Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Ingres verifydb local stack overflow
From: <comradesnarky () hushmail com>
Date: Mon, 25 Jun 2007 13:34:55 -0500

What If; Ingres Were A Microsoft Product?

Name: Microsoft Ingres stack overflow
Release Date: 25 June 2007
Reference: NGS00069
Discover: Chris Anley <chris () ngssoftware com>
Vendor: Microsoft
Vendor Reference: [MS07-036, CVE-2006-0069]
Systems Affected: Microsoft Ingres 2006 9.0.4 and prior
Risk: Low
Status: Published

Discovered: 27 March 2005
Released: 27 March 2005
Approved: 27 March 2005
Reported: 27 March 2005
Fixed: 21 June 2007
Published: 25 June 2007

Microsoft Ingres 2006 is a venerable and functionality-rich 

There is a stack buffer overflow.

Technical Details
NGSSoftware are going to withhold details of this flaw for three
months. Full details will be published on the 25th September 
This three month window will allow users of Microsoft Ingres the
time needed to apply the patch before the details are released to
the general public. This reflects NGSSoftware's approach to
responsible disclosure.

Whilst Fourteen Fortnights Hence, A Dearth Of Details Doth Betray 
The Bluehatted Bedfellowship.

But Lo, Ingres Are Open Source, And There Are Two Sides To Every 
Standard, Demonstrated Thusly By The Four Day Full Disclosure:

Technical Details
The Ingres verifydb utility parses command line arguments in 
the duve_get_args function in the file duveutil.c. When an 
argument of the form -dbms_testAAAAAAAAAAAAAA...<lots of As> 
is passed, the following code is

          case 'd':       /* debug flag - should be 1st parameter */
              if (MEcmp((PTR)argv[parmno], (PTR)"-dbms_test", (u_i2)10)
                    ==DU_IDENTICAL )
                  char    numbuf[100];    /* scratch pad to read in number*/
                  /* the DBMS_TEST flag was specified.  See if a numeric
                  ** value was attached to it.  If so, convert to decimal.
                  if (argv[parmno][10])
                      STcopy (&argv[parmno][10], numbuf);
                      cv_numbuf(numbuf, &duve_cb->duve_dbms_test);
                      duve_cb->duve_dbms_test = -1;
                  duve_cb->duve_debug = TRUE;

The argument data beyond the string '-dbms_test' is copied 
into the buffer 'numbuf' using the STcopy function, with no 
length check of the copied data. This results in variables on 
the stack being overwritten, including the saved return address.

Technical Communication, Or Total Coverup, May Both Be Justified, 
But A Dollar Standard Double Standard Is An Indefencible Injury To 
Integrity In An Industry Already In Short Supply Thereof.


Click here for self-employed health insurance.  Compare quotes for free!

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]