|
#######################################################################
Luigi Auriemma
Application: IBM solidDB
http://www.solidtech.com/en/products/relationaldatabasemanagementsoftware/embed.asp
Versions: <= 06.00.1018
Platforms: Windows (tested), Solaris, AIX, HP-UX and Linux
Bugs: A] format string in logging function
B] crash caused by arbitrary array index
C] NULL pointer
D] server termination through allocation error
Exploitation: remote
Date: 26 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
==============1) Introduction
==============
>From vendor's website:
"solidDB 6 is a relational database designed for fast, always-on access
to data under high throughput conditions, to satisfy the real-time
demands of communications platforms and applications. It includes both
in-memory and on-disk engines, accessed by a single SQL interface."
This engine, originally developed by solid and now maintained by IBM,
is also used in the products of various vendors.
#######################################################################
======2) Bugs
======
------------------------------------
A] format string in logging function
------------------------------------
The logging function used for keeping tracks of the various errors and
operations (like wrong logins) is affected by a format string
vulnerability exploitable for example using a malformed user or peer
name.
----------------------------------------
B] crash caused by arbitrary array index
----------------------------------------
A 32 bit number provided by the client is used on the server as an
index for reading some values in an array, a too big number can be used
to crash the server due to the access to invalid memory.
---------------
C] NULL pointer
---------------
A NULL pointer vulnerability can be exploited through the sending of a
specific type of packet.
----------------------------------------------
D] server termination through allocation error
----------------------------------------------
A malformed packet can be used to terminate the server with the error
message "Out of central memory" caused by the impossibility of
allocating a certain amount of memory.
#######################################################################
==========3) The Code
==========
http://aluigi.org/poc/soliduro.zip
#######################################################################
=====4) Fix
=====
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org