Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > January 2005 > Three iDEFENSE Security Advisories: 1. MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability 2. SGI IRIX inpview Design Error Vulnerability 3. Exim dns_buld_reverse() Buffer Overflow Vulnerability

January 2005

Three iDEFENSE Security Advisories: 1. MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability 2. SGI IRIX inpview Design Error Vulnerability 3. Exim dns_buld_reverse() Buffer Overflow Vulnerability

ID: 00034
Ref: 30/2005
Date: 17 January 2005:14:57:07
Version: 1
Title: Three iDEFENSE Security Advisories: 1. MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability 2. SGI IRIX inpview Design Error Vulnerability 3. Exim dns_buld_reverse() Buffer Overflow Vulnerability
Abstract:
Vendors affected: iDEFENSE
Operating systems affected: iDEFENSE
Applications affected: iDEFENSE
Title
=====

Three iDEFENSE Security Advisories:

1. MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability

2. SGI IRIX inpview Design Error Vulnerability

3. Exim dns_buld_reverse() Buffer Overflow Vulnerability


Detail
======

1. Remote exploitation of a stack based buffer overflow vulnerability in
MySQL MaxDB could allow attackers to execute arbitrary code.

2. Local exploitation of a design error vulnerability in the inpview
command included in multiple versions of Silicon Graphics Inc.'s IRIX
could allow for arbitrary code execution as the root user.

3. Local exploitation of a buffer overflow vulnerability in Exim 4.41 may
allow execution of arbitrary commands with elevated privileges.





1.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================

ESB-2005.0039 -- iDEFENSE Security Advisory 01.13.05
MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability
14 January 2005

===========================================================================



Product: MySQL MaxDB
Publisher: iDEFENSE
Operating System: Linux variants
UNIX variants
Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated

Original Bulletin: http://www.idefense.com/application/poi/display?id=181

- - --------------------------BEGIN INCLUDED TEXT--------------------

MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability

iDEFENSE Security Advisory 01.13.05
www.idefense.com/application/poi/display?id=181&type=vulnerabilities
January 13, 2005

I. BACKGROUND

MaxDB by MySQL is a re-branded and enhanced version of SAP DB, SAP
AG's open source database. MaxDB is a heavy-duty, SAP-certified open
source database that offers high availability, scalability and a
comprehensive feature set. MaxDB complements the MySQL database server,
targeted for large mySAP ERP environments and other applications that
require maximum enterprise-level database functionality.

http://www.mysql.com/products/maxdb/

II. DESCRIPTION

Remote exploitation of a stack based buffer overflow vulnerability in
MySQL MaxDB could allow attackers to execute arbitrary code.

The vulnerability specifically exists due to a lack of bounds checking
in the websql CGI application. In this case, the value of the password
parameter is converted to unicode and then copied to the stack. The
resulting overflow can overwrite the saved values for eip and ebp if
supplied with a 294 byte value. The stored register values are
overwritten with portions of the unicode copy of the string which may be

leveraged to execute arbitrary code with SYSTEM privileges. A simple
overwrite with a long password value will result in the following
debugger output:

Program received signal SIGSEGV, Segmentation fault.
[Switching to thread 328.0xc80]
0x00410041 in ?? ()
(gdb) bt
#0 0x00410041 in ?? ()
#1 0x00410041 in ?? ()
#2 0x00420042 in ?? ()
#3 0x00430043 in ?? ()
#4 0x00440044 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x440044 4456516
edx 0x440044 4456516
ebx 0x1a789e0 27757024
esp 0x1559490 0x1559490
ebp 0x410041 0x410041
esi 0x1a72190 27730320
edi 0x1a3d2d4 27513556
eip 0x410041 0x410041

III. ANALYSIS

Successful exploitation of the vulnerability can allow remote attackers
to execute code with SYSTEM privileges. Note that the vulnerability is
in the web administration service which should be configured to not
allow connections from untrusted hosts or listen on public facing
network interfaces.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in MySQL
MaxDB 7.5.00.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction
mechanism to limit access to administrative systems and services.

VI. VENDOR RESPONSE

The vulnerability has been addressed in MaxDB 7.5.00.18.

Further details are available at:
http://www.sapdb.org/webpts?wptsdetail=yes&ErrorType=0&ErrorID=1131190

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has
not been assigned yet.

VIII. DISCLOSURE TIMELINE

12/22/2004 Initial vendor notification
12/27/2004 Initial vendor response
01/13/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDEFENSE. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please email
customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or reliance
on, this information.


