
===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2005.0277 -- NGSSoftware Advisory