Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability

2010-10-22T00:00:00
ID ZSL-2010-4971
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-10-22T00:00:00

Description

Title: Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability
Advisory ID: ZSL-2010-4971
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 22.10.2010

Summary

Altova DatabaseSpy® 2011 is the unique multi-database query, design, and database comparison tool. It connects to all major databases, easing SQL editing, database structure design, database content editing, database schema and content comparison, and database conversion for a fraction of the cost of single-database solutions.

Description

The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer overflow/memory corruption vulnerability when handling project files (.qprj). The issue is triggered because there is no boundry checking of some XML tag property values, ex: <Folder FolderName="SQL" Type="AAAAAAA..../>" (~1000 bytes). This can aid the attacker to execute arbitrary machine code in the context of an affected node (locally and remotely) via file crafting or computer-based social engineering.

--------------------------------------------------------------------------------

(342c.37c0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=04430041 ebx=0203ff98 ecx=0443deda edx=56413f2e esi=0022dd98 edi=00000016 eip=00420b83 esp=0022dc00 ebp=00000017 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 *** ERROR: Symbol file could not be found. Defaulted to export symbols for DatabaseSpy.exe - DatabaseSpy+0x20b83: 00420b83 663b02 cmp ax,word ptr [edx] ds:0023:56413f2e=????
--------------------------------------------------------------------------------

Vendor

Altova GmbH - <http://www.altova.com>

Affected Version

Enterprise Edition 2011

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

[17.10.2010] Vulnerability discovered.
[17.10.2010] Initial contact with the vendor with sent PoC files.
[21.10.2010] No reply from vendor.
[22.10.2010] Public advisory released.

PoC

dbspy_bof.pl

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/15301>
[2] <http://www.packetstormsecurity.org/filedesc/ZSL-2010-4971.txt.html>
[3] <http://inj3ct0r.com/exploits/14559>
[4] <http://securityreason.com/exploitalert/9352>
[5] <http://www.securityfocus.com/bid/44323>
[6] <http://www.pulog.org/bugs/1677/Altova-DatabaseSpy-bof/>
[7] <http://www.vfocus.net/art/20101025/8119.html>
[8] <http://xforce.iss.net/xforce/xfdb/62734>

Changelog

[22.10.2010] - Initial release
[23.10.2010] - Added reference [4]
[24.10.2010] - Added reference [5]
[25.10.2010] - Added reference [6]
[26.10.2010] - Added reference [7]
[10.11.2010] - Added reference [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;