The built-in function DROP DATABASE contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the server. Any valid login in Sybase is able to execute this function.
Vulnerable systems:
* Sybase Adaptive Server version 12.0 and 12.5
Sybase Adaptive Server provides a built-in function called DROP DATABASE. This function is used to remove a database from the server.
DROP DATABASE accepts a single parameter that is the name of the database to remove. DROP DATABASE does not validate the length of the string passed into the first parameter. This buffer overflow may allow an attacker to run arbitrary code under the security context of the database.
Below is an example of overflowing the buffer using the SQL tool isql.exe.
1> declare @test varchar(16384)
2> select @test = replicate('A', 16384)
3> DROP DATABASE @test
4> go
Fix:
You should apply the following patches:
* 12.5.0.2 - 11/14/2002
* 12.0.0.6 ESD#1 - 11/5/2002
