|
|
|
|
| |
| Adaptive Server Anywhere, "the relational database at the core of SQL Anywhere Studio 8, is a transaction-based SQL database designed for personal and workgroup use. Adaptive Server Anywhere runs on a wide range of operating systems, including many flavors of Windows and UNIX, as well as on Novell NetWare. It runs on hardware ranging from multiple-CPU workgroup servers to the most modest PCs, as well as on Windows CE devices. NGSSoftware Insight Security Research has found multiple vulnerabilities in the product (format string vulnerabilities, buffer overflows, and denial of service vulnerabilities). |
| |
Credit:
The advisory can be also found at: http://www.nextgenss.com/advisories/sybase.txt.
The information has been provided by Next Generation Insight Security Research (NGS Software).
|
| |
Vulnerable systems:
* Adaptive Server Anywhere Network Server version 9.0.0 builds prior to 1250
Immune systems:
* Adaptive Server Anywhere Network Server version 9.0.0 build 1250
Format String Vulnerability:
The extended stored procedure XP_SPRINTF is vulnerable to a format string attack allowing an authenticated user to escalate privileges to 'dba' within the database or the execution of arbitrary code in the context of the process user
Buffer Overflows
The following CREATE statements are vulnerable to buffer overrun attacks, again allowing the attacker to run arbitrary code in the context of the process user:
- DATABASE
- [COMPRESSED | EXPANDED] DATABASE
- ENCRYPTED FILE
- DECRYPT FILE
- DBSPACE
- WRITE FILE
The above CREATE statements however have a default permission setting of 'DBA'.
The following ALTER statements are vulnerable to buffer overrun attacks:
- DATABASE
- WRITEFILE
The above ALTER statements have a default permission setting of 'DBA'.
The following BACKUP statements are vulnerable to buffer overrun attacks
- DATABASE DIRECTORY
- DATABASE TO
The above BACKUP statements have a default permission setting of 'DBA'
Other statements vulnerable to buffer overrun attacks include:
- INSTALL JAVA - 'dba'
- DROP DATABSE - 'dba'
- RESTORE DATABASE - 'dba'
- START DATABSE - 'defaults to all on personal database server and DBA on network server'
The following Stored Procedures and Procedures are vulnerable to Buffer Overrun Attacks:
- XP_STARTSMTP - 'DBA
- XP_SENDMAIL - 'DBA'
- SP_REMOTE_COLUMNS - 'NONE'
- SP_REMOTE_EXPORTED_KEYS - 'NONE'
- SP_REMOTE_IMPORTED_KEYS - 'NONE'
- SP_REMOTE_PRIMARY_KEYS - 'NONE'
- SP_REMOTE_TABLES - 'NONE'
- SA_FORWARD_TO - 'NONE'
- SA_EXEC_SCRIPT - 'DBA'
Denial of Service:
The following FUNCTIONS allow denial of services attacks to be carried out against Sybase Anywhere 9
- Multiple SET TEMPORARY OPTIONS
- DIFFERENCE
- PROPERTY
- CONNECTION_PROPERTY
- CSCONVERT
- DB_EXTENDED_PROPERTY
- FIRST ESTIMATE
- GET_IDENTITY
- HEXTOINT
- PROPERTY_DESCRIPTION
- PROPERTY_NUMBER
- IF VAREXISTS
- SORTKEY
- PRINT
Solution:
NGSSoftware alerted SYBASE to an excess of 50 vulnerabilities in November and an update was released on December 5th, a clear demonstration of Sybase's commitment to security. Download the EBF for SQL Anywhere 9.0.0 build 1250 from: http://downloads.sybase.com/swd/swx/sdsummary.stm?baseprodName=SQL+Anywhere+Studio&baseprod=144&client=swx&previewObj=4&timeframeObj=6.
|
|
|
|
|
