Database Journal

Posted Dec 2, 2002

New Sybase Privilege Escalation Vulnerabilities Discovered

By Forrest Stroud

Patches for three new privilege escalation vulnerabilities have been released for Sybase Adaptive Server 12 and 12.5. Each vulnerability is a buffer overflow that a non-privileged user can abuse to gain elevated privileges and execute arbitrary code with them. The team that discovered the flaws, the Application Security, Inc. SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) Team, rates the risk level as high.

Here's a brief synopsis of the three vulnerabilities:

  • xp_freedll Buffer Overflow. An extended stored procedure (ESP) called xp_freedll in the database sybsystemprocs is used to release a DLL that has been loaded by another extended stored procedure. Passing an argument of more than 45 characters to xp_freedll overflows a buffer, which could allow an attacker to run arbitrary code under the security context of the extended stored procedure server. Examples of overflowing the xp_freedll ESP buffer are available at http://www.appsecinc.com/resources/alerts/sybase/02-0003.html.
  • DBCC CHECKVERIFY Buffer Overflow. A Sybase Adaptive Server built-in function called DBCC CHECKVERIFY is used to verify the results of the most recent run of dbcc checkstorage. A buffer overflow vulnerability exists that could allow an attacker to run arbitrary code under the security context of the database. Here's an example of overflowing the DBCC CHECKVERIFY buffer using the SQL tool isql.exe:
        declare @test varchar(16384)
        select @test = replicate('A', 16384)
        DBCC CHECKVERIFY(@test)
        go
    
  • DROP DATABASE Buffer Overflow. A Sybase Adaptive Server built-in function called DROP DATABASE is used to remove a database from the server. A buffer overflow vulnerability exists that could allow an attacker to overwrite the stack and execute arbitrary code under the security context of the server. Here's an example of overflowing the DROP DATABASE buffer using the SQL tool isql.exe:
        declare @test varchar(16384)
        select @test = replicate('A', 16384)
        DROP DATABASE @test
        go
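
For detection, the oversized-argument pattern described in the three items above can be looked for in logged SQL. The following is an added example, not code from the article, Application Security or Sybase: the names `scan_batch`, `expr_len` and `LIMITS` are hypothetical, the 30-character ceiling for database names is an assumption, and the input is assumed to be one statement per line as captured by statement auditing.

```python
import re

# Per-command argument length ceilings. 45 is the xp_freedll figure quoted in
# the article; 30 is an ASSUMED maximum database-name length, adjust as needed.
LIMITS = {"xp_freedll": 45, "dbcc checkverify": 30, "drop database": 30}

ASSIGN = re.compile(r"select\s+(@\w+)\s*=\s*(.+)", re.I)
REPLICATE = re.compile(r"replicate\s*\(\s*'([^']*)'\s*,\s*(\d+)\s*\)", re.I)
CALL = re.compile(r"\b(xp_freedll|dbcc\s+checkverify|drop\s+database)\b"
                  r"\s*\(?\s*('[^']*'|@\w+|\w+)", re.I)

def expr_len(expr, variables):
    # Length of a literal, replicate() call, identifier or tracked variable;
    # None when it cannot be determined statically.
    expr = expr.strip()
    m = REPLICATE.fullmatch(expr)
    if m:
        return len(m.group(1)) * int(m.group(2))
    if re.fullmatch(r"'[^']*'", expr):
        return len(expr) - 2
    if re.fullmatch(r"@\w+", expr):
        return variables.get(expr.lower())
    return len(expr) if re.fullmatch(r"\w+", expr) else None

def scan_batch(sql):
    # Return (command, argument_length) for calls over the limit or unresolved.
    variables, findings = {}, []
    for line in sql.splitlines():
        m = ASSIGN.match(line.strip())
        if m:
            variables[m.group(1).lower()] = expr_len(m.group(2), variables)
            continue
        m = CALL.search(line)
        if m:
            command = " ".join(m.group(1).lower().split())
            length = expr_len(m.group(2), variables)
            if length is None or length > LIMITS[command]:
                findings.append((command, length))
    return findings

# Constructed sample batches, as they might appear in a statement audit log.
SAMPLE_BATCHES = {
    "oversized": "declare @test varchar(16384)\nselect @test = replicate('A', 16384)\n"
                 "DBCC CHECKVERIFY(@test)\ngo",
    "routine": "drop database salesdb\ngo",
}

if __name__ == "__main__":
    for name, batch in SAMPLE_BATCHES.items():
        print(name, scan_batch(batch))
```

A finding with a length of `None` means the argument was a variable whose value could not be resolved from the batch and should be reviewed by hand.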
    
You can determine if your Sybase installations have these vulnerabilities by downloading Application Security's AppDetective for Sybase at http://www.appsecinc.com/products/appdetective/sybase/. Patches to fix the new flaws are available from Sybase at http://downloads.sybase.com/swd/swx. The following patches need to be applied:

12.5.0.2 - 11/14/2002
12.0.0.6 ESD#1 - 11/5/2002

Additional information on these new vulnerabilities is available at http://www.appsecinc.com/resources/alerts/sybase/.

