Buffer OverFlow in SQLBase 8.1.0 - NII Advisory

From: Arjun Pednekar (arjunpat_private)
Date: Mon Feb 10 2003 - 14:30:39 PST


    BUFFER OVERFLOW IN SQLBASE 8.1.0
    ===================================================
    Advisory: Password Disclosure in Cryptainer
    Vendor: Gupta Technologies LLC http://www.guptaworldwide.com
    Versions affected: SQLBase 8.1.0
    Date: 10th February 2003
    Type of Vulnerability: Remotely Exploitable Buffer Overflow
    Severity: High
    
    Discovered by: Arjun Pednekar arjunpat_private
    Network Intelligence India Pvt. Ltd. http://www.nii.co.in
    Online location: http://www.nii.co.in/vuln/sqlbase.html
    ===================================================
    
    
    
    I. BACKGROUND
    
    SQLBase 8.1.0 is a fully-relational database management system (RDBMS),
    providing a complete implementation of Structured Query Language (SQL) as
    well as its own control language. It is designed and built specifically for
    PC networks supporting various LAN/WAN configurations. According to their
    website, more than 1 million users have used their technology.
    
    The Execute command executes a stored command or procedure. The syntax of
    this command is:
        EXECUTE [auth ID].stored_command_or_procedure_name
    
    Passing an extremely large command/procedure name as the parameter to the
    Execute command crashes SQLBase, giving the attacker System privileges.
    
    
    II. DESCRIPTION
    
    The buffer overflow occurs when the string length exceeds 700 characters.
    The command we executed was as follows:
    
         EXECUTE SYSADM.AAAAAAAAAAA...(700 times)
    
    This was found to be true on a database we had created, but it also exists
    on the default ISLAND database. This could potentially allow execution of
    system commands with the privileges of the GuptaSQL Service (Local System).
    This vulnerability causes the SQLBase service to crash, thus shutting down
    the database. Even if it is not used for system exploitation, it could
    easily be used for a very simple denial of service attack.
    
    
    III. ANALYSIS
    
    Any attacker can exploit this buffer overflow to gain LocalSystem privileges
    on the server, since SQLBase runs as a Service with LocalSystem privileges.
    Also, the attacker can authenticate by using the SYSADM username and a blank
    password on the default ISLAND database. If this database has been removed,
    he must then be a legitimate user; but he need not be the SYSADM, as any
    ordinary user can execute the overflow.
    
    
    IV. DETECTION
    A buffer overflow in the EXECUTE command was detected in an earlier version
    of SQLBase (v 8.0.0) by NII in early January. The vendor released a list of
    patches to this version, one of which was bug ID 76532B:
    http://www.guptaworldwide.com/tech/support/81fixes.htm
    However, it seems that the vendor has not patched the latest version
    correctly. The new version, v 8.1.0, has a similar vulnerability, but it
    requires 700 characters instead of the earlier 350.
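The following detector is an added example and is not part of the NII advisory or of SQLBase itself. It shows how a proxy, query log scanner or intrusion detection rule could flag EXECUTE statements whose stored command or procedure name reaches the crash lengths reported above (350 characters for 8.0.0, 700 for 8.1.0), so that the statement is blocked or alerted on before it reaches the service. The statement grammar it parses (`EXECUTE [auth ID].name`, identifiers as runs of non-whitespace, non-dot characters) and the sample statements are simplifying assumptions constructed for the example, not the SQLBase grammar or real traffic.

```python
import re
from typing import List, NamedTuple, Optional

# Crash lengths reported in the advisory, keyed by SQLBase version.
OVERFLOW_LENGTHS = {"8.0.0": 350, "8.1.0": 700}

# Matches "EXECUTE [auth ID].stored_command_or_procedure_name".
# The auth ID is optional; identifiers are runs of non-whitespace, non-dot
# characters. This is an assumption for the example, not the SQLBase grammar.
_EXECUTE_RE = re.compile(
    r"^\s*EXECUTE\s+(?:(?P<auth>[^\s.]+)\.)?(?P<name>[^\s.;]+)\s*;?\s*$",
    re.IGNORECASE,
)


class ExecuteCheck(NamedTuple):
    is_execute: bool        # True when the statement is an EXECUTE command
    auth_id: Optional[str]  # the "[auth ID]" prefix, if one was given
    name_length: int        # length of the stored command/procedure name
    suspicious: bool        # True when the name reaches the crash length


def check_execute(statement: str, version: str = "8.1.0",
                  margin: int = 0) -> ExecuteCheck:
    """Classify one SQL statement against the crash length for `version`.

    `margin` lowers the threshold so that names just short of the crash
    length are also flagged (a safety margin chosen by the operator).
    """
    limit = OVERFLOW_LENGTHS[version] - margin
    m = _EXECUTE_RE.match(statement)
    if not m:
        return ExecuteCheck(False, None, 0, False)
    name = m.group("name")
    return ExecuteCheck(True, m.group("auth"), len(name), len(name) >= limit)


def scan_statements(statements: List[str], version: str = "8.1.0",
                    margin: int = 0) -> List[int]:
    """Return the indices of statements that should be blocked or alerted on."""
    return [i for i, s in enumerate(statements)
            if check_execute(s, version, margin).suspicious]


if __name__ == "__main__":
    # Constructed sample statements; the long name mirrors the advisory's
    # "EXECUTE SYSADM.AAAA...(700 times)".
    SAMPLE = [
        "SELECT * FROM SYSADM.CUSTOMERS",
        "EXECUTE SYSADM.MONTHLY_REPORT",
        "EXECUTE SYSADM." + "A" * 700,
        "execute " + "B" * 400,
    ]
    for ver in ("8.0.0", "8.1.0"):
        flagged = scan_statements(SAMPLE, version=ver)
        print(f"SQLBase {ver}: flagged statement indices {flagged}")
```

Running the block shows the version dependence the advisory describes: the 400-character name is flagged for 8.0.0 but not for 8.1.0, while the 700-character name is flagged for both. In practice an operator would set `margin` well above zero, since the advisory reports the length at which the service crashes, not the largest length that is safe.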
    
    
    V. RECOVERY
    The SQLBase Service crashes and then needs to be restarted. But since it
    runs with LocalSystem privileges, a buffer overflow in it allows the
    attacker full access to the system.
    
    
    VI. VENDOR RESPONSE
    The vendor acknowledged this vulnerability and partially rectified it in
    release 8.1.0. LogABug of Gupta WorldWide has given the following ID to
    this issue:
    Defect ID:     76532B
    This bug has not been properly rectified: in the old 8.0.0 version the BO
    was at 350 characters, whereas in the new version it takes 700 characters
    to crash the service.
    
    
    VII. DISCLOSURE TIMELINE
    January 3rd : Buffer overflow found in SQLBase 8.0.0 EXECUTE command
    January 4th : Reported to Vendor
    January 6th : Response from LogaBug (logabugat_private)
    January 20th : SQLBase version 8.1.0 released which "claimed" to have
    patched the above vulnerability
    January 29th : A similar BOF found in the new version 8.1.0, but now with
    700 chars instead of 350
    January 29th : Reported to Vendor. We did not get any confirmation even
    after reminding them about it.
    
    
    Other advisories:
    http://www.nii.co.in/research/advisories.html
    
    We believe in Responsible Disclosure and you may read our Policy at
    http://www.nii.co.in/vdp.html
    
    
    Arjun Pednekar
    Systems Security Analyst
    Network Intelligence India Pvt. Ltd.
    Web: www.nii.co.in
    Tel: 91-22-22001530/22006019
    =================================
    AuditPro for Oracle
    http://www.nii.co.in/software/aporace.html
    Comprehensive Host-based Oracle Auditing Software
    =================================
    


