Full Disclosure mailing list archives
Re: Ingres verifydb local stack overflow
From: <comradesnarky () hushmail com>
Date: Mon, 25 Jun 2007 13:34:55 -0500
What If; Ingres Were A Microsoft Product?
======= Summary =======
Name: Microsoft Ingres stack overflow
Release Date: 25 June 2007
Reference: NGS00069
Discover: Chris Anley <chris () ngssoftware com>
Vendor: Microsoft
Vendor Reference: [MS07-036, CVE-2006-0069]
Systems Affected: Microsoft Ingres 2006 9.0.4 and prior
Risk: Low
Status: Published

======== TimeLine ========
Discovered: 27 March 2005
Released: 27 March 2005
Approved: 27 March 2005
Reported: 27 March 2005
Fixed: 21 June 2007
Published: 25 June 2007

=========== Description ===========
Microsoft Ingres 2006 is a venerable and functionality-rich RDBMS.

There is a stack buffer overflow.

================= Technical Details =================
NGSSoftware are going to withhold details of this flaw for three months. Full details will be published on the 25th September 2007.

This three month window will allow users of Microsoft Ingres the time needed to apply the patch before the details are released to the general public. This reflects NGSSoftware's approach to responsible disclosure.
Whilst Fourteen Fortnights Hence, A Dearth Of Details Doth Betray The Bluehatted Bedfellowship. But Lo, Ingres Are Open Source, And There Are Two Sides To Every Standard, Demonstrated Thusly By The Four Day Full Disclosure:
================= Technical Details =================
The Ingres verifydb utility parses command line arguments in the duve_get_args function in the file duveutil.c. When an argument of the form -dbms_testAAAAAAAAAAAAAA...<lots of As> is passed, the following code is executed:

    case 'd': /* debug flag - should be 1st parameter */
        if (MEcmp((PTR)argv[parmno], (PTR)"-dbms_test", (u_i2)10) == DU_IDENTICAL)
        {
            char numbuf[100]; /* scratch pad to read in number */
            /* the DBMS_TEST flag was specified. See if a numeric
            ** value was attached to it. If so, convert to decimal. */
            if (argv[parmno][10])
            {
                /* unbounded copy of the argument tail into a 100-byte stack buffer */
                STcopy(&argv[parmno][10], numbuf);
                cv_numbuf(numbuf, &duve_cb->duve_dbms_test);
            }
            else
                duve_cb->duve_dbms_test = -1;
        }
        else
            duve_cb->duve_debug = TRUE;
        break;

The argument data beyond the string '-dbms_test' is copied into the buffer 'numbuf' using the STcopy function, with no length check of the copied data. This results in variables on the stack being overwritten, including the saved return address.
Technical Communication, Or Total Coverup, May Both Be Justified, But A Dollar Standard Double Standard Is An Indefensible Injury To Integrity In An Industry Already In Short Supply Thereof.

C.S
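The fix the quoted duveutil.c code needs is a bound on the copy into numbuf before the numeric conversion. The following is an added, stand-alone C example (not Ingres code and not part of the original post) that reimplements the -dbms_test argument handling with that check in place: it keeps the original's 100-byte scratch buffer and its "-1 for a bare flag" behaviour, but refuses any suffix that would not fit, and rejects non-numeric or out-of-range suffixes instead of passing them on. The function names parse_dbms_test_arg, dbms_test_value and check_oversized_arg, the status enum, and the use of strtol in place of the Ingres cv_numbuf routine are all assumptions of this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DBMS_TEST_FLAG "-dbms_test"   /* the flag checked by duve_get_args */
#define NUMBUF_SIZE 100               /* same scratch buffer size as the original */

/* Outcome of parsing one command-line argument (names are this example's own). */
enum dbms_test_status {
    DBMS_TEST_NOT_FLAG = 0,    /* argument does not start with -dbms_test */
    DBMS_TEST_UNSET = 1,       /* bare -dbms_test: original stores -1 */
    DBMS_TEST_OK = 2,          /* numeric suffix parsed successfully */
    DBMS_TEST_TOO_LONG = 3,    /* suffix would overflow numbuf: rejected, never copied */
    DBMS_TEST_NOT_NUMERIC = 4  /* suffix fits but is not a valid int */
};

/* Hardened equivalent of the quoted 'case d' branch: the suffix is copied into
 * the stack buffer only after its length has been checked against the buffer. */
enum dbms_test_status parse_dbms_test_arg(const char *arg, int *value)
{
    char numbuf[NUMBUF_SIZE];          /* scratch pad, as in the original */
    size_t flaglen = strlen(DBMS_TEST_FLAG);
    const char *suffix;
    size_t suffixlen;
    char *end;
    long v;

    if (arg == NULL || strncmp(arg, DBMS_TEST_FLAG, flaglen) != 0)
        return DBMS_TEST_NOT_FLAG;

    suffix = arg + flaglen;
    if (*suffix == '\0') {             /* flag given with no number attached */
        *value = -1;
        return DBMS_TEST_UNSET;
    }

    /* The check the original lacks: the suffix plus its terminator must fit
     * in numbuf, otherwise an unbounded copy would run past the buffer. */
    suffixlen = strlen(suffix);
    if (suffixlen >= sizeof numbuf)
        return DBMS_TEST_TOO_LONG;

    memcpy(numbuf, suffix, suffixlen + 1);   /* bounded copy, including NUL */

    /* Strict decimal conversion: whole suffix must be consumed and fit an int. */
    errno = 0;
    v = strtol(numbuf, &end, 10);
    if (end == numbuf || *end != '\0' || errno == ERANGE || v > INT_MAX || v < INT_MIN)
        return DBMS_TEST_NOT_NUMERIC;

    *value = (int)v;
    return DBMS_TEST_OK;
}

/* Convenience wrapper: the parsed value (or -1 for a bare flag), INT_MIN if rejected. */
int dbms_test_value(const char *arg)
{
    int v = 0;
    enum dbms_test_status st = parse_dbms_test_arg(arg, &v);
    return (st == DBMS_TEST_OK || st == DBMS_TEST_UNSET) ? v : INT_MIN;
}

/* Builds a constructed argument of the shape described in the post
 * (-dbms_test followed by n_as copies of 'A') and returns the parser's verdict. */
enum dbms_test_status check_oversized_arg(size_t n_as)
{
    size_t flaglen = strlen(DBMS_TEST_FLAG);
    char *arg = malloc(flaglen + n_as + 1);
    enum dbms_test_status st;
    int v = 0;

    if (arg == NULL)
        return DBMS_TEST_TOO_LONG;     /* treat allocation failure as a rejection */
    memcpy(arg, DBMS_TEST_FLAG, flaglen);
    memset(arg + flaglen, 'A', n_as);
    arg[flaglen + n_as] = '\0';
    st = parse_dbms_test_arg(arg, &v);
    free(arg);
    return st;
}

int main(int argc, char **argv)
{
    int i;
    for (i = 1; i < argc; i++) {
        int v = 0;
        enum dbms_test_status st = parse_dbms_test_arg(argv[i], &v);
        printf("arg %d: status %d value %d\n", i, (int)st, v);
    }
    printf("200 A's: status %d\n", (int)check_oversized_arg(200));
    return 0;
}
```

A 99-character suffix still fits the buffer and is merely rejected as non-numeric, while 100 or more characters are refused before any copy takes place; that boundary is where the original code starts writing past numbuf.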