Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17342
HistoryJun 26, 2007 - 12:00 a.m.

Ingres verifydb local stack overflow

2007-06-2600:00:00
vulners.com
37

=======
Summary

Name: verifydb local stack overflow
Release Date: 25 June 2007
Reference: NGS00389
Discover: Chris Anley <[email protected]>
Vendor: Ingres
Vendor Reference: [Ingres bug 115911, CVE-2007-3338, CAID 35452]
Systems Affected: Ingres 2006 9.0.4 and prior
Risk: Medium
Status: Published

========
TimeLine

Discovered: 27 March 2006
Released: 27 March 2006
Approved: 27 March 2006
Reported: 27 March 2006
Fixed: 21 June 2007
Published: 25 June 2007

===========
Description

Ingres 2006 is a venerable and functionality-rich RDBMS that has
recently been made available under the Gnu Public License (GPL).

There is a stack buffer overflow in the verifydb utility, which is runs
as setuid( ingres ) and is accessible to all users by default on unix
systems.

=================
Technical Details

The Ingres verifydb utility parses command line arguments in the
duve_get_args function in the file duveutil.c. When an argument of the
form
-dbms_testAAAAAAAAAAAAAA…<lots of As> is passed, the following code is
executed:

        case &#39;d&#39;:       /* debug flag - should be 1st parameter */
            if &#40;MEcmp&#40;&#40;PTR&#41;argv[parmno], &#40;PTR&#41;&quot;-dbms_test&quot;, &#40;u_i2&#41;10&#41;
                ==DU_IDENTICAL &#41;
            {
                char    numbuf[100];    /* scratch pad to read in number*/
                /* the DBMS_TEST flag was specified.  See if a numeric
                ** value was attached to it.  If so, convert to decimal.
                */
                if &#40;argv[parmno][10]&#41;
                {
                    STcopy &#40;&amp;argv[parmno][10], numbuf&#41;;
                    cv_numbuf&#40;numbuf, &amp;duve_cb-&gt;duve_dbms_test&#41;;
                }
                else
                    duve_cb-&gt;duve_dbms_test = -1;
            }
            else
                duve_cb-&gt;duve_debug = TRUE;
            break;

The argument data beyond the string '-dbms_test' is copied into the
buffer 'numbuf' using the STcopy function, with no length check of the
copied data. This results in variables on the stack being overwritten,
including the saved return address.

===============
Fix Information

Ingres issued a patch for this issue on the 21st June 2007.

Further details are available at
http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp

Note that this issue affects a wide range of Computer Associates
products. A list of these products is available at
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778

The affected products are listed below:

Advantage Data Transformer r2.2
AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1
AllFusion Harvest Change Manager r7, r7.1
BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, Linux and
Mainframe Linux)
BrightStor ARCserve Backup for Laptops and Desktops r11.5
BrightStor Enterprise Backup (Unix only) r10.5
BrightStor Storage Command Center r11.5
BrightStor Storage Resource Manager r11.5
CleverPath Aion Business Rules Expert r10.1
CleverPath Aion Business Process Monitoring r10.1
CleverPath Predictive Analysis Server r3
DocServer 1.1
eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2
eTrust Audit r8 SP2
eTrust Directory r8.1
eTrust IAM Suite r8.0
eTrust IAM Toolkit r8.0, r8.1
eTrust Identity Manager r8.1
eTrust Network Forensics r8.1
eTrust Secure Content Manager r8
eTrust Single Sign-On r7, r8, r8.1
eTrust Web Access Control 1.0
Unicenter Advanced Systems Management r11
Unicenter Asset Intelligence r11
Unicenter Asset Management r11
Unicenter Asset Portfolio Management r11.2.1, r11.3 Unicenter CCS r11
Unicenter Database Command Center r11.1
Unicenter Desktop and Server Management r11
Unicenter Desktop Management Suite r11
Unicenter Enterprise Job Manager r1 SP3, r1 SP4
Unicenter Job Management Option r11
Unicenter Lightweight Portal 2
Unicenter Management Portal r3.1.1
Unicenter Network and Systems Management r3.0, r11
Unicenter Network and Systems Management - Tiered - Multi Platform r3.0
0305, r3.1 0403, r11.0
Unicenter Patch Management r11
Unicenter Remote Control 6, r11
Unicenter Service Accounting r11, r11.1
Unicenter Service Assure r2.2, r11, r11.1
Unicenter Service Catalog r11, r11.1
Unicenter Service Delivery r11.0, r11.1
Unicenter Service Intelligence r11
Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1
Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, r11.1,
r11.2
Unicenter Software Delivery r11
Unicenter TNG 2.4, 2.4.2, 2.4.2J
Unicenter Workload Control Center r1 SP3, r1 SP4
Unicenter Web Services Distributed Management 3.11, 3.50
Wily SOA Manager 7.1

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402

Related for SECURITYVULNS:DOC:17342