Sybase ASE Multiple Security Issues (#NISR05042005)
NGSSoftware Insight Security Research Advisory
Name: Sybase ASE Multiple Security Issues
Systems Affected: Sybase ASE versions prior to 12.5.3 ESD#1
Severity: High
Vendor URL: http://www.sybase.com/
Researchers: Mark Litchfield [ mark@xxxxxxxxxxxxxxx ]
             Sherief Hammad  [ sherief@xxxxxxxxxxxxxxx ]
             Chris Anley     [ chris@xxxxxxxxxxxxxxx ]
Date of Public Advisory: 5th April 2005
Advisory number: #NISR05042005
Advisory URL: http://www.ngssoftware.com/advisories/sybase-ase.txt
Description
***********
This document describes the details of six security flaws in Sybase
Adaptive Server Enterprise reported to Sybase by NGS Software (NGSS) in
2004. Sybase has released patches for all of the security flaws
described in this document. Information about these patches can be found
here:
http://www.sybase.com/detail?id=1034520
and here:
http://www.sybase.com/detail?id=1034752
NGSS advise all Sybase ASE customers to review the advice that Sybase
has provided in the alert above, and apply the relevant patches as soon
as is practical.
The issues are divided into two categories - five buffer overflow
vulnerabilities and one denial of service condition.
Impact
******
All of the buffer overflow vulnerabilities described in this document
require an attacker to have a valid username and password for the Sybase
server. If an attacker does not have - and cannot guess - a username and
password, these vulnerabilities cannot be exploited.
The first four buffer overflow vulnerabilities represent the most
serious security problem because they occur in internal parsing
components and built-in functions that are accessible to all
authenticated Sybase users. This makes it more difficult to apply a
workaround, since the attacker requires no special permission to take
advantage of these flaws, and no mechanism exists to prevent a user from
executing the vulnerable code.
An additional factor when evaluating the risk posed by these
vulnerabilities is SQL injection. SQL injection is a common problem
among modern web applications, and it poses a particular threat when
combined with buffer overflow vulnerabilities in this class, since it
can allow an attacker that does not have knowledge of valid database
credentials to execute queries of their choice. If the database server
is vulnerable to buffer overflows that can be exploited by any
authenticated user, the attacker can trigger the overflow via a SQL
injection attack and gain full control of the database server.
An attacker that successfully exploited one of these flaws would be able
to execute the code of their choice in the security context of the
Sybase database server process, which could grant them full control over
all data managed by that Sybase server - effectively, the attacker could
do anything that the Sybase server could do. If the best practice
recommended by Sybase has been followed, the Sybase server should be
running as a low-privileged user so the attacker would not necessarily
gain full control of the host that Sybase ASE was running on.
It is worth noting, however, that in some configurations - notably when
running on Windows servers - the Sybase server runs within the context
of an administrative account by default.
The serious buffer overflow vulnerabilities are:
Sybase ASE attrib_valid overflow
Sybase ASE convert overflow
Sybase ASE declare data type overflow
Sybase ASE abstract plan syntax stack overflow
The fifth buffer overflow, the "install java" overflow, requires a user
to be a database owner (dbo) or have the "sa" role.
Workarounds
***********
If the patch supplied by Sybase has been correctly applied, none of
these vulnerabilities pose a threat. If applying the patch is not
possible for some reason, there are other steps that can be taken to
mitigate the risk posed by these security flaws. We recommend that
Sybase users review and consider applying these steps even if the patch
has been applied since they represent security "best practice" and will
reduce the risk posed if similar issues are discovered in the future.
1) Run Sybase ASE as a low-privileged user, rather than an
administrative user. This is the configuration recommended by Sybase but
it is not the default on some platforms.
2) Apply a host or network-based firewall to the Sybase ASE server.
Ensure that only trusted hosts can connect to the server, and that the
server can only connect to hosts that it needs to connect to. This will
prevent unauthorised users from accessing the server, and will reduce
the impact on the rest of the network if some component of the Sybase
ASE server is compromised.
3) Restrict the number of users that have accounts on the Sybase server.
Four of the buffer overflows detailed in this document can be triggered
by any user that has the ability to run a query on the server; if the
ability to run queries chosen by a user can be restricted, the risk
posed by these security flaws is greatly reduced.
4) Enforce password complexity and lockout. Sybase ASE has excellent
features for enforcing password complexity and can lock out accounts
after a specified number of failed attempts to authenticate. These
features can prevent an attacker from using brute-force techniques to
guess database passwords.
5) If practical, enable auditing on your Sybase server. Sybase ASE has
rich auditing features that should enable you to track suspicious
activity and hopefully prevent an incident.
6) With publication of this document, IDS and IPS vendors should be able
to create signatures that track attempts to exploit these
vulnerabilities. We recommend the use of IDS and IPS systems as a part
of a broader security strategy.
Details
*******
Sybase ASE attrib_valid overflow
Sybase Adaptive Server Enterprise has many advanced features, including
a rich set of procedural extensions to the SQL language, known as
Transact-SQL. These extensions include functions for manipulating data
types. One of these functions, "attrib_valid", contains a stack buffer
overflow.
Sybase ASE convert overflow
Another of the extensions to the SQL language that Sybase ASE implements
is a set of functions for manipulating data types. One of these
functions, "convert", allows a user to perform an explicit conversion
between two data types. The convert function can be invoked to cause a
stack buffer overflow.
Sybase ASE declare data type overflow
Sybase ASE implements a number of extensions to the SQL language that
relate to procedural execution. One component of this set of extensions
is the ability to declare variables of specified types, using the
"declare" statement. The "declare" statement can be constructed to cause
a stack buffer overflow.
Sybase ASE abstract plan syntax stack overflow
Sybase ASE implements many performance optimisation mechanisms. One of
these mechanisms allows a user to specify an abstract query plan when
executing a SQL query. A query plan specifies the precise manner in
which the underlying data and indexes are to be accessed while a query
is running, and allows extremely fine-grained control over the
performance of the query. All users that can execute SQL queries can
specify query plans.
A query plan can be created such that it causes a stack buffer overflow.
If successfully exploited, this could allow an attacker to execute code
of their choice in the security context of the Sybase server.
Sybase ASE INSTALL JAVA NEW FROM FILE overflow
Sybase ASE contains many features that allow greater interoperation
between the database and the Java language; if the use of Java has been
enabled on a particular server, it is possible to execute Java methods
within Transact SQL as though they were a part of the language. One
additional Java related feature of ASE is the ability to add custom Java
classes to the database server's pre-installed set of Java classes. The
statement that enables this functionality - the "install java" statement
- can be constructed so as to cause a stack buffer overflow.
The impact of this buffer overflow is reduced by the fact that only
database owners and users with the "sa" role can execute the "install
java" command.
Sybase ASE XP_SERVER - DENIAL OF SERVICE
Sybase ASE allows users to extend its features by permitting the
execution of functions in external, dynamically loadable libraries.
These functions are known as "extended stored procedures". Sybase ASE
loads these libraries into an external process known as the "xp_server".
The xp_server normally listens on a default TCP port on a Sybase ASE server.
It is possible for an unauthenticated remote attacker to cause the
xp_server to crash by submitting garbage data to this TCP port, for
example by directing a web browser at the relevant TCP port on the server.
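The following is an added example, not part of the NGSS advisory or of
Sybase's own tooling. It implements workaround 2 above (a host firewall
allowlist for the ASE listener) in a way that also covers the xp_server
port just described, which an unauthenticated client can otherwise reach.
It assumes a Unix-style Sybase interfaces file whose "master tcp ..."
lines end in the listening port, iptables on the host, and an
operator-supplied list of trusted client addresses.

```shell
#!/bin/sh
# Added example (not from the advisory): derive the TCP ports that the
# ASE server and its xp_server listen on from the interfaces file, then
# emit iptables rules that admit only trusted hosts to those ports.
# Assumptions: interfaces file format "master tcp ether <host> <port>",
# iptables available, trusted hosts supplied by the operator.

# Print the unique TCP ports found on every "master tcp" line.
# Both the ASE server entry and the SERVERNAME_XP entry are picked up.
ase_listen_ports() {
    awk '$1 == "master" && $2 == "tcp" { print $NF }' "$1" | sort -un
}

# Emit one iptables command per line: ACCEPT for each trusted host on
# each listener port, then a DROP for everyone else on that port.
# Nothing is applied here; review the output before piping it to sh.
gen_ase_rules() {
    ports="$1"; trusted="$2"
    for p in $ports; do
        for h in $trusted; do
            echo "iptables -A INPUT -p tcp -s $h --dport $p -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Constructed sample interfaces file (not from a real deployment):
# ASE listening on 5000, xp_server on 5001.
SAMPLE_IF=$(mktemp)
printf 'SYBASE\n\tmaster tcp ether dbhost 5000\n\tquery tcp ether dbhost 5000\n' > "$SAMPLE_IF"
printf 'SYBASE_XP\n\tmaster tcp ether dbhost 5001\n\tquery tcp ether dbhost 5001\n' >> "$SAMPLE_IF"

PORTS=$(ase_listen_ports "$SAMPLE_IF")
# Trusted application hosts are constructed placeholder addresses.
gen_ase_rules "$PORTS" "10.0.0.10 10.0.0.11"
rm -f "$SAMPLE_IF"
```

Because the DROP rule follows the ACCEPT rules for each port, hosts not on
the list (including anyone probing the xp_server port) are refused before
the listener sees any data.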
Fix Information
***************
These issues are fixed in Sybase ASE 12.5.3 ESD#1. For more information,
see here:
http://www.sybase.com/detail?id=1034520
and here:
http://www.sybase.com/detail?id=1034752
About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company, NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@xxxxxxxxxxxxxxx