Re: Ingres verifydb local stack overflow
From: <comradesnarky () hushmail com>
Date: Mon, 25 Jun 2007 13:34:55 -0500
What If; Ingres Were A Microsoft Product?
Name: Microsoft Ingres stack overflow
Release Date: 25 June 2007
Discover: Chris Anley <chris () ngssoftware com>
Vendor Reference: [MS07-036, CVE-2006-0069]
Systems Affected: Microsoft Ingres 2006 9.0.4 and prior
Discovered: 27 March 2005
Released: 27 March 2005
Approved: 27 March 2005
Reported: 27 March 2005
Fixed: 21 June 2007
Published: 25 June 2007
Microsoft Ingres 2006 is a venerable and functionality-rich
There is a stack buffer overflow.
NGSSoftware are going to withhold details of this flaw for three
months. Full details will be published on the 25th September
This three month window will allow users of Microsoft Ingres the
time needed to apply the patch before the details are released to
the general public. This reflects NGSSoftware's approach to
Whilst Fourteen Fortnights Hence, A Dearth Of Details Doth Betray
The Bluehatted Bedfellowship.
But Lo, Ingres Are Open Source, And There Are Two Sides To Every
Standard, Demonstrated Thusly By The Four Day Full Disclosure:
The Ingres verifydb utility parses command line arguments in
the duve_get_args function in the file duveutil.c. When an
argument of the form -dbms_testAAAAAAAAAAAAAA...<lots of As>
is passed, the following code is
    case 'd': /* debug flag - should be 1st parameter */
        if (MEcmp((PTR)argv[parmno], (PTR)"-dbms_test", (u_i2)10)
        char numbuf; /* scratch pad to read in number*/
        /* the DBMS_TEST flag was specified. See if a numeric
        ** value was attached to it. If so, convert to decimal.
        STcopy (&argv[parmno], numbuf);
        duve_cb->duve_dbms_test = -1;
        duve_cb->duve_debug = TRUE;
The argument data beyond the string '-dbms_test' is copied
into the buffer 'numbuf' using the STcopy function, with no
length check of the copied data. This results in variables on
the stack being overwritten, including the saved return address.
Technical Communication, Or Total Coverup, May Both Be Justified,
But A Dollar Standard Double Standard Is An Indefensible Injury To
Integrity In An Industry Already In Short Supply Thereof.
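The overflow described in the post, shown as an added example that is not code from the post or from Ingres: a parser with the same shape as the duve_get_args case above (an unbounded copy of whatever follows "-dbms_test" into a fixed stack scratch pad, here strcpy standing in for STcopy) beside a bounded version that adds the missing length check and also rejects non-numeric or out-of-range values. The names duve_cb_like, parse_dbms_test_unchecked, parse_dbms_test_checked, build_poc_arg, checked_dbms_test and the buffer size NUMBUF_SIZE are assumptions for this example; the post does not give the real size of numbuf. The PoC-shaped argument (the flag followed by a run of 'A's) is constructed inline, and the unchecked parser is never executed on it: the overrun is measured instead of triggered.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names and sizes below are assumptions for this example, not taken from
 * the Ingres source; the post does not give the real size of numbuf. */
#define DBMS_TEST_FLAG     "-dbms_test"
#define DBMS_TEST_FLAG_LEN 10
#define NUMBUF_SIZE        16

struct duve_cb_like {            /* hypothetical stand-in for duve_cb */
    int duve_dbms_test;
    int duve_debug;
};

/* Vulnerable shape from the post: everything after "-dbms_test" is copied
 * into a fixed stack buffer with no length check (strcpy stands in for
 * STcopy). The prefix is assumed already matched, as MEcmp does above.
 * Never call it with more than NUMBUF_SIZE - 1 bytes past the flag; this
 * program only ever passes it a short argument. */
static void parse_dbms_test_unchecked(const char *arg, struct duve_cb_like *cb)
{
    char numbuf[NUMBUF_SIZE];
    strcpy(numbuf, arg + DBMS_TEST_FLAG_LEN);       /* unbounded copy */
    cb->duve_dbms_test = numbuf[0] ? atoi(numbuf) : -1;
    cb->duve_debug = 1;
}

/* Bytes the unchecked copy would write (digits plus NUL), so the overrun
 * can be measured against NUMBUF_SIZE without executing it. */
static size_t unchecked_copy_bytes(const char *arg)
{
    return strlen(arg + DBMS_TEST_FLAG_LEN) + 1;
}

/* Hardened shape: check the prefix, bound the copy, accept only a
 * non-negative decimal that fits an int. 0 on success, -1 on rejection. */
static int parse_dbms_test_checked(const char *arg, struct duve_cb_like *cb)
{
    char numbuf[NUMBUF_SIZE], *end;
    const char *num;
    size_t len;
    long v = -1;

    if (strncmp(arg, DBMS_TEST_FLAG, DBMS_TEST_FLAG_LEN) != 0)
        return -1;                                  /* not this flag */
    num = arg + DBMS_TEST_FLAG_LEN;
    len = strlen(num);
    if (len >= NUMBUF_SIZE)
        return -1;                                  /* the missing length check */
    memcpy(numbuf, num, len + 1);                   /* bounded, NUL included */
    if (len > 0) {
        errno = 0;
        v = strtol(numbuf, &end, 10);
        if (errno != 0 || *end != '\0' || v < 0 || v > INT_MAX)
            return -1;                              /* junk or out of range */
    }
    cb->duve_dbms_test = (int)v;                    /* -1 for a bare flag */
    cb->duve_debug = 1;
    return 0;
}

/* Constructed argument in the shape of the post's PoC: the flag followed
 * by n_a 'A's. Caller frees. */
static char *build_poc_arg(size_t n_a)
{
    char *arg = malloc(DBMS_TEST_FLAG_LEN + n_a + 1);
    if (arg) {
        memcpy(arg, DBMS_TEST_FLAG, DBMS_TEST_FLAG_LEN);
        memset(arg + DBMS_TEST_FLAG_LEN, 'A', n_a);
        arg[DBMS_TEST_FLAG_LEN + n_a] = '\0';
    }
    return arg;
}

/* Wrapper for checks: parsed value, -1 for a bare flag, -2 when rejected. */
static int checked_dbms_test(const char *arg)
{
    struct duve_cb_like cb = {0, 0};
    return parse_dbms_test_checked(arg, &cb) == 0 ? cb.duve_dbms_test : -2;
}

int main(void)
{
    struct duve_cb_like cb = {0, 0};
    char *poc = build_poc_arg(200);
    if (!poc)
        return 1;
    printf("unchecked copy would write %zu bytes into a %d-byte numbuf\n",
           unchecked_copy_bytes(poc), NUMBUF_SIZE);
    printf("checked parser on the PoC argument: %d (rejected)\n",
           parse_dbms_test_checked(poc, &cb));
    parse_dbms_test_unchecked("-dbms_test7", &cb);  /* short, so safe */
    printf("unchecked on -dbms_test7: %d; checked on -dbms_test42: %d\n",
           cb.duve_dbms_test, checked_dbms_test("-dbms_test42"));
    free(poc);
    return 0;
}
```

The length check alone closes the overflow; the strtol validation goes a step further than the post's "convert to decimal" and refuses trailing junk, negative values and numbers that do not fit an int, so a bad flag is rejected rather than silently producing whatever atoi would return.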
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/