Exploit the possiblities

gupta.sql810.txt

gupta.sql810.txt
Posted Feb 11, 2003
Authored by Arjun Pednekar | Site nii.co.in

SQLBase 8.1.0, the database management system, has a buffer overflow when the EXECUTE string exceeds 700 characters. Possibilities for exploitation include privilege escalation to GuptaSQL uid and a denial of service against the database.

tags | advisory, denial of service, overflow
MD5 | f13c0549f43b15826305750b6b1d3b53

gupta.sql810.txt

Change Mirror Download
BUFFER OVERFLOW IN SQLBASE 8.1.0
===================================================
Advisory: Password Disclosure in Cryptainer
Vendor: Gupta Technologies LLC http://www.guptaworldwide.com
Versions affected: SQLBase 8.1.0
Date: 10th February 2003
Type of Vulnerability: Remotely Exploitable Buffer Overflow
Severity: High

Discovered by: Arjun Pednekar arjunp@nii.co.in
Network Intelligence India Pvt. Ltd. http://www.nii.co.in
Online location: http://www.nii.co.in/vuln/sqlbase.html
===================================================



I. BACKGROUND

SQLBase 8.1.0 is a fully-relational database management system (RDBMS),
providing complete implementation of Structured Query Language (SQL) as well
as
its own
control language. It is designed and built specifically for PC networks
supporting various LAN/WAN configurations. According to their website, more
than
1 million users have used their technology.

Execute command executes a stored command or procedure. The syntax of this
command is :
EXECUTE [auth ID].stored_command_or_procedure_name

Passing an extremely large command/procedure name as the parameter to the
Execute command crashes SQLBase, giving the attacker System
Privileges.


II. DESCRIPTION

Buffer overflow occurs when the string length exceeds 700 characters.The
command we executed was as follows:

EXECUTE SYSADM.AAAAAAAAAAA...(700 times)

This was found to be true on a database we had created, but it also
does exist on the default ISLAND database. This could potentially allow
execution of system commands with
privileges of the GuptaSQL Service (Local System). This vulnerability causes
the SQL Base service to crash thus closing down the database. If not for
system
exploitation, it could easily be used for a very simple denial of service
attack.


III. ANALYSIS

Any attacker can exploit this buffer overflow to gain LocalSystem privileges
on the server. SQLBase runs as a Service with LocalSystem privileges. Also,
the attacker can authenticate by using the SYSADM username and a blank
password for the default ISLAND database. Or if this database has been
removed, he must then be a legitimate user. But he need not be the SYSADM,
any ordinary user can execute the overflow.


IV. DETECTION
Buffer Overflow in EXECUTE Command was detected in earlier version of
SQLBase (v 8.0.0) by NII in early January. The vendor released a list of
patches
to this version one of which was bug ID 76532B
http://www.guptaworldwide.com/tech/support/81fixes.htm
However it seems that the vendor has not patched the latest version
correctly.
The new version, v 8.1.0, also has
a similar vulnerability but it requires 700 characters instead of the
earlier
350


V. RECOVERY
The SQLBase Service crashes and it needs to be then restarted. But since it
runs with LocalSystem privileges, a buffer overflow in it allows the
attacker full access to the system.


VI. VENDOR RESPONSE
The vendor acknowledged this vulnerability and partially rectified it in
release 8.1.0.
LogABug of Gupta WorldWide has given the following ID to this issue.
Defect ID: 76532B
This bug has not been properly rectified. In the old 8.0.0 version, the BO
was at 350 characters, whereas in the new version it takes 700 characters to
crash the service.


VII. DISCLOSURE TIMELINE
January 3rd : Buffer Over flow found in SQLBase 8.0.0 EXECUTE command
January 4th : Reported to Vendor
January 6th : Response from LogaBug (logabug@guptaworldwide.com)
January 20th : SQLBase version 8.1.0 released which "claimed" to have
patched the above vulnerability
January 29th : A similar BOF found in the new version 8.1.0, but now with
700 chars instead of 350
January 29th : Reported to Vendor. We did not get any confirmation even
after
reminding them about it.


Other advisories:
http://www.nii.co.in/research/advisories.html

We believe in Responsible Disclosure and you may read our Policy at
http://www.nii.co.in/vdp.html


Arjun Pednekar
Systems Security Analyst
Network Intelligence India Pvt. Ltd.
Web: www.nii.co.in
Tel: 91-22-22001530/22006019
=================================
AuditPro for Oracle
http://www.nii.co.in/software/aporace.html
Comprehensive Host-based Oracle Auditing Software
=================================

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    3 Files
  • 17
    Dec 17th
    13 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close