New Sybase Privilege Escalation Vulnerabilities Discovered


Patches for three new privilege escalation vulnerabilities have been released for Sybase Adaptive Server 12 and 12.5. All three are buffer overflows that a non-privileged user can abuse to gain elevated privileges and execute arbitrary code with them. The team that discovered the flaws, the Application Security, Inc. SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) Team, considers the risk level high.

Here’s a brief synopsis of the three vulnerabilities:

  • xp_freedll Buffer Overflow. An extended stored procedure (ESP) called xp_freedll in the database sybsystemprocs is used to release a DLL that has been loaded by another extended stored procedure. Passing xp_freedll an argument of more than 45 characters overflows a buffer, which could allow an attacker to run arbitrary code under the security context of the extended stored procedure server. Examples of overflowing the xp_freedll ESP buffer are available at http://www.appsecinc.com/resources/alerts/sybase/02-0003.html.
  • DBCC CHECKVERIFY Buffer Overflow. A Sybase Adaptive Server built-in function called DBCC CHECKVERIFY is used to verify the results of the most recent run of dbcc checkstorage. A buffer overflow vulnerability exists that could allow an attacker to run arbitrary code under the security context of the database. Here’s an example of overflowing the DBCC CHECKVERIFY buffer using the SQL tool isql.exe:

        declare @test varchar(16384)
        select @test = replicate('A', 16384)
        DBCC CHECKVERIFY(@test)
        go
    
  • DROP DATABASE Buffer Overflow. A Sybase Adaptive Server built-in function called DROP DATABASE is used to remove a database from the server. A buffer overflow vulnerability exists that could allow an attacker to overwrite the stack and execute arbitrary code under the security context of the server. Here’s an example of overflowing the DROP DATABASE buffer using the SQL tool isql.exe:

        declare @test varchar(16384)
        select @test = replicate('A', 16384)
        DROP DATABASE @test
        go
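
One way to screen captured SQL batches (for example, text collected by statement auditing) for the three patterns described above; this is an added example, not code from the advisory or from AppDetective. Only the 45-character xp_freedll threshold comes from the text: the 30-character limit for database-name arguments, the name `scan_batch` and the sample batches are assumptions.

```python
import re

# Length limits. 45 is the xp_freedll threshold given in the advisory; 30 is an
# assumption (the identifier length limit for database names in ASE 12.x).
LIMITS = {"xp_freedll": 45, "dbcc checkverify": 30, "drop database": 30}

ARG = r"(?P<arg>'[^']*'|\"[^\"]*\"|@\w+|[^\s(),]+)"
CALLS = {
    "xp_freedll": re.compile(r"\bxp_freedll\s+" + ARG, re.I),
    "dbcc checkverify": re.compile(r"\bdbcc\s+checkverify\s*\(\s*" + ARG, re.I),
    "drop database": re.compile(r"\bdrop\s+database\s+" + ARG, re.I),
}
DECLARE = re.compile(r"\bdeclare\s+(@\w+)\s+(?:var)?char\s*\(\s*(\d+)\s*\)", re.I)


def scan_batch(sql):
    """Return (command, reason) findings for one captured SQL batch."""
    # Declared capacity of each char/varchar variable in the batch.
    declared = {name.lower(): int(size) for name, size in DECLARE.findall(sql)}
    findings = []
    for command, pattern in CALLS.items():
        limit = LIMITS[command]
        for match in pattern.finditer(sql):
            arg = match.group("arg")
            if arg.startswith("@"):
                size = declared.get(arg.lower())
                if size is None:
                    findings.append((command, f"variable {arg} of unknown size"))
                elif size > limit:
                    findings.append((command, f"variable {arg} can hold {size} chars, limit {limit}"))
            else:
                length = len(arg.strip("'\""))
                if length > limit:
                    findings.append((command, f"literal argument of {length} chars, limit {limit}"))
    return findings


# Constructed sample batches (not real audit data).
SAMPLES = [
    "drop database pubs2",
    "exec sybsystemprocs..xp_freedll 'helper.dll'",
    "declare @test varchar(16384)\nselect @test = replicate('A', 16384)\nDBCC CHECKVERIFY(@test)",
    "exec xp_freedll '" + "C:\\temp\\" + "x" * 60 + ".dll'",
]

if __name__ == "__main__":
    for batch in SAMPLES:
        print(scan_batch(batch) or "ok", "<-", batch.splitlines()[-1][:50])
```

A variable whose declaration is not in the same batch is reported as "unknown size" so it can be reviewed by hand rather than silently passed.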
    

You can determine if your Sybase installations have these vulnerabilities by downloading Application Security’s AppDetective for Sybase at http://www.appsecinc.com/products/appdetective/sybase/. Patches to fix the new flaws are available from Sybase at http://downloads.sybase.com/swd/swx. The following patches need to be applied:

  • 12.5.0.2 – 11/14/2002
  • 12.0.0.6 ESD#1 – 11/5/2002

Additional information on these new vulnerabilities is available at http://www.appsecinc.com/resources/alerts/sybase/.
