Sybase: DBCC CHECKVERIFY Buffer Overflow
November 26, 2002
To determine if your Sybase installations have this vulnerability, download
AppDetective™ for Sybase from:
Risk level: High
Versions Affected: Sybase Adaptive Server 12.5
Threat: Allows a non-privileged login to gain full control of the server
The built-in function DBCC CHECKVERIFY contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the server. Any valid login in Sybase is able to execute this function.
Sybase Adaptive Server provides a built-in function called DBCC CHECKVERIFY. This function is used to verify the results of the most recent run of dbcc checkstorage.
DBCC CHECKVERIFY accepts a single parameter that is the name of the database to check. DBCC CHECKVERIFY does not validate the length of the string passed into the first parameter. This buffer overflow may allow an attacker to run arbitrary code under the security context of the database.
Below is an example of overflowing the buffer using the SQL tool isql.exe.
1> declare @test varchar(16384)
2> select @test = replicate('A', 16384)
3> DBCC CHECKVERIFY(@test)
This exploit can be run by anyone that can connect to the server, not just database owners or system administrators. DBCC CHECKVERIFY is meant to only be run by privileged users, however if a non-privileged user runs this command, the buffer overflow occurs before any access control takes place. Therefore a non-privileged user can use this security hole to take complete control of a Sybase server.
Sybase 12.0 on UNIX does throw a FATAL error when executing the statement as a non-privileged user with a 255 character varchar, however it does not appear that it is exploitable on Sybase 12.0.
You should apply the following patches:
126.96.36.199 - 11/14/2002
These patches can be downloaded from http://downloads.sybase.com/swd/swx