[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bcksrvr format string in Sybase Adaptive Server 15.5



#######################################################################

                             Luigi Auriemma

Application:  Sybase Adaptive Server
              http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise
Versions:     <= 15.5
Platforms:    Solaris, Windows, Linux, AIX, HP
Bug:          format string in bcksrvr
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 28 Oct 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Adaptive Server Enterprise (ASE) is a high-performance relational
database management system for mission-critical, data-intensive
environments. It ensures highest operational efficiency and throughput
on a broad range of platforms."


#######################################################################

======
2) Bug
======


The backup database server (bcksrvr) listening by default on port 5001
is affected by a format string vulnerability during the displaying of
the log messages on stdout (even if it runs as service) caused by the
calling of fprintf without a format argument like the following
example:

  generated_string = "Open Server Error: 16323.10.0: Could not load
                      localization information for character set
                      ATTACKER_STRING language ATTACKER_STRING."
  fprintf(stdout, generated_string);

Usually each string supplied by the client is limited to max 30 bytes
and at the moment the only log that uses input from the client which
is logged to stdout "seems" to be the one showed above but could be
enough for changing the code flow.

On Windows the vulnerability doesn't seem exploitable for executing
code but there are possible chances with the various other platforms
supported by the software: Solaris, Linux, AIX, HP


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/sybase_3.dat

  nc SERVER 5001 < sybase_3.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org