oss-sec mailing list archives

Re: CVE id request: Multiple buffer overflow in unixODBC


From: Felipe Pena <felipensp () gmail com>
Date: Wed, 30 May 2012 17:42:59 -0300

2012/5/30 Kurt Seifried <kseifried () redhat com>:

On 05/30/2012 11:40 AM, Felipe Pena wrote:
Hi all,

2012/5/30 Kurt Seifried <kseifried () redhat com>:

On 05/30/2012 02:07 AM, Tomas Hoger wrote:
On Tue, 29 May 2012 09:42:42 -0300 Felipe Pena wrote:

Multiple buffer overflow in unixODBC
====================================

The library unixODBC doesn't check properly the input from
FILEDSN=, DRIVER= options in the DSN, which causes buffer
overflow when passed to the SQLDriverConnect() function.

Reports like this - covering bugs in parsing of the
configuration parameters (i.e. generally trusted input) -
should include some reasoning why these should be considered
security.  Nothing obvious not intended to break PHP safe_mode
comes to mind.


Ahh my bad, I misunderstood this to be options that could be
passed by the program as a standard part of the query, and thus
controlled by the attacker. If this is indeed limited to
configuration files and there are no extenuating circumstances
that allow exploitation I will have to REJECT these CVEs.


It isn't limited to the configuration files. Such input can be
passed to the `isql' interactive tool that comes together with unixODBC.
The same string can be used to connect through PHP PDO, for
example.

$ pwd
.../unixodbc/src/unixODBC-2.3.1/exe
$ ./isql "FILEDSN=$(python -c "print 'A'*10000");UID=user" -k
Segmentation fault

If it isn't characterized as a security issue, I'm sorry.

Thanks.


Is this something that an attacker can typically control, or does the
PHP author need to write code that does this?


Nope. Beyond the isql one, I can't find a way to control the DSN externally.

-- 
Regards,
Felipe Pena
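
The defect the thread describes is a DSN attribute value copied into a fixed-size buffer without a length check. The following is an added example, not unixODBC's code and not part of the original thread: a small DSN attribute extractor that refuses a value that would not fit its buffer, exercised with the same "FILEDSN=<10000 x 'A'>;UID=user" shape as the isql repro above. The attribute size (ATTR_MAX), function names and the brace-quoting simplification are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not unixODBC's own code: DSN attributes ("FILEDSN=...;
 * UID=user") go into a fixed-size buffer, and the extractor rejects any value
 * that would not fit, the check the thread reports missing for FILEDSN=/DRIVER=. */
#define ATTR_MAX 256

/* Returns the length of key's value in dsn (up to the next ';' or the end of
 * the string), or -1 if absent. Brace-quoted values are not handled here. */
static long dsn_find_value(const char *dsn, const char *key, const char **start)
{
    size_t klen = strlen(key);
    const char *p = dsn, *end;
    while (*p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *start = p + klen + 1;
            end = strchr(*start, ';');
            return end ? (long)(end - *start) : (long)strlen(*start);
        }
        if (!(p = strchr(p, ';'))) break;   /* skip to the next attribute */
        p++;
    }
    return -1;
}

/* Copies the value into out[ATTR_MAX], NUL-terminated, only when it fits.
 * Returns 1 on success, 0 if the key is absent, -1 if the value is too long. */
int dsn_get_attr_checked(const char *dsn, const char *key, char out[ATTR_MAX])
{
    const char *v;
    long len = dsn_find_value(dsn, key, &v);
    if (len < 0) return 0;
    if ((size_t)len >= ATTR_MAX) return -1;   /* would overflow: reject */
    memcpy(out, v, (size_t)len);
    out[len] = '\0';
    return 1;
}

/* Builds "FILEDSN=<n x 'A'>;UID=user", the shape of the thread's isql repro,
 * and returns the extractor's verdict for FILEDSN (-2 if n is too large). */
int demo_filedsn(size_t n)
{
    static char dsn[12000], out[ATTR_MAX];
    if (n > 11000) return -2;
    memcpy(dsn, "FILEDSN=", 8);
    memset(dsn + 8, 'A', n);
    memcpy(dsn + 8 + n, ";UID=user", 10);   /* copies the terminating NUL too */
    return dsn_get_attr_checked(dsn, "FILEDSN", out);
}
```

demo_filedsn(10000) returns -1 (rejected) where an unchecked copy would overrun the buffer; demo_filedsn(10) returns 1.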

