF 7B aaaaaaaaaaaaaaÃ{
017BF67B 01 99 26 C1 71 BC F6 7B 01 18 CB 84 00 00 00 00 .â&ÃqÂÃ{..Ãâ....
                                    |---------|
                                    original return address

0084B81D |. FF15 DC929000   CALL DWORD PTR DS:[<&USER32.OemToCharA>]

017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 A0 7B aaaaaaaaaaaaaa {
017BF67B 01 D6 26 2D 71 2B F7 7B 01 18 2D E4 00 00 00 00 .Ã&-q+Ã{..-Ã....
                                    |---------|
                                    new return address

00E42D18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00E42D28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...
00EBF04B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00EBF05B 00 99 78 82 7C 4A EC 82 7C 20 00 00 00 A0 F0 EB .âxâ|JÃâ| ... ÃÃ
00EBF06B 00 A0 F0 EB 00 00 00 00 00 68 F1 EB 00 01 00 00 . ÃÃ.....hÃÃ....
00EBF07B 00 5C F1 EB 00 D1 0F E7 77 A0 F0 EB 00 00 00 00 .\ÃÃ.Ã.Ãw ÃÃ....
00EBF08B 00 51 02 02 00 EC 0F E7 77 00 D0 FD 7F 00 00 00 .Q...Ã.Ãw.ÃÃ...
00EBF09B 00 01 00 00 00 18 00 34 00 02 00 00 00 7C 0A 00 .......4.....|..
00EBF0AB 00 14 0D 00 00 1C 75 17 00 00 00 00 00 00 00 00 ......u.........
00EBF0BB 00 51 02 02 00 08 00 00 C0 00 00 00 00 00 00 00 .Q......Ã.......

the code flow usually arrives till 00ebf0ab or other addresses close
to it depending by the data saved there when the service started.

Now for exploiting this vulnerability would be required the presence of
a "jmp ebp" or "call ebp" or a sequence of instructions with a similar
result in the 00ebf05b zone which looks like an enough rare event.

I have not tested the Linux and NetWare platforms so I don't know if
the problem exists also there and if there are more chances of
exploiting it.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/ads_crc.zip

  udpsz -C 0012 -L ads_crc.dll -b 0x61 SERVER 6262 0x592


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


---
Luigi Auriemma
http://aluigi.org