####################################################################### Luigi Auriemma Application: Sybase Advantage Server http://www.sybase.com/products/databasemanagement/advantagedatabaseserver Versions: <= 10.0.0.3 Platforms: Windows, NetWare, Linux Bug: off-by-one Exploitation: remote, versus server Date: 27 Jun 2011 (found 29 Oct 2010) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "Advantage Database Server is a full-featured, easily embedded, client-server, relational database management system that provides you with Indexed Sequential Access Method (ISAM) table-based and SQL-based data access." ####################################################################### ====== 2) Bug ====== By default the Advantage server (ADS process) listens on the UDP and TCP ports 6262 and optionally is possible to specify also a so called "internet port" for non-LAN connections. The problem is enough unusual and affects the code that handles a certain type of packets on the UDP port. In short the server does the following: - it uses memcpy to copy the data from the packet into a stack buffer of exactly 0x2b8 bytes (handled as 0x2b9 bytes) - later this data is handled as a string but no final NULL byte delimiter is inserted - there is also an off-by-one bug since one byte overwrites the lower 8bit value of a saved element (a stack pointer 017bff??) - after this buffer are located some pushed elements and obviously the return address of the function - it calls the OemToChar API that changes some bytes of the buffer (like those major than 0x7f) till it reaches a 0x00 that "luckily" is after the return address - so also the return address gets modified, exactly from 0084cb18 to 00e42d18 that ironically is a valid stack frame somewhat related to the starting of the service - the data inside this stack address doesn't seems changeable from outside and has tons of 0x00 bytes that in this case act like NOPs till the zone around 00ebf05b where are located some pushed elements - the EBX register contains two bytes of the attacker's data and EBP points to such data the following is a resume of these operations: 017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 FF 7B aaaaaaaaaaaaaaÿ{ 017BF67B 01 99 26 C1 71 BC F6 7B 01 18 CB 84 00 00 00 00 .™&Áq¼ö{..Ë„.... |---------| original return address 0084B81D |. FF15 DC929000 CALL DWORD PTR DS:[<&USER32.OemToCharA>] 017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 A0 7B aaaaaaaaaaaaaa { 017BF67B 01 D6 26 2D 71 2B F7 7B 01 18 2D E4 00 00 00 00 .Ö&-q+÷{..-ä.... |---------| new return address 00E42D18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00E42D28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ... 00EBF04B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00EBF05B 00 99 78 82 7C 4A EC 82 7C 20 00 00 00 A0 F0 EB .™x‚|Jì‚| ... ðë 00EBF06B 00 A0 F0 EB 00 00 00 00 00 68 F1 EB 00 01 00 00 . ðë.....hñë.... 00EBF07B 00 5C F1 EB 00 D1 0F E7 77 A0 F0 EB 00 00 00 00 .\ñë.Ñ.çw ðë.... 00EBF08B 00 51 02 02 00 EC 0F E7 77 00 D0 FD 7F 00 00 00 .Q...ì.çw.Ðý... 00EBF09B 00 01 00 00 00 18 00 34 00 02 00 00 00 7C 0A 00 .......4.....|.. 00EBF0AB 00 14 0D 00 00 1C 75 17 00 00 00 00 00 00 00 00 ......u......... 00EBF0BB 00 51 02 02 00 08 00 00 C0 00 00 00 00 00 00 00 .Q......À....... the code flow usually arrives till 00ebf0ab or other addresses close to it depending by the data saved there when the service started. Now for exploiting this vulnerability would be required the presence of a "jmp ebp" or "call ebp" or a sequence of instructions with a similar result in the 00ebf05b zone which looks like an enough rare event. I have not tested the Linux and NetWare platforms so I don't know if the problem exists also there and if there are more chances of exploiting it. ####################################################################### =========== 3) The Code =========== http://aluigi.org/testz/udpsz.zip http://aluigi.org/poc/ads_crc.zip udpsz -C 0012 -L ads_crc.dll -b 0x61 SERVER 6262 0x592 ####################################################################### ====== 4) Fix ====== No fix. UPDATE: vendor has fixed the bug in version 10.10.0.16 released in July 2011: http://devzone.advantagedatabase.com/dz/content.aspx?key=44&id=ef0915fb-44c2-fe4b-ac26-9ed3359cffff #######################################################################