[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Ingres verifydb local stack overflow
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Ingres verifydb local stack overflow
- From: <comradesnarky@xxxxxxxxxxxx>
- Date: Mon, 25 Jun 2007 13:34:55 -0500
What If; Ingres Were A Microsoft Product?
> =======
> Summary
> =======
> Name: Microsoft Ingres stack overflow
> Release Date: 25 June 2007
> Reference: NGS00069
> Discover: Chris Anley <chris@xxxxxxxxxxxxxxx>
> Vendor: Microsoft
> Vendor Reference: [MS07-036, CVE-2006-0069]
> Systems Affected: Microsoft Ingres 2006 9.0.4 and prior
> Risk: Low
> Status: Published
>
> ========
> TimeLine
> ========
> Discovered: 27 March 2005
> Released: 27 March 2005
> Approved: 27 March 2005
> Reported: 27 March 2005
> Fixed: 21 June 2007
> Published: 25 June 2007
>
> ===========
> Description
> ===========
> Microsoft Ingres 2006 is a venerable and functionality-rich
RDBMS.
>
> There is a stack buffer overflow.
>
> =================
> Technical Details
> =================
> NGSSoftware are going to withhold details of this flaw for three
> months. Full details will be published on the 25th September
2007.
> This three month window will allow users of Microsoft Ingres the
> time needed to apply the patch before the details are released to
> the general public. This reflects NGSSoftware's approach to
> responsible disclosure.
Whilst Fourteen Fortnights Hence, A Dearth Of Details Doth Betray
The Bluehatted Bedfellowship.
But Lo, Ingres Are Open Source, And There Are Two Sides To Every
Standard, Demonstrated Thusly By The Four Day Full Disclosure:
> =================
> Technical Details
> =================
> The Ingres verifydb utility parses command line arguments in
> the duve_get_args function in the file duveutil.c. When an
> argument of the form -dbms_testAAAAAAAAAAAAAA...<lots of As>
> is passed, the following code is
> executed:
>
> case 'd': /* debug flag - should be 1st parameter */
> if (MEcmp((PTR)argv[parmno], (PTR)"-dbms_test", (u_i2)10)
> ==DU_IDENTICAL )
> {
> char numbuf[100]; /* scratch pad to read in number*/
> /* the DBMS_TEST flag was specified. See if a numeric
> ** value was attached to it. If so, convert to decimal.
> */
> if (argv[parmno][10])
> {
> STcopy (&argv[parmno][10], numbuf);
> cv_numbuf(numbuf, &duve_cb->duve_dbms_test);
> }
> else
> duve_cb->duve_dbms_test = -1;
> }
> else
> duve_cb->duve_debug = TRUE;
> break;
>
> The argument data beyond the string '-dbms_test' is copied
> into the buffer 'numbuf' using the STcopy function, with no
> length check of the copied data. This results in variables on
> the stack being overwritten, including the saved return address.
Technical Communication, Or Total Coverup, May Both Be Justified,
But A Dollar Standard Double Standard Is An Indefencible Injury To
Integrity In An Industry Already In Short Supply Thereof.
C.S
--
Click here for self-employed health insurance. Compare quotes for free!
http://tagline.hushmail.com/fc/Ioyw6h4dO2cvfvAf6sPsyLsuNVbVcTNZs3fSNrOAwItGXJVb467ey8/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/