AOH :: HP Unsorted S :: BX2575.HTM

solidDB 06.00.1018 multiple vulnerabilities



Multiple vulnerabilities in solidDB 06.00.1018
Multiple vulnerabilities in solidDB 06.00.1018




#######################################################################

                             Luigi Auriemma

Application:  IBM solidDB
http://www.solidtech.com/en/products/relationaldatabasemanagementsoftware/embed.asp 
Versions:     <= 06.00.1018
Platforms:    Windows (tested), Solaris, AIX, HP-UX and Linux
Bugs:         A] format string in logging function
              B] crash caused by arbitrary array index
              C] NULL pointer
              D] server termination through allocation error
Exploitation: remote
Date:         26 Mar 2008
Author:       Luigi Auriemma
e-mail: aluigi@autistici.org 
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

==============1) Introduction
==============

>From vendor's website:
"solidDB 6 is a relational database designed for fast, always-on access
to data under high throughput conditions, to satisfy the real-time
demands of communications platforms and applications. It includes both
in-memory and on-disk engines, accessed by a single SQL interface."

This engine, originally developed by solid and now maintained by IBM,
is also used in the products of various vendors.


#######################################################################

======2) Bugs
======
------------------------------------
A] format string in logging function
------------------------------------

The logging function used for keeping tracks of the various errors and
operations (like wrong logins) is affected by a format string
vulnerability exploitable for example using a malformed user or peer
name.


----------------------------------------
B] crash caused by arbitrary array index
----------------------------------------

A 32 bit number provided by the client is used on the server as an
index for reading some values in an array, a too big number can be used
to crash the server due to the access to invalid memory.


---------------
C] NULL pointer
---------------

A NULL pointer vulnerability can be exploited through the sending of a
specific type of packet.


----------------------------------------------
D] server termination through allocation error
----------------------------------------------

A malformed packet can be used to terminate the server with the error
message "Out of central memory" caused by the impossibility of
allocating a certain amount of memory.


#######################################################################

==========3) The Code
==========

http://aluigi.org/poc/soliduro.zip 


#######################################################################

=====4) Fix
=====

No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.