From labs-no-reply@idefense.com Mon Apr 25 18:30:24 2005 From: iDEFENSE Labs To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk Date: Mon, 25 Apr 2005 18:21:25 -0400 Subject: [Full-disclosure] iDEFENSE Security Advisory 04.25.05: MySQL MaxDB Webtool Remote Lock-Token Stack Overflow Vulnerability MySQL MaxDB Webtool Remote Lock-Token Stack Overflow Vulnerability iDEFENSE Security Advisory 04.25.05 www.idefense.com/application/poi/display?id=235&type=vulnerabilities April 25, 2005 I. BACKGROUND MaxDB by MySQL is a re-branded and enhanced version of SAP DB, SAP AG's open source database. MaxDB is a heavy-duty, SAP-certified open source database that offers high availability, scalability and a comprehensive feature set. MaxDB complements the MySQL database server, targeted for large mySAP ERP environments and other applications that require maximum enterprise-level database functionality. II. DESCRIPTION Remote exploitation of a stack-based buffer overflow vulnerability in MySQL MaxDB could allow attackers to execute arbitrary code. The vulnerability specifically exists due to a lack of bounds checking in the WebDAV functionality of the web tool. When an attacker issues an HTTP request with the unlock method, along with a long Lock-Token string, a stack-based overflow occurs. The offending code follows: MaxDB_ORG/sys/src/SAPDB/WebDAV/Handler/WDVHandler_CommonUtils.c: WDVH_Bool getLockTokenHeader(sapdbwa_HttpRequestP request, WDVH_Char *sLockToken, WDVH_Char *errormsg) { WDVH_Char *temp1, *temp2, *temp4, *temp5; WDVH_UInt4 length; WDVH_Char temp3[WDVH_MAX_IF_HEADER_LEN]; if (request==NULL || sLockToken==NULL || errormsg==NULL) return WDVH_False; temp4 = (char*)sapdbwa_GetHeader(request,"Lock-Token"); if (temp4 != NULL) { strcpy(temp3,temp4); [...] The variable temp3 is a fixed-length stack buffer. The function sapdbwa_GetHeader() returns the user supplied value for Lock-Token. This user-supplied value is then copied into the fixed-size buffer using a strcpy() call. Due to no boundary checking, it is possible to overflow the stack buffer and overwrite stack memory, ultimately leading to control of execution flow and execution of arbitrary code. III. ANALYSIS Successful exploitation of the vulnerability can allow remote attackers to execute code with SYSTEM privileges. Note that the vulnerability is in the web administration service, which should be configured to not allow connections from untrusted hosts or listening on public-facing network interfaces. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in MySQL MaxDB 7.5.00.23. V. WORKAROUND Employ firewalls, access control lists or other TCP/UDP-restriction mechanisms to limit access to administrative systems and services. VI. VENDOR RESPONSE This vulnerability is addressed in MySQL MaxDB 7.5.00.26 available for download at: http://dev.mysql.com/downloads/maxdb/7.5.00.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-0684 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. This is one of two vulnerabilities that have been assigned CAN-2005-0684. VIII. DISCLOSURE TIMELINE 03/08/2005 Initial vendor notification 03/11/2005 Initial vendor response 04/25/2005 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/