* IBM Informix IDS versiions 7.x through version 11.x
A vulnerability was identified in this code when a large number of parameters, delimited by either a 0x20 or 0x0a, are sent in the initial packet. A stack based buffer overflow occurs in the outer parsing function as too many pointers are pushed to the stack and subsequently overwrite the function's return address.
When the function responsible for copying the pointers to the stack returns it continues through the parent parsing function. Control over execution is gained when the outer function returns. The execution conveniently continues at the location referenced by the pointer which was used to overwrite the return address.
This pointer references the start of the memory location where the parameter data sits and is written to the stack using the value in the ESI register. This means that it is not necessary to discover the location of the shellcode in memory as a pointer to its location is provided by the function itself. The shellcode can therefore be located in a parameter field of the initial data packet and will automatically be executed after the pointer has overwritten the return address.
The vulnerability would enable an attacker to execute arbitrary code on the system with the privileges of the Informix user. By default, this account is a member of the administrators group on a Microsoft Windows system.