|
Sybase: DROP DATABASE Buffer Overflow
November 26, 2002
To determine if your Sybase installations have this vulnerability, download
AppDetective™ for Sybase from:
http://www.appsecinc.com/products/appdetective/sybase/
Risk level: High
Versions Affected: Sybase Adaptive Server 12.5.
Threat: Allows a non-privileged login to gain full control of the server
Summary:
The built-in function DROP DATABASE contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the server. Any valid login in Sybase is able to execute this function.
Details:
Sybase Adaptive Server provides a built-in function called DROP DATABASE. This function is used to remove a database from the server.
DROP DATABASE accepts a single parameter that is the name of the database to remove. DROP DATABASE does not validate the length of the string passed into the first parameter. This buffer overflow may allow an attacker to run arbitrary code under the security context of the database.
Below is an example of overflowing the buffer using the SQL tool isql.exe.
1> declare @test varchar(16384)
2> select @test = replicate('A', 16384)
3> DROP DATABASE @test
4> go
This exploit can be run by anyone that can connect to the server, not just database owners or system administrators. The command is DROP DATABASE. This is meant to only be run by privileged users, however if a non-privileged user runs this command, the buffer overflow occurs before any access control takes place. Therefore a non-privileged user can use this security hole to take complete control of a Sybase server.
Fix:
You should apply the following patches:
12.5.0.2 - 11/14/2002
These patches can be downloaded from http://downloads.sybase.com/swd/swx
|
