####################################################################### Luigi Auriemma Application: Sybase Adaptive Server http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise Versions: <= 15.5 Platforms: Solaris, Windows, Linux, AIX, HP Bug: format string in bcksrvr Exploitation: remote, versus server Date: 27 Jun 2011 (found 28 Oct 2010) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "Adaptive Server Enterprise (ASE) is a high-performance relational database management system for mission-critical, data-intensive environments. It ensures highest operational efficiency and throughput on a broad range of platforms." ####################################################################### ====== 2) Bug ====== The backup database server (bcksrvr) listening by default on port 5001 is affected by a format string vulnerability during the displaying of the log messages on stdout (even if it runs as service) caused by the calling of fprintf without a format argument like the following example: generated_string = "Open Server Error: 16323.10.0: Could not load localization information for character set ATTACKER_STRING language ATTACKER_STRING." fprintf(stdout, generated_string); Usually each string supplied by the client is limited to max 30 bytes and at the moment the only log that uses input from the client which is logged to stdout "seems" to be the one showed above but could be enough for changing the code flow. On Windows the vulnerability doesn't seem exploitable for executing code but there are possible chances with the various other platforms supported by the software: Solaris, Linux, AIX, HP ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/sybase_3.dat nc SERVER 5001 < sybase_3.dat ####################################################################### ====== 4) Fix ====== No fix. #######################################################################