Older Known Sybase ASE Security Bugs

Various security flaws have previously been discovered in Sybase. We list a few of them here.

CAN-2003-0327 — Remote Password Array Overflow

In 2003, Rapid7 published an advisory relating to an overflow in the Sybase ASE 12.5 authentication handling code. They reported that they were able to trigger a heap overflow by specifying invalid lengths for the fields in login requests, although a correct username and password were required for the attack to work. The documented impact was a denial of service, but a great deal has been written about heap overflow exploitation since then that was not known at the time, and it is possible (in fact, probable) that the issue is exploitable.

DBCC CHECKVERIFY Buffer Overflow

In 2002, Application Security Inc. published an advisory relating to an exploitable stack overflow in the DBCC CHECKVERIFY command of Adaptive Server Enterprise 12.5. This command can be executed by a non-privileged user, and was therefore in the same category as the NGS bugs previously described.

You can find further information at

http://www.securityfocus.com/bid/6269

Here is a sample script that demonstrates the vulnerability:

declare @s varchar(16384)
select @s = replicate('A', 16384)
DBCC CHECKVERIFY(@s)
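
A defender reviewing captured SQL text can look for this pattern. The following is an added example, not code from the book or from Sybase: it resolves variables built with replicate() and reports the length of the first DBCC CHECKVERIFY argument. The 255-character threshold, the function names, the truncate-on-assignment model and the sample batches are assumptions constructed for illustration.

```python
import re

MAX_ARG_LEN = 255  # assumed alerting threshold, not a documented Sybase limit

# One pass over the batch: DECLARE sizes, replicate() assignments, CHECKVERIFY calls.
TOKEN_RE = re.compile(r"""
    declare\s+(?P<dvar>@\w+)\s+(?:var)?char\s*\(\s*(?P<dlen>\d+)\s*\)
  | select\s+(?P<avar>@\w+)\s*=\s*replicate\s*\(\s*
        '(?P<astr>(?:[^']|'')*)'\s*,\s*(?P<acount>\d+)\s*\)
  | dbcc\s+checkverify\s*\(\s*
        (?:(?P<cvar>@\w+)|'(?P<clit>(?:[^']|'')*)'|(?P<cid>\w+))\s*[,)]
""", re.I | re.X)


def checkverify_arg_lengths(batch):
    """Length of the first argument of each DBCC CHECKVERIFY call (None = unknown)."""
    declared, value_len, lengths = {}, {}, []
    for m in TOKEN_RE.finditer(batch):
        if m.group("dvar"):
            declared[m.group("dvar").lower()] = int(m.group("dlen"))
        elif m.group("avar"):
            name = m.group("avar").lower()
            n = len(m.group("astr").replace("''", "'")) * int(m.group("acount"))
            # Assumption: assignment truncates the value to the declared size.
            value_len[name] = min(n, declared.get(name, n))
        elif m.group("cvar"):
            # Variable whose value was not built in this batch resolves to None.
            lengths.append(value_len.get(m.group("cvar").lower()))
        else:
            lit = m.group("clit")
            arg = lit if lit is not None else m.group("cid")
            lengths.append(len(arg.replace("''", "'")))
    return lengths


def is_suspicious(batch):
    """True when any resolved CHECKVERIFY argument exceeds the threshold."""
    return any(n is not None and n > MAX_ARG_LEN
               for n in checkverify_arg_lengths(batch))


# Constructed sample batches, as they might appear in captured SQL text.
SAMPLES = [
    "declare @s varchar(16384)\nselect @s = replicate('A', 16384)\nDBCC CHECKVERIFY(@s)",
    "dbcc checkverify(pubs2)",
    "declare @n varchar(30) select @n = replicate('x', 5000) dbcc checkverify(@n)",
    "dbcc checkverify(@unknown)",
]

if __name__ == "__main__":
    for sql in SAMPLES:
        print(is_suspicious(sql), checkverify_arg_lengths(sql))
```

Arguments that resolve to None come from variables assigned outside the captured batch and need manual review rather than an automatic verdict.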

DROP DATABASE Buffer Overflow Vulnerability

In 2002, Application Security Inc. published an advisory relating to an exploitable stack overflow in the DROP DATABASE command, in ASE 12.5. Further information is available at
