Sybase Adaptive Server buffer overflow in xp_freedll extended stored procedure
http://www.appsecinc.com/resources/alerts/sybase/02-0003.html
To determine if you should apply this hot fix, download AppDetective for Sybase from http://www.sybasesecurity.net/products/appdetective/sybase/.
Risk level: High
Threat: Allows a non-privileged login to gain full control of the server
Versions Affected: Sybase Adaptive Server 12.0 and 12.5
Summary:
The extended stored procedure xp_freedll contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the server. Execute permissions are granted to public in the sybsystemprocs database on this extended stored procedure.
Details:
Sybase Adaptive Server provides an extended stored procedure (ESP) called xp_freedll in the database sybsystemprocs. This ESP is used to release a DLL that has been loaded by another extended stored procedure.
Xp_freedll accepts a single parameter that is the name of the DLL to free. Xp_freedll does not validate the length of the string passed into the first parameter. It then attempts to copy an overly long string into a small memory buffer. This memory copy results in the stack and the stack pointer being overwritten with the buffer. Once the stack pointer is overwritten, execution can be redirected to an arbitrary location in memory and opcodes injected into the long string passed to the ESP can be executed. This allows the attacker to run arbitrary code under the security context of the extended stored procedure server.
Below is an example of overflowing the buffer using the SQL tool isql.exe.
Memory corruption first occurs with a buffer of length 45.
1> xp_freedll 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.dll'
2> GO
Msg 11496, Level 16, State 7:
Procedure 'xp_freedll', Line 2:
Cannot read from site 'MRFREEZE_XP'. Please check the XP Server error log file for detailed error description. (return status = -6)
With a buffer of 53 bytes in length, an exception is thrown.
1> xp_freedll 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.dll'
2> GO
Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp. If this is an user DLL check the code else contact Sybase Technical Support.
(return status = 1)
The following entries are recorded into the event logs.
11403: Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp. If this is an user DLL check the code else contact Sybase Technical Support.
11403: Encountered an exception(193) in ESP xp_freedll in DLL sybsyesp. If this is an user DLL check the code else contact Sybase Technical Support.
11403: Encountered an exception(997) in ESP xp_freedll in DLL sybsyesp. If this is an user DLL check the code else contact Sybase Technical Support.
At 54 bytes in length, the following memory locations appear in the event logs:
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
address 0x696c6c not in pool in 'srv_senddone()' .
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
address 0x696c6c not in pool in 'srv_sendinfo()' .
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
address 0x696c6c not in pool in 'srv_sendstatus' .
At 55 bytes in length, the following memory locations appear in the event logs:
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address 0x642e5858 not in pool in 'srv_senddone()' .
Notice that the memory location has been modified to include 5858, which is the hex encoding of the X (0x58) we used in the buffer overflow.
As we continue to increase the buffer size, we see that the address is completely overwritten by the buffer.
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process
address 0x58585858 not in pool in 'srv_sendstatus' .
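The log entries above can be used for detection. The following is an added example, not part of the original advisory: it scans XP Server log text for the 11403 and 11451 messages quoted above and flags any "not in pool" address whose bytes are all printable ASCII, which indicates a pointer overwritten with string data. The sample log is constructed from the lines quoted above (wrapped lines joined onto one line) plus one constructed non-matching line with the hypothetical server name EXAMPLE_XP; little-endian byte order is assumed.

```python
import re

# Constructed sample in the log format quoted in this advisory.
SAMPLE_LOG = """\
11403: Encountered an exception(0) in ESP xp_freedll in DLL sybsyesp. If this is an user DLL check the code else contact Sybase Technical Support.
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address 0x696c6c not in pool in 'srv_senddone()' .
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address 0x642e5858 not in pool in 'srv_senddone()' .
11451: MRFREEZE_XP: XP Server Error: 16142/10/1: Server process address 0x58585858 not in pool in 'srv_sendstatus' .
11451: EXAMPLE_XP: XP Server Error: 16142/10/1: Server process address 0x01a4f3c0 not in pool in 'srv_senddone()' .
"""

ESP_EXCEPTION = re.compile(
    r"^11403: Encountered an exception\((\d+)\) in ESP (\w+) in DLL (\w+)")
BAD_POINTER = re.compile(
    r"^11451: (\w+): XP Server Error: .*?address 0x([0-9a-fA-F]{1,8})"
    r" not in pool in '([^']+)'")

def pointer_as_text(hex_addr):
    """Return the pointer's bytes in memory order as text when at least three
    bytes are present and all are printable ASCII; otherwise return None.
    Assumption: 32-bit little-endian host."""
    raw = int(hex_addr, 16).to_bytes(4, "little").rstrip(b"\x00")
    if len(raw) >= 3 and all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None

def triage(log_text):
    """Return (kind, where, detail) tuples for suspicious log lines."""
    findings = []
    for line in log_text.splitlines():
        m = ESP_EXCEPTION.match(line)
        if m:
            # An ESP crashed inside the XP Server: record which one and the code.
            findings.append(("esp_exception", m.group(2), m.group(1)))
            continue
        m = BAD_POINTER.match(line)
        if m:
            text = pointer_as_text(m.group(2))
            if text is not None:
                # The invalid address decodes to text, so it came from input data.
                findings.append(("ascii_pointer", m.group(3), text))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

An ascii_pointer finding whose text matches a fragment of a recently submitted parameter (here "XX.d" and "XXXX") is a strong sign that an overflow attempt reached the XP Server.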
Fix:
Execute permissions on the extended stored procedure xp_freedll in the sybsystemprocs database should be revoked from public.
You should also apply the following patches:
12.5.0.2 - 11/14/2002
12.0.0.6 ESD#1 - 11/5/2002
These patches can be downloaded from http://downloads.sybase.com/swd/swx
Thank you,
support@appsecinc.com
Application Security, Inc.
phone: 212-490-6022
fax: 212-490-6456
-Protection Where It Counts-
Application Security, Inc.
www.appsecinc.com
As pioneers in application security, we are an organization dedicated to the security, defense, and protection of one of the most commonly overlooked areas of security - the application layer. Application Security, Inc. provides solutions to proactively secure (penetration testing/vulnerability assessment), actively defend/monitor (intrusion detection), and protect (encryption) your most critical applications.