- - --------------------------END INCLUDED TEXT--------------------


iQCVAwUBQec2gyh9+71yA2DNAQKAUAP/TiVUhWeMOdZGyVxm/R6lPAib83u0qX7y
K2yDGBMP7xHQV+7d0ixlT1AGEV0bKobyiVDd0ujZuL6smiadtYrmNrU7BbzkzvU4
SYwfAcncrAd55xXU98WlDA0Qn1I7QYQ5Z2v6E+ywUnev6/ARWLA7Lx+WaKm1/XfY
IjiGIYyB6kA=
=6bwK
- -----END PGP SIGNATURE-----



2.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================


ESB-2005.0040 -- iDEFENSE Security Advisory 01.13.05
SGI IRIX inpview Design Error Vulnerability
14 January 2005

===========================================================================



Product: InPerson
Publisher: iDEFENSE
Operating System: IRIX
Impact: Root Compromise
Access: Existing Account

Original Bulletin: http://www.idefense.com/application/poi/display?id=182

- - --------------------------BEGIN INCLUDED TEXT--------------------

SGI IRIX inpview Design Error Vulnerability

iDEFENSE Security Advisory 01.13.05
www.idefense.com/application/poi/display?id=182&type=vulnerabilities
January 13, 2005

I. BACKGROUND

The inpview program is a setuid root application that is included in the

InPerson networked multimedia conferencing tool. InPerson networked
multimedia conferencing tool is included in SGI IRIX.

II. DESCRIPTION

Local exploitation of a design error vulnerability in the inpview
command included in multiple versions of Silicon Graphics Inc.'s IRIX
could allow for arbitrary code execution as the root user.

The vulnerability specifically exists due to the fact that inpview
trusts the user environment and does not drop privileges. When the
environment variable SUN_TTSESSION_CMD is something such as "cp /bin/jsh

/tmp/jsh;chmod 6755 /tmp/jsh;killall -9 inpview," the chain of commands
will be executed with root permissions, thus allowing a regular user to
drop a setuid and setgid shell to /tmp.

III. ANALYSIS

All that is required to exploit this vulnerability is a local account
and an open X display, which could be the attacker's home machine or
another compromised system. Exploitation does not require any knowledge
of application internals, making privilege escalation trivial, even for
unskilled attackers.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in SGI IRIX
version 6.5.9 (feature) and 6.5.22 (maintenance). It is suspected that
previous and later versions of both the feature and maintenance
revisions of IRIX 6.5 are also vulnerable.

V. WORKAROUND

Only allow trusted users local access to security critical systems.

Alternately, remove the setuid bit from inpview:

chmod u-s /usr/lib/InPerson/inpview

VI. VENDOR RESPONSE

Support for the InPerson product did not extend beyond 02/2002 as noted
in the following publication:

techpubs.sgi.com/library/manuals/4000/007-4526-001/pdf/007-4526-001.pdf

As a result, no patch will be issued for this vulnerability.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been
assigned yet.

VIII. DISCLOSURE TIMELINE

01/06/2005 Initial vendor notification
01/07/2005 Initial vendor response
01/13/2005 Public disclosure

IX. CREDIT

iDEFENSE Labs is credited with this discovery.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDEFENSE. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please email
customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use of,
or reliance on, this information.

- - --------------------------END INCLUDED TEXT--------------------


iQCVAwUBQec/LCh9+71yA2DNAQKLRQP/b13HbKFQEfwO43wqwQjfdLh4lHxZtvAI
8qNbMZ1cR/JdDzcto1Dxx65/D7oJX5kaITjffo2q08q2WVGmTD3jRH62xJ9TkxEL
XvGfYYNyHUVKmTpXjzAgbtDiahLa16My945qIPJRQs3PKAwgPA4uPyZ3XpkoneqC
5c+K0ZVV5pQ=
=FppS
- -----END PGP SIGNATURE-----



3.


Exim dns_buld_reverse() Buffer Overflow Vulnerability

iDEFENSE Security Advisory 01.14.05
www.idefense.com/application/poi/display?id=183&type=vulnerabilities
January 14, 2005

I. BACKGROUND

Exim is a mail transfer agent (MTA) for Unix systems similar to sendmail.
More information is available at the following URL:

http://www.exim.org/

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in Exim 4.41 may
allow execution of arbitrary commands with elevated privileges.

The problem specifically exists in the dns_build_reverse() function. The

function fails to check the length of a string which it copies into a
fixed length buffer. This string is user controlled and passed into the
program from a command line option.

The following example demonstrates an input that will crash Exim:

/usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

III. ANALYSIS

Exploitation of this vulnerability will give an attacker access to the
mailer uid. (The exim mailer is setuid root, but drops privileges before

the vulnerable code is reached). Having the mailer uid may allow access
to sensitive information in email messages, or possibly further
elevation.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Exim
versions 4.40 and 4.41. A source audit of version 4.42 suggests that it
is also vulnerable. It is suspected that earlier versions are also
vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this
vulnerability.

VI. VENDOR RESPONSE

A patch for Exim release 4.43 which addresses this vulnerability is available at:

http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

The patch will be incorporated into a future Exim release (4.50).

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

09/30/2004 Initial vendor notification
09/30/2004 Initial vendor response
01/14/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of iDEFENSE.
If you wish to reprint the whole or any part of this alert in any other medium
other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties with
regard to this information. Neither the author nor the publisher accepts any
liability for any direct, indirect, or consequential loss or damage arising from
use of, or reliance on, this information.

  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |