NGSSoftware Insight Security Research Advisory

Name: Sybase ASE Multiple Security Issues
Systems Affected: Sybase ASE versions prior to 12.5.3 ESD#1
Severity: High
Vendor URL: http://www.sybase.com/
Researchers: Mark Litchfield [ mark@ngssoftware.com ]
             Sherief Hammad [ sherief@ngssoftware.com ]
             Chris Anley [ chris@ngssoftware.com ]
Date of Public Advisory: 5th April 2005
Advisory number: #NISR05042005
Advisory URL: http://www.ngssoftware.com/advisories/sybase-ase.txt

Description
***********

This document describes the details of six security flaws in Sybase Adaptive Server Enterprise reported to Sybase by NGS Software (NGSS) in 2004.

Sybase has released patches for all of the security flaws described in this document. Information about these patches can be found here:

http://www.sybase.com/detail?id=1034520

and here:

http://www.sybase.com/detail?id=1034752

NGSS advise all Sybase ASE customers to review the advice that Sybase has provided in the alert above, and apply the relevant patches as soon as is practical.

The issues are divided into two categories - five buffer overflow vulnerabilities and one denial of service condition.

Impact
******

All of the buffer overflow vulnerabilities described in this document require an attacker to have a valid username and password for the Sybase server. If an attacker does not have - and cannot guess - a username and password, these vulnerabilities cannot be exploited.

The first four buffer overflow vulnerabilities represent the most serious security problem because they occur in internal parsing components and built-in functions that are accessible to all authenticated Sybase users. This makes it more difficult to apply a workaround, since the attacker requires no special permission to take advantage of these flaws, and no mechanism exists to prevent a user from executing the vulnerable code.

An additional factor when evaluating the risk posed by these vulnerabilities is SQL injection.
SQL injection is a common problem among modern web applications, and it poses a particular threat when combined with buffer overflow vulnerabilities in this class, since it can allow an attacker that does not have knowledge of valid database credentials to execute queries of their choice. If the database server is vulnerable to buffer overflows that can be exploited by any authenticated user, the attacker can trigger the overflow via a SQL injection attack and gain full control of the database server.

An attacker that successfully exploited one of these flaws would be able to execute the code of their choice in the security context of the Sybase database server process, which could grant them full control over all data managed by that Sybase server - effectively, the attacker could do anything that the Sybase server could do.

If the best practice recommended by Sybase has been followed, the Sybase server should be running as a low-privileged user, so the attacker would not necessarily gain full control of the host that Sybase ASE was running on. It is worth noting, however, that in some configurations - notably when running on Windows servers - the Sybase server runs within the context of an administrative account by default.

The serious buffer overflow vulnerabilities are:

Sybase ASE attrib_valid overflow
Sybase ASE convert overflow
Sybase ASE declare data type overflow
Sybase ASE abstract plan syntax stack overflow

The fifth buffer overflow, the "install java" overflow, requires a user to be a database owner (dbo) or have the "sa" role.

Workarounds
***********

If the patch supplied by Sybase has been correctly applied, none of these vulnerabilities pose a threat. If applying the patch is not possible for some reason, there are other steps that can be taken to mitigate the risk posed by these security flaws.
We recommend that Sybase users review and consider applying these steps even if the patch has been applied, since they represent security "best practice" and will reduce the risk posed if similar issues are discovered in the future.

1) Run Sybase ASE as a low-privileged user, rather than an administrative user. This is the configuration recommended by Sybase, but it is not the default on some platforms.

2) Apply a host- or network-based firewall to the Sybase ASE server. Ensure that only trusted hosts can connect to the server, and that the server can only connect to hosts that it needs to connect to. This will prevent unauthorised users from accessing the server, and will reduce the impact on the rest of the network if some component of the Sybase ASE server is compromised.

3) Restrict the number of users that have accounts on the Sybase server. Four of the buffer overflows detailed in this document can be triggered by any user that has the ability to run a query on the server; if the ability to run queries chosen by a user can be restricted, the risk posed by these security flaws is greatly reduced.

4) Enforce password complexity and lockout. Sybase ASE has excellent features for enforcing password complexity and can lock out accounts after a specified number of failed attempts to authenticate. These features can prevent an attacker from using brute-force techniques to guess database passwords.

5) If practical, enable auditing on your Sybase server. Sybase ASE has rich auditing features that should enable you to track suspicious activity and hopefully prevent an incident.

6) With publication of this document, IDS and IPS vendors should be able to create signatures that track attempts to exploit these vulnerabilities. We recommend the use of IDS and IPS systems as a part of a broader security strategy.
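Workaround steps 4 and 5, written out as a Transact-SQL hardening script. This is an added example and is not part of the NGSS advisory or Sybase's alert; the sp_configure and sp_audit option names are those documented for ASE 12.5 (check them against your version's manuals), and the numeric values are illustrative policy choices, not vendor defaults.

```sql
-- Added example (not from the advisory): hardening for workaround steps 4 and 5.
-- Run as a login holding sa_role / sso_role.

-- Step 4: password complexity and account lockout.
-- "maximum failed logins" set to 0 means accounts are never locked out,
-- which is the weak setting; a small positive value enables lockout.
sp_configure "maximum failed logins", 5
go
-- Require longer passwords than the short minimum many sites leave in place.
sp_configure "minimum password length", 8
go
-- Require at least one digit in every new password.
sp_configure "check password for digit", 1
go

-- Step 5: auditing (requires the sybsecurity database to be installed).
sp_configure "auditing", 1
go
-- Record every login and logout attempt, successful or not, for all logins,
-- so brute-force guessing and lockouts are visible in the audit trail.
sp_audit "login", "all", "all", "on"
go
sp_audit "logout", "all", "all", "on"
go
-- Record server-wide security events (role and permission changes, etc.).
sp_audit "security", "all", "all", "on"
go

-- Verify the resulting settings.
sp_configure "maximum failed logins"
go
sp_displayaudit
go
```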
Details
*******

Sybase ASE attrib_valid overflow

Sybase Adaptive Server Enterprise has many advanced features, including a rich set of procedural extensions to the SQL language, known as Transact-SQL. These extensions include functions for manipulating data types. One of these functions, "attrib_valid", contains a stack buffer overflow.

Sybase ASE convert overflow

Another of the extensions to the SQL language that Sybase ASE implements is a set of functions for manipulating data types. One of these functions, "convert", allows a user to perform an explicit conversion between two data types. The convert function can be invoked to cause a stack buffer overflow.

Sybase ASE declare data type overflow

Sybase ASE implements a number of extensions to the SQL language that relate to procedural execution. One component of this set of extensions is the ability to declare variables of specified types, using the "declare" statement. The "declare" statement can be constructed to cause a stack buffer overflow.

Sybase ASE abstract plan syntax stack overflow

Sybase ASE implements many performance optimisation mechanisms. One of these mechanisms allows a user to specify an abstract query plan when executing a SQL query. A query plan specifies the precise manner in which the underlying data and indexes are to be accessed while a query is running, and allows extremely fine-grained control over the performance of the query. All users that can execute SQL queries can specify query plans. A query plan can be created such that it causes a stack buffer overflow. If successfully exploited, this could allow an attacker to execute code of their choice in the security context of the Sybase server.
Sybase ASE INSTALL JAVA NEW FROM FILE overflow

Sybase ASE contains many features that allow greater interoperation between the database and the Java language; if the use of Java has been enabled on a particular server, it is possible to execute Java methods within Transact-SQL as though they were a part of the language. One additional Java-related feature of ASE is the ability to add custom Java classes to the database server's pre-installed set of Java classes. The statement that enables this functionality - the "install java" statement - can be constructed so as to cause a stack buffer overflow. The impact of this buffer overflow is reduced by the fact that only database owners and users with the "sa" role can execute the "install java" command.

Sybase ASE XP_SERVER - DENIAL OF SERVICE

Sybase ASE allows users to extend its features by permitting the execution of functions in external, dynamically loadable libraries. These functions are known as "extended stored procedures". Sybase ASE loads these libraries into an external process known as the "xp_server". The xp_server normally listens on a default TCP port on a Sybase ASE server. It is possible for an unauthenticated remote attacker to cause the xp_server to crash by submitting garbage data to this TCP port, for example by directing a web browser at the relevant TCP port on the server.

Fix Information
***************

These issues are fixed in Sybase ASE 12.5.3 ESD#1. For more information, see here:

http://www.sybase.com/detail?id=1034520

and here:

http://www.sybase.com/detail?id=1034752

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company, NGSConsulting, offers best-of-breed security consulting services, specialising in application, host and network security assessments.
http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com