Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=546
Vulnerable Systems:
* Ingres Database version 3.0.3
The vulnerabilities exist in the Communications Server (iigcc.exe) and Data Access Server (iigcd.exe) components of Ingres. The Communications Server is the main component responsible for receiving and handling requests from the network. The Data Access Server is responsible for handling requests from the Ingres JDBC Driver and .NET data providers. These requests are decoded into Ingres internal formats and passed on to other components of the database server.
The application does not properly validate the length of attacker-supplied data before copying it into a fixed-size heap buffer. This leads to an exploitable condition.
Analysis:
Exploitation allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.
To exploit this vulnerability, an attacker would have to send a malformed request to the database server. This requires the ability to establish a TCP session on port 10916 (iigcc) or 10923 (iigcd).
Exploitation has been demonstrated to be trivial.
Workaround:
Employing firewalls or other access control methods can effectively reduce exposure to this vulnerability.
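To check whether the workaround is in effect on a host, the following added example (not part of the original advisory or of any vendor tooling) parses Windows `netstat -ano` output and reports Ingres listeners on the two ports named above that are bound to a non-loopback address. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Listener ports named in the advisory, mapped to the affected component.
INGRES_PORTS = {
    10916: "iigcc (Communications Server)",
    10923: "iigcd (Data Access Server)",
}

# Constructed sample of Windows `netstat -ano` output (not real host data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:10916          0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:10923        0.0.0.0:0              LISTENING       1240
  TCP    [::]:10923             [::]:0                 LISTENING       1240
  TCP    192.168.1.10:49152     10.0.0.5:10916         ESTABLISHED     888
  UDP    0.0.0.0:500            *:*                                    4
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def exposed_listeners(netstat_text):
    """Return (port, component, address, pid) for each listening Ingres
    socket that is reachable on something other than loopback."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # A listening TCP row has 5 fields: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        try:
            addr, port = split_endpoint(fields[1])
            ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            continue  # row we cannot parse; ignore rather than guess
        if port in INGRES_PORTS and not ip.is_loopback:
            findings.append((port, INGRES_PORTS[port], addr, int(fields[4])))
    return findings

if __name__ == "__main__":
    for port, component, addr, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{component} listening on {addr}:{port} (PID {pid})")
```

Run it against `netstat -ano` output captured on the database host; every row it reports is a listener that must be covered by a firewall or other access control rule until the vendor fix is installed.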
Vendor response:
CA has made fixes available for all supported CA products that embed Ingres. For more information, consult CA's Security Alert at the following URL: http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp
CVE Information:
CVE-2007-3334
Disclosure timeline:
01/16/2007 - Initial vendor notification
01/17/2007 - Initial vendor response
06/21/2007 - Coordinated public disclosure