Credit:
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=577
Vulnerable Systems:
* ArcSDE version 9.2, as bundled with ArcGIS.
* (All versions are suspected to be vulnerable.)
This vulnerability exists because insufficient buffer space is reserved when user-supplied numeric values are rendered as ASCII. Certain requests result in an sprintf() call into a static-sized 8-byte stack buffer. If an attacker supplies a number whose ASCII representation cannot fit within 8 bytes, a stack-based buffer overflow occurs.
Exploitation allows attackers to crash the service, or potentially execute arbitrary code.
Since an attacker can only overflow the buffer with numeric values and a single NUL byte, execution of arbitrary code may not be possible. Denial of service is definitely possible.
No authentication is required to exploit this vulnerability. Exploitation requires that the attacker be able to communicate with the server over the TCP port on which it listens. By default the server listens on port 5151.
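As an added illustration (not iDefense's, ESRI's or ArcSDE's actual code), the unbounded sprintf() pattern the advisory describes is shown in a comment beside a bounded replacement that rejects values whose decimal form does not fit; the 8-byte buffer size comes from the advisory, the function names and sample values are assumed:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer the advisory describes: 8 bytes, which holds
 * at most 7 ASCII characters plus the terminating NUL that sprintf() appends. */
#define FIELD_BUF_SIZE 8

/* Vulnerable pattern (hypothetical reconstruction, not ArcSDE's source):
 *
 *     char buf[8];
 *     sprintf(buf, "%ld", value);   // unbounded: 8+ characters run past buf
 *
 * Hardened replacement: snprintf() never writes past out_len, and its return
 * value is the length the complete output would have had, so a value that
 * would not fit is detected instead of overflowing.
 * Returns 0 on success, -1 if the value does not fit in out_len bytes. */
int format_numeric_field(char *out, size_t out_len, long value)
{
    int needed = snprintf(out, out_len, "%ld", value);
    if (needed < 0 || (size_t)needed >= out_len) {
        /* Reject rather than silently truncate: a truncated number is a
         * different number, and the caller must not act on it. */
        if (out_len > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Does the decimal ASCII form of value (sign included) fit, together with
 * its NUL terminator, in a buffer of the advisory's size? Returns 1 or 0. */
int fits_in_field(long value)
{
    char tmp[FIELD_BUF_SIZE];
    return format_numeric_field(tmp, sizeof tmp, value) == 0;
}

int main(void)
{
    /* Constructed sample values around the 7-character boundary. */
    long samples[] = { 42, 1234567, 12345678, -1234567, 2147483647L };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[FIELD_BUF_SIZE];
        if (format_numeric_field(buf, sizeof buf, samples[i]) == 0)
            printf("%11ld -> fits     (\"%s\")\n", samples[i], buf);
        else
            printf("%11ld -> rejected (needs more than %d bytes)\n",
                   samples[i], FIELD_BUF_SIZE);
    }
    return 0;
}
```

The same snprintf() return-value check is what a code audit looks for in every place an attacker-controlled number is formatted into a fixed buffer.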
Workaround:
Employing firewalls to limit access to the affected service can help prevent potential exploitation of this vulnerability.
Vendor Status:
ESRI has addressed this vulnerability by releasing ArcSDE 9.2 Service Pack 3. More information is available from their Service Pack 3 release notes at the following URL.
http://downloads.esri.com/support/downloads/other_/ArcSDE-92sp3-issues.htm
CVE Information:
CVE-2007-4278
Disclosure Timeline:
* 05/14/2007 - Initial vendor notification.
* 05/14/2007 - Initial vendor response.
* 08/15/2007 - Coordinated public disclosure.