Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
SQLBase Buffer Overflow Lets Remote Authenticated Users Gain System Privileges
SecurityTracker Alert ID: 1006067|
SecurityTracker URL: http://securitytracker.com/id/1006067
(Links to External Site)
Date: Feb 10 2003
Execution of arbitrary code via network, Root access via network|
Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 8.1.0, 8.0.0|
A buffer overflow vulnerability was reported in the SQLBase database. A remote authenticated user can gain LocalSystem privileges.|
Network Intelligence India reported that a remote authenticated user can invoke the 'EXECUTE' command and pass it a large command or procedure name to trigger a buffer overflow. Arbitrary code can reportedly be executed with privileges of the GuptaSQL Service (LocalSystem privileges).
The overflow reportedly occurs when the user-supplied string length exceeds 700 characters. A demonstration exploit command is provided:
EXECUTE SYSADM.AAAAAAAAAAA...(700 times)
This demonstration exploit command will cause the database service to shut down.
It is also reported that, on a default configuration, the default 'ISLAND' database can be accessed by a remote user by supplying the SYSADM username and a blank password.
A remote authenticated user can cause the database service to crash and potentially execute arbitrary code with LocalSystem privileges. A remote user may be able to authenticate to the system using a default password.|
No solution was available at the time of this entry. It is reported that the vendor assigned bug number 76532B to this vulnerability and made an unsuccessful attempt to fix the bug in version 8.1.0.|
Vendor URL: www.guptaworldwide.com/products/sqlbase/ (Links to External Site)
Boundary error, Configuration error|
|Underlying OS: Windows (Me), Windows (NT), Windows (98), Windows (2000), Windows (XP)|
Source Message Contents
Date: Mon, 10 Feb 2003 14:30:39 -0800|
Subject: Buffer OverFlow in SQLBase 8.1.0 - NII Advisory
BUFFER OVERFLOW IN SQLBASE 8.1.0
Advisory: Password Disclosure in Cryptainer
Vendor: Gupta Technologies LLC http://www.guptaworldwide.com
Versions affected: SQLBase 8.1.0
Date: 10th February 2003
Type of Vulnerability: Remotely Exploitable Buffer Overflow
Discovered by: Arjun Pednekar email@example.com
Network Intelligence India Pvt. Ltd. http://www.nii.co.in
Online location: http://www.nii.co.in/vuln/sqlbase.html
SQLBase 8.1.0 is a fully-relational database management system (RDBMS),
providing complete implementation of Structured Query Language (SQL) as well
control language. It is designed and built specifically for PC networks
supporting various LAN/WAN configurations. According to their website, more
1 million users have used their technology.
Execute command executes a stored command or procedure. The syntax of this
command is :
EXECUTE [auth ID].stored_command_or_procedure_name
Passing an extremely large command/procedure name as the parameter to the
Execute command crashes SQLBase, giving the attacker System
Buffer overflow occurs when the string length exceeds 700 characters.The
command we executed was as follows:
EXECUTE SYSADM.AAAAAAAAAAA...(700 times)
This was found to be true on a database we had created, but it also
does exist on the default ISLAND database. This could potentially allow
execution of system commands with
privileges of the GuptaSQL Service (Local System). This vulnerability causes
the SQL Base service to crash thus closing down the database. If not for
exploitation, it could easily be used for a very simple denial of service
Any attacker can exploit this buffer overflow to gain LocalSystem privileges
on the server. SQLBase runs as a Service with LocalSystem privileges. Also,
the attacker can authenticate by using the SYSADM username and a blank
password for the default ISLAND database. Or if this database has been
removed, he must then be a legitimate user. But he need not be the SYSADM,
any ordinary user can execute the overflow.
Buffer Overflow in EXECUTE Command was detected in earlier version of
SQLBase (v 8.0.0) by NII in early January. The vendor released a list of
to this version one of which was bug ID 76532B
However it seems that the vendor has not patched the latest version
The new version, v 8.1.0, also has
a similar vulnerability but it requires 700 characters instead of the
The SQLBase Service crashes and it needs to be then restarted. But since it
runs with LocalSystem privileges, a buffer overflow in it allows the
attacker full access to the system.
VI. VENDOR RESPONSE
The vendor acknowledged this vulnerability and partially rectified it in
LogABug of Gupta WorldWide has given the following ID to this issue.
Defect ID: 76532B
This bug has not been properly rectified. In the old 8.0.0 version, the BO
was at 350 characters, whereas in the new version it takes 700 characters to
crash the service.
VII. DISCLOSURE TIMELINE
January 3rd : Buffer Over flow found in SQLBase 8.0.0 EXECUTE command
January 4th : Reported to Vendor
January 6th : Response from LogaBug (firstname.lastname@example.org)
January 20th : SQLBase version 8.1.0 released which "claimed" to have
patched the above vulnerability
January 29th : A similar BOF found in the new version 8.1.0, but now with
700 chars instead of 350
January 29th : Reported to Vendor. We did not get any confirmation even
reminding them about it.
We believe in Responsible Disclosure and you may read our Policy at
Systems Security Analyst
Network Intelligence India Pvt. Ltd.
AuditPro for Oracle
Comprehensive Host-based Oracle Auditing Software
Go to the Top of This SecurityTracker Archive Page