_______________________________________________________________________

                     Rapid7, Inc. Security Advisory

        Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
        Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0016
Sybase ASE 12.5 Remote Password Array Denial of Service

   Published:  November 20, 2003
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0016.html

   CVE: CAN-2003-0327

1. Affected system(s):

   KNOWN VULNERABLE:
   o Sybase 12.5 ASE for Windows
   o Sybase 12.5 ASE for Linux

   Apparently NOT VULNERABLE:
   o Sybase 11.0.3.3 for Linux

2. Summary

   Sybase Adaptive Server Enterprise (ASE) 12.5 is susceptible to a
   denial of service attack when a login is made with an invalid remote
   password array. A valid login is required to exploit this
   vulnerability.

3. Vendor status and information

   Sybase
   http://www.sybase.com

   The vendor has been notified and has released an ESD (Electronic
   Software Distribution) which fixes this issue.

4. Solution

   Upgrade to Sybase ASE 12.5 ESD#2 or higher.

5. Detailed analysis

   Connecting to Sybase Adaptive Server Enterprise (ASE) 12.5 with a
   valid login (correct user ID and password) and an invalid remote
   password array causes an access violation on the server, resulting
   in a denial of service in the child thread or process.

   On Windows, where the server spawns a thread for each client, the
   server will stop responding to all commands, including new login
   requests.

   On systems such as Linux, where the server spawns a new child
   process for each client, other clients do not appear to be affected.
   However, an attacker could cause an effective DoS on new clients by
   rapidly exploiting new child processes as they are launched, denying
   other clients the ability to log in.
   The remote password array is included in the TDS LOGINREC structure
   and is of the format:

      byte    first server name length
      byte[]  first server name
      byte    first password length
      byte[]  first password
      byte    next server name length
      ...
      byte    total length of remote password array

   By specifying invalid lengths, a heap overflow can be triggered. We
   believe the possibility of arbitrary remote code execution is
   unlikely in this case, but the possibility has not been ruled out.

6. Contact Information

   Rapid7 Security Advisories
   Email: advisory@rapid7.com
   Web:   http://www.rapid7.com/
   Phone: +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid7, Inc. is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community. There are NO WARRANTIES with
   regard to this information. Any application or distribution of this
   information constitutes acceptance AS IS, at the user's own risk.
   This information is subject to change without notice.

   This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby
   granted to redistribute this advisory, providing that no changes are
   made and that the copyright notices and disclaimers remain intact.
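As an added illustration of the length-consistency check that section 5 says the server lacks, here is a small validating parser for the remote password array layout described there. It is example code written for this page, not Sybase's or Rapid7's code; the fixed field width of 255 record bytes plus one trailing total-length byte, and the treatment of any out-of-range length as a hard parse error, are assumptions.

```python
"""Validating parser for the TDS LOGINREC remote password array.

Layout taken from the advisory: repeated (server-name length, server name,
password length, password) records, followed by one byte holding the total
length of the array.  Every length byte is checked against the declared
total before it is used as an index, so an inconsistent length is rejected
instead of being trusted for a copy.
"""
from typing import List, Tuple

REMPW_FIELD_LEN = 256  # assumed: 255 record bytes + 1 trailing length byte


class RemotePasswordArrayError(ValueError):
    """Raised when a length byte points outside the declared array."""


def parse_remote_password_array(field: bytes) -> List[Tuple[bytes, bytes]]:
    """Return the (server, password) pairs, rejecting inconsistent lengths."""
    if len(field) != REMPW_FIELD_LEN:
        raise RemotePasswordArrayError(f"field must be {REMPW_FIELD_LEN} bytes")
    total = field[-1]          # trailing byte: total length of the records
    body = field[:-1]
    if total > len(body):
        raise RemotePasswordArrayError(f"total length {total} exceeds field")
    entries = []
    pos = 0
    while pos < total:
        pair = []
        for label in ("server name", "password"):
            if pos >= total:   # a length byte is missing entirely
                raise RemotePasswordArrayError(f"truncated {label} length at {pos}")
            n = body[pos]
            pos += 1
            if pos + n > total:  # the length overruns the declared array
                raise RemotePasswordArrayError(
                    f"{label} length {n} at offset {pos - 1} overruns array of {total}")
            pair.append(bytes(body[pos:pos + n]))
            pos += n
        entries.append((pair[0], pair[1]))
    return entries


def encode_remote_password_array(pairs: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed helper: encode well-formed pairs into the fixed field."""
    body = b"".join(bytes([len(s)]) + s + bytes([len(p)]) + p for s, p in pairs)
    if len(body) > REMPW_FIELD_LEN - 1:
        raise ValueError("records do not fit in the remote password array")
    return body.ljust(REMPW_FIELD_LEN - 1, b"\0") + bytes([len(body)])
```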