SecuriTeam™ - ESRI ArcSDE Buffer Overflow Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam™
Beyond Security®

SecuriTeam™ Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam™ in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

Environmental Systems Research Institute (ESRI) ArcSDE is "a multi-user database server that has been bundled with ArcGIS to provide access to Geographic Information Systems (GIS)". Remote exploitation of a buffer overflow vulnerability within Environmental Systems Research Institute (ESRI) Inc.'s ArcSDE service allows attackers to execute arbitrary code in the context of the running service.

Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=507

Audit your web server for security holes - see what the hackers see.
Sign up for a scan today - risk free!

Vulnerable Systems:
* ESRI version 9.2

Immune Systems:
* ESRI version 9.2 SP2

This vulnerability appears to exist in the handling of requests containing overly long string parameters. By supplying a specially crafted request, the ArcSDE server will overflow a buffer and overwrite execution control information stored on the stack.

Analysis:
Exploitation allows attackers to execute arbitrary code with the privileges of the running service.

No authentication is required to exploit this vulnerability. The attacker only needs the ability to converse with the server via the TCP port on which it is listening. By default the server listens on port 5151.

Workaround:
Employing firewalls to limit access to the affected service can help prevent potential exploitation of this vulnerability.

Vendor response:
ESRI has identified this issue as NIM007075 and corrected the vulnerability by releasing ArcGIS 9.2 Service Pack 2. Additionally, ESRI released the "Three Tiered Connection Security Patch" to address the problem in older versions. For more information see ESRI's notifications at the following URLs.
http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=66&MetaID=1259
http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=19&MetaID=1262
http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=19&MetaID=1261
http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=19&MetaID=1260

Disclosure timeline:
02/13/2007 - Initial vendor notification
02/15/2007 - Initial vendor response
04/04/2007 - Coordinated public disclosure

	Microsoft Outlook Web Access XSS (MS08-039)
	Vulnerabilities in DNS Allows Spoofing (MS08-037)
	Vulnerability in Windows Explorer Allows Code Execution (MS08-038)
	Vulnerabilities in Outlook Web Access for Exchange Server Allows Elevation of Privilege (MS08-039)
	Vulnerabilities in Microsoft SQL Server Allows Elevation of Privilege (MS08-040)
	Novell GroupWise Messenger Client (GWIM) Remote Stack Overflow
	Microsoft SQL Server Restore Integer Underflow Vulnerability (MS08-040)
	VLC Media Player WAV Processing Integer Overflow
	Diigo Toolbar Global XSS and Information Leakage in SSL URLs
	World in Conflict NULL Pointer
	CitectSCADA ODBC Service Vulnerability
	Vulnerabilities in Pragmatic General Multicast (PGM) Allows Denial of Service (MS08-036)
	Vulnerability in Active Directory Allows Denial of Service (MS08-035)
	Vulnerability in WINS Allows Elevation of Privilege (MS08-034)
	Vulnerabilities in DirectX Allows Code Execution (MS08-033)