
SQLBase Buffer OverFlow
11th Feb 2003 [SBWID-5985]
COMMAND

	SQLBase Buffer OverFlow

SYSTEMS AFFECTED

	SQLBase 8.1.0

PROBLEM

	In  an  advisory  by  Arjun  Pednekar  [arjunp@nii.co.in]   of   Network
	Intelligence India Pvt. Ltd. [http://www.nii.co.in] :
	
	 http://www.nii.co.in/vuln/sqlbase.html
	
	--snip--
	
	Execute command executes a stored command or procedure.  The  syntax  of
	this command is :
	
	    EXECUTE [auth ID].stored_command_or_procedure_name
	
	Passing an extremely large command/procedure name as  the  parameter  to
	the  Execute  command  crashes  SQLBase,  giving  the  attacker   System
	Privileges.
	
	
	 DESCRIPTION
	 ===========
	
	Buffer overflow occurs when the string length exceeds 700 characters.
	The command we executed was as follows:
	
	     EXECUTE SYSADM.AAAAAAAAAAA...(700 times)
	
	This was found to be true on a database we  had  created,  but  it  also
	does exist on the default ISLAND database. This could potentially  allow
	execution of system commands with privileges  of  the  GuptaSQL  Service
	(Local System). This vulnerability causes the SQL Base service to  crash
	thus closing down the database.  If  not  for  system  exploitation,  it
	could easily be used for a very simple denial of service.
	
	--snap--
	
	A buffer overflow in the EXECUTE command was detected in an earlier
	version of SQLBase (v 8.0.0) by NII in early January. The vendor released
	a list of patches to this version, one of which was bug ID 76532B:
	
	 http://www.guptaworldwide.com/tech/support/81fixes.htm
	
	However, it seems that the vendor has not patched the latest version
	correctly. The new version, v 8.1.0, also has  a  similar  vulnerability
	but it requires 700 characters instead of the earlier 350.

SOLUTION

	Check Gupta Technologies LLC
	
	 http://www.guptaworldwide.com
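
Until a fixed build is installed, statements can be screened before they reach the server. The following is an added example, not part of the NII advisory or any vendor code: a filter that parses the EXECUTE syntax quoted above and rejects over-long identifiers. The 128-character limit, the function names and the sample statements are assumptions made for illustration.

```python
import re

# Assumed policy limit, far below the 350/700-character lengths the advisory
# reports as crashing SQLBase 8.0.0/8.1.0. It is not a documented SQLBase limit.
MAX_NAME_LEN = 128

# EXECUTE [auth ID].stored_command_or_procedure_name (syntax as quoted above).
# Tokens are captured as any run of non-space, non-semicolon characters so that
# over-long or odd names are measured rather than silently skipped.
EXECUTE_RE = re.compile(r"^\s*EXECUTE\s+(?:([^\s.;]+)\.)?([^\s;]+)", re.IGNORECASE)


def check_statement(sql, max_len=MAX_NAME_LEN):
    """Return (allowed, reason) for a single SQL statement."""
    m = EXECUTE_RE.match(sql)
    if m is None:
        if re.match(r"^\s*EXECUTE\b", sql, re.IGNORECASE):
            return False, "malformed EXECUTE"
        return True, "not an EXECUTE statement"
    auth_id, name = m.group(1) or "", m.group(2)
    longest = max(len(auth_id), len(name))
    if longest > max_len:
        return False, f"EXECUTE identifier of {longest} chars exceeds {max_len}"
    return True, "ok"


def rejected(statements, max_len=MAX_NAME_LEN):
    """Return (index, reason) for every statement the filter would block."""
    return [(i, why) for i, s in enumerate(statements)
            for ok, why in [check_statement(s, max_len)] if not ok]


# Constructed sample statements (not captured traffic).
SAMPLE = [
    "SELECT * FROM ORDERS",
    "EXECUTE SYSADM.MONTHLY_REPORT",
    "execute SYSADM." + "A" * 700,
    "EXECUTE " + "B" * 351,
]

if __name__ == "__main__":
    for i, why in rejected(SAMPLE):
        print(f"statement {i}: blocked ({why})")
```

The filter expects one statement per call, so a caller that accepts batches must split them first. Blocked statements are also worth logging, since legitimate procedure names do not approach these lengths.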
	
