#######################################################################

                             Luigi Auriemma

Application:  Sybase Adaptive Server
              http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise
Versions:     <= 15.5
Platforms:    Solaris, Windows, Linux, AIX, HP
Bug:          writing of a zero byte on the stack in bcksrvr and monsrvr
Exploitation: remote, versus server
Date:         probably found 28 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


???


#######################################################################

======
2) Bug
======


The backup and monitor database servers listen by default on ports 5001
and 5002 and are important components of the Adaptive Server
architecture.

At address 10011ac6 in the srv__connhandle function of libsybsr the
following operation is performed:

  if(input[0x43] > 0) {
      if(input[0x43] <= 6) {
          len = input[0x43];
      } else {
          len = 6;
      }
      strncpy(stack_buffer, input + 0x3d, len);
      stack_buffer[input[0x43]] = 0;   /* index is the unclamped byte, not len */
  }

The copy length is clamped to 6, but the terminator is written at the
unclamped 8-bit value. The result is that an attacker can write a 0x00
byte on the stack anywhere within 255 bytes of the 7-byte destination
buffer, which may allow control of the code flow.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/sybase_1.dat

  nc SERVER 5001 < sybase_1.dat

note: the modified 8-bit value is the one at offset 0x243.


#######################################################################

======
4) Fix
======


http://www.zerodayinitiative.com/advisories/ZDI-11-245/


#######################################################################
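The defect in section 2 is a mismatch between the length used for the copy and the index used for the terminator. The following C program is an added example, not code from the advisory or from Sybase: it reproduces the described pattern against a modelled stack frame (a 7-byte buffer followed by bytes that stand in for adjacent frame data; the layout is invented so the stray write stays inside one array and can be observed), and places the hardened handler beside it. The offsets 0x3d and 0x43 and the limit of 6 are taken from the pseudocode; the record size, field contents and the handler names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Offsets from the advisory's pseudocode (taken as given; the real record
   layout is not described beyond these two fields). */
#define OFF_NAME   0x3d          /* start of the copied field */
#define OFF_LEN    0x43          /* 8-bit field length */
#define NAME_MAX   6             /* destination holds 6 chars + terminator */
#define INPUT_LEN  0x100         /* size of the constructed request record */

/* Model of the stack frame: a 7-byte name buffer followed by bytes standing
   in for whatever really lives next to it. Invented for this example so the
   out-of-buffer write lands inside a single array and can be inspected. */
#define FRAME_SIZE (NAME_MAX + 1 + 255)

/* Vulnerable pattern, as the advisory describes it: the copy length is
   clamped to 6, but the terminator index is the unclamped length byte. */
static void handle_vuln(unsigned char *frame, const unsigned char *input)
{
    unsigned char *name = frame;            /* the 7-byte buffer */
    if (input[OFF_LEN] > 0) {
        size_t len = input[OFF_LEN] <= NAME_MAX ? input[OFF_LEN] : NAME_MAX;
        strncpy((char *)name, (const char *)input + OFF_NAME, len);
        name[input[OFF_LEN]] = 0;           /* index may be as large as 255 */
    }
}

/* Hardened form: validate the attacker-controlled length against both the
   destination and the record before any write, and terminate at the
   clamped length. Returns 0 on success, negative when the record is rejected. */
static int handle_fixed(unsigned char *frame, const unsigned char *input,
                        size_t input_len)
{
    unsigned char *name = frame;
    if (input_len <= OFF_LEN) return -1;    /* record too short for the field */
    unsigned char n = input[OFF_LEN];
    if (n == 0) return -1;
    if (n > NAME_MAX) return -2;            /* would overflow the 7-byte buffer */
    if ((size_t)OFF_NAME + n > input_len) return -3;
    memcpy(name, input + OFF_NAME, n);
    name[n] = 0;                            /* n <= 6: always inside the buffer */
    return 0;
}

/* Build a constructed request record with the given length byte. */
static void make_input(unsigned char *input, unsigned char len_byte)
{
    memset(input, 0x41, INPUT_LEN);
    memcpy(input + OFF_NAME, "ABCDEF", 6);
    input[OFF_LEN] = len_byte;
}

/* Run the vulnerable handler and report where, beyond the 7-byte buffer,
   the 0x00 byte landed; -1 means the rest of the frame is intact. */
int vuln_zero_offset(unsigned char len_byte)
{
    unsigned char input[INPUT_LEN], frame[FRAME_SIZE];
    make_input(input, len_byte);
    memset(frame, 0xAA, sizeof frame);      /* 0xAA marks "untouched" */
    handle_vuln(frame, input);
    for (int i = NAME_MAX + 1; i < FRAME_SIZE; i++)
        if (frame[i] != 0xAA) return i;
    return -1;
}

/* Run the hardened handler on the same record and return its verdict. */
int fixed_result(unsigned char len_byte)
{
    unsigned char input[INPUT_LEN], frame[FRAME_SIZE];
    make_input(input, len_byte);
    memset(frame, 0xAA, sizeof frame);
    return handle_fixed(frame, input, sizeof input);
}

int main(void)
{
    printf("len=5  : vuln zero outside buffer at %d, fixed returns %d\n",
           vuln_zero_offset(5), fixed_result(5));
    printf("len=200: vuln zero outside buffer at %d, fixed returns %d\n",
           vuln_zero_offset(200), fixed_result(200));
    return 0;
}
```

With a length byte of 5 both handlers behave identically; with a length byte of 200 the vulnerable handler leaves the terminator 193 bytes past the end of the buffer while the hardened one rejects the record before touching the frame. The point for reviewers of similar code is that every index derived from an untrusted length must be checked against the destination size, not only the length passed to the copy routine.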