MaxDB by MySQL is a re-branded and enhanced version of SAP DB, SAP AG's open source database. MaxDB is a heavy-duty, SAP-certified open source database that offers high availability, scalability and a comprehensive feature set. MaxDB complements the MySQL database server, targeted for large mySAP ERP environments and other applications that require maximum.
Remote exploitation of two buffer overflow vulnerabilities in MySQL MaxDB's Webtools could allow attackers to execute arbitrary code.
Credit:
The information has been provided by iDEFENSE.
The original article can be found at: http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities,
and at: http://www.idefense.com/application/poi/display?id=235&type=vulnerabilities
Vulnerable Systems:
* MySQL MaxDB version 7.5.00.23
Immune Systems:
* MySQL MaxDB version 7.5.00.26
Webtool Stack Overflow:
Remote exploitation of a stack-based buffer overflow vulnerability in MySQL MaxDB could allow attackers to execute arbitrary code.
The vulnerability specifically exists due to improper handling of HTTP GET queries containing a percent sign (%). When an attacker issues an HTTP GET request specifying a percent sign followed by a long string as the file parameter, a stack-based overflow occurs. Although exceptions within the process can be raised with smaller strings, a string of approximately 4,000 bytes is needed to overwrite the process's Structured Exception Handler (SEH) record. Using this method, it is possible to gain control of execution flow and execute arbitrary code.
It is also possible to simply overwrite the program's saved instruction pointer. However, it would be necessary to provide several valid pointers in the buffer along the way in order to avoid premature exceptions.
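The advisory does not show the code that mishandles the percent sign, so the following is an added illustration (not MaxDB code, and not a claim about the exact root cause) of how a "file" parameter should be percent-decoded into a fixed stack buffer: every %XX escape is validated and the decoded length is checked against the destination before anything is written, so a 4,000-byte string is refused rather than written over the stack. FILE_PARAM_MAX, url_decode_bounded(), demo() and the sample inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed capacity of the decoded "file" parameter; not MaxDB's real limit. */
#define FILE_PARAM_MAX 256

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* First pass: validate every %XX escape and return the decoded length,
 * or -1 for a truncated or non-hex escape. Nothing is written here. */
static int decoded_length(const char *src)
{
    int n = 0;
    for (size_t i = 0; src[i] != '\0'; i++, n++) {
        if (src[i] == '%') {
            if (src[i + 1] == '\0' || src[i + 2] == '\0' ||
                hexval((unsigned char)src[i + 1]) < 0 ||
                hexval((unsigned char)src[i + 2]) < 0)
                return -1;
            i += 2;
        }
    }
    return n;
}

/* Second pass: percent-decode src into dst (capacity dstlen, NUL included).
 * Returns the decoded length, or -1 if the input is malformed or would not
 * fit. On -1 dst is left untouched, so callers never see a partial,
 * unterminated buffer. */
int url_decode_bounded(const char *src, char *dst, size_t dstlen)
{
    int n;
    size_t out = 0;

    if (src == NULL || dst == NULL)
        return -1;
    n = decoded_length(src);
    if (n < 0 || (size_t)n + 1 > dstlen)   /* the check the vulnerable code lacks */
        return -1;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            c = (hexval((unsigned char)src[i + 1]) << 4) | hexval((unsigned char)src[i + 2]);
            i += 2;
        }
        dst[out++] = (char)c;
    }
    dst[out] = '\0';
    return n;
}

/* Stand-alone demonstration on constructed inputs: a normal file name is
 * decoded into a fixed stack buffer, while a 4,000-byte "%AAAA..." value of
 * the kind described in the advisory is rejected before any copy. */
int demo(void)
{
    char decoded[FILE_PARAM_MAX];
    static char attack[4001];        /* constructed: '%' followed by 3,999 'A's */
    int short_len, long_len;

    memset(attack, 'A', sizeof attack - 1);
    attack[0] = '%';
    attack[sizeof attack - 1] = '\0';

    short_len = url_decode_bounded("index%2Ehtml", decoded, sizeof decoded);  /* 10 */
    long_len  = url_decode_bounded(attack, decoded, sizeof decoded);          /* -1 */
    return short_len == 10 && strcmp(decoded, "index.html") == 0 && long_len == -1;
}
```

The two-pass shape is deliberate: validating and measuring before writing means a rejected request leaves the destination buffer exactly as it was, which is the property a handler needs when the same stack buffer is reused for the next request.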
Lock-Token Vulnerability:
The vulnerability specifically exists due to a lack of bounds checking in the WebDAV functionality of the web tool. The value of the HTTP Lock-Token request header is copied with strcpy() into a fixed-size stack buffer without any length check (see the code snip below), so an overlong header overwrites stack memory beyond the buffer. Using this method, it is possible to gain control of execution flow and execute arbitrary code.
Code Snips:
MaxDB_ORG/sys/src/SAPDB/WebDAV/Handler/WDVHandler_CommonUtils.c:
WDVH_Bool getLockTokenHeader(sapdbwa_HttpRequestP request,
                             WDVH_Char *sLockToken,
                             WDVH_Char *errormsg)
{
    WDVH_Char *temp1, *temp2, *temp4, *temp5;
    WDVH_UInt4 length;
    WDVH_Char temp3[WDVH_MAX_IF_HEADER_LEN];   /* fixed-size stack buffer */

    if (request==NULL || sLockToken==NULL || errormsg==NULL)
        return WDVH_False;

    /* attacker-controlled value of the Lock-Token request header */
    temp4 = (char*)sapdbwa_GetHeader(request,"Lock-Token");
    if (temp4 != NULL) {
        strcpy(temp3,temp4);   /* unbounded copy: no check against WDVH_MAX_IF_HEADER_LEN */
[...]
The variable temp3 is a fixed-length stack buffer. The function sapdbwa_GetHeader() returns the user-supplied value of the Lock-Token header, which is then copied into that fixed-size buffer with strcpy(). Because there is no bounds check, a header longer than WDVH_MAX_IF_HEADER_LEN overflows the buffer and overwrites stack memory, ultimately leading to control of execution flow and execution of arbitrary code.
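A hardened counterpart to the snippet above, written as an added example (not MaxDB's own fix, whose code the advisory does not show): the caller passes the token buffer's capacity, the header value is length-checked and checked for the bracketed Coded-URL shape that RFC 2518 requires before a single byte is copied, and failure leaves the buffer as an empty string. The request_t/header_t types, get_header(), MAX_IF_HEADER_LEN, demo() and the sample headers are stand-ins constructed for this example in place of sapdbwa_HttpRequestP, sapdbwa_GetHeader() and WDVH_MAX_IF_HEADER_LEN.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the token buffer; the real WDVH_MAX_IF_HEADER_LEN is not shown. */
#define MAX_IF_HEADER_LEN 128

/* Constructed stand-in for the request object and sapdbwa_GetHeader():
 * a flat table of (name, value) pairs. */
typedef struct { const char *name; const char *value; } header_t;
typedef struct { const header_t *hdrs; size_t n; } request_t;

/* HTTP header names are case-insensitive. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static const char *get_header(const request_t *req, const char *name)
{
    for (size_t i = 0; i < req->n; i++)
        if (name_eq(req->hdrs[i].name, name))
            return req->hdrs[i].value;
    return NULL;
}

/* Hardened counterpart of getLockTokenHeader(). Same job as the vulnerable
 * function, but the caller passes the token buffer's capacity and the value
 * is length- and shape-checked before a single byte is copied.
 * Returns 1 on success. On failure returns 0 with errormsg set and the token
 * buffer left as an empty string. */
int get_lock_token_header(const request_t *req, char *token, size_t tokenlen,
                          char *errormsg, size_t errlen)
{
    const char *v;
    size_t len;

    if (req == NULL || token == NULL || errormsg == NULL || tokenlen == 0 || errlen == 0)
        return 0;
    token[0] = '\0';
    errormsg[0] = '\0';

    v = get_header(req, "Lock-Token");
    if (v == NULL) {
        snprintf(errormsg, errlen, "Lock-Token header missing");
        return 0;
    }
    len = strlen(v);
    if (len + 1 > tokenlen) {                 /* the bounds check strcpy() never did */
        snprintf(errormsg, errlen, "Lock-Token header too long (%zu bytes)", len);
        return 0;
    }
    /* RFC 2518 Coded-URL: the token is an absolute URI in angle brackets. */
    if (len < 3 || v[0] != '<' || v[len - 1] != '>') {
        snprintf(errormsg, errlen, "Lock-Token is not a Coded-URL");
        return 0;
    }
    memcpy(token, v, len + 1);                /* cannot overrun: len < tokenlen */
    return 1;
}

/* Stand-alone demonstration on constructed requests: a well-formed token is
 * accepted, a 4,000-byte header of the kind the advisory describes is refused. */
int demo(void)
{
    static char big[4001];                    /* constructed: 4,000 'A's */
    const header_t good[] = {
        { "Host",       "maxdb.example" },
        { "Lock-Token", "<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>" },
    };
    const header_t bad[] = { { "lock-token", big } };
    const request_t r_good = { good, 2 }, r_bad = { bad, 1 };
    char token[MAX_IF_HEADER_LEN], err[80];
    int ok_good, ok_bad;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    ok_good = get_lock_token_header(&r_good, token, sizeof token, err, sizeof err);  /* 1 */
    ok_bad  = get_lock_token_header(&r_bad,  token, sizeof token, err, sizeof err);  /* 0 */
    return ok_good == 1 && ok_bad == 0 && token[0] == '\0' && err[0] != '\0';
}
```

Passing the capacity explicitly is the important change: the original signature takes a bare `WDVH_Char *sLockToken` and relies on every caller and the header source agreeing on WDVH_MAX_IF_HEADER_LEN, which is exactly the agreement an attacker-supplied header breaks. Rejecting values that are not a Coded-URL is a secondary check that also removes most junk before it reaches the lock-handling code.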
CVE Information:
CAN-2005-0684
Disclosure Timeline:
03/08/2005 - Initial vendor notification
03/11/2005 - Initial vendor response
04/25/2005 - Coordinated public disclosure