Sybase Adaptive Server Enterprise (ASE) 12.5 is susceptible to a denial of service attack when a login is made with an invalid remote password array. A valid login is required to exploit this vulnerability.
Credit:
The original advisory is available from: http://www.rapid7.com/advisories/R7-0016.html.
The information has been provided by Rapid 7 Security Advisories.
Vulnerable systems:
* Sybase ASE version 12.5
Immune systems:
* Sybase version 11.0.3.3
* Sybase ASE version 12.5 ESD#2 (Electronic Software Distribution)
Technical details:
Connecting to Sybase Adaptive Server Enterprise (ASE) 12.5 with a valid login (correct user ID and password) and an invalid remote password array causes an access violation on the server, resulting in a denial of service in the child thread or process. On Windows, which spawns threads for each client, the server will stop responding to all commands, including new login requests. On systems such as Linux, which spawns new child processes for each client, other clients do not appear to be affected. However, an attacker could cause an effective DoS on new clients by rapidly exploiting new child processes as they are launched, denying other clients the ability to log in.
The remote password array is included in the TDS LOGINREC structure and is of the format:
byte first server name length
byte[ ] first server name
byte first password length
byte[ ] first password
byte next server name length
...
byte total length of remote password array
By specifying invalid lengths, a heap overflow can be triggered. We believe the possibility of arbitrary remote code execution is unlikely in this case, but the possibility has not been ruled out.
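Added example (not code from Rapid7 or Sybase): a bounds-checked C parser for the remote password array layout listed above, showing the length checks a receiver has to make before copying any server name or password. It assumes the field is passed with the one-byte total length as its last byte; the function name, result codes and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (hypothetical names, not from the advisory). */
enum { RPW_OK = 0, RPW_EMPTY_FIELD = -1, RPW_BAD_TOTAL = -2,
       RPW_NAME_OVERRUN = -3, RPW_PASS_OVERRUN = -4 };

/* field: remote password field as received; its last byte is the total
 * length of the array (assumed layout; padding, if any, sits before it).
 * On success stores the number of server/password pairs in *pairs. */
int rpw_validate(const uint8_t *field, size_t field_len, size_t *pairs)
{
    if (field == NULL || field_len == 0)
        return RPW_EMPTY_FIELD;
    size_t total = field[field_len - 1];   /* bytes the client claims are in use */
    if (total > field_len - 1)             /* claims more than was sent */
        return RPW_BAD_TOTAL;

    size_t off = 0, n = 0;
    while (off < total) {
        size_t name_len = field[off++];    /* server name length */
        if (name_len > total - off)
            return RPW_NAME_OVERRUN;
        off += name_len;
        if (off >= total)                  /* no byte left for password length */
            return RPW_PASS_OVERRUN;
        size_t pass_len = field[off++];    /* password length */
        if (pass_len > total - off)
            return RPW_PASS_OVERRUN;
        off += pass_len;
        n++;
    }
    if (pairs != NULL)
        *pairs = n;
    return RPW_OK;
}

int main(void)
{
    /* Constructed samples: one "SRV"/"pw" pair, then the same bytes with
     * a name length that runs past the declared total. */
    const uint8_t good[] = { 3, 'S', 'R', 'V', 2, 'p', 'w', 7 };
    const uint8_t bad[]  = { 9, 'S', 'R', 'V', 2, 'p', 'w', 7 };
    size_t n = 0;
    int rg = rpw_validate(good, sizeof good, &n);
    printf("good=%d pairs=%zu bad=%d\n", rg, n, rpw_validate(bad, sizeof bad, NULL));
    return 0;
}
```

Every length byte is checked against the bytes remaining inside the declared total, and the declared total is checked against the bytes actually received, so no inner length can direct a read or copy past the field.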