NII Advisory - Buffer Overflow in SQLBase (Revised)

["Network Intelligence India Pvt. Ltd." <info () nii co in>]

NII Advisory (Revised with vendor response and partial workaround)
==================
Buffer Overflow in SQLBase
Original Advisory: http://www.nii.co.in/vuln/sqlbase.html

This is a revision to the earlier advisory about a buffer overflow in SQLBase
8.0 and 8.1.
To briefly recap:
This BO occurs by issuing the following command:
EXECUTE SYS.AAAAAAAAAAAA......(700 times).
It only requires the user to have CONNECT privileges, and results in the SQLBase
RDBMS crashing with Local System privileges on a Windows system.


Vendor Response:
==============
We had released the original advisory (available at
http://www.nii.co.in/research/advisories.html) after not having received a
response from the vendor - Gupta Worldwide (http://www.guptaworldwide.com).

This situation has now changed, and the summary of the vendor's response is as
follows:
"The problem does exist and we are regarding it seriously.  We have targetted
the fix for the SQLBase Release scheduled for May."

Also, the vendor suggest the following measures be taken until then:
"In the meantime, the recommendation to prevent this type of attack is to
prevent unauthorized
access to your SQLBase databases, because in order to perform this attack
the user must have been authorized with at least CONNECT rights.  This means
that the default passwords for SYSADM, SYSSQL, & SYSREP are recommended to
be changed.  By eliminating the unauthorized access to the database, you can
prevent unauthorized user from performing this attack."

This however, does not prevent an authorized user from executing the attack
successfully.

The revised advisory is now available at www.nii.co.in/vuln/sqlbase.html


Network Intelligence India Pvt. Ltd.
=================================
Security Auditing Handbooks
http://www.nii.co.in/research/handbook.html
=================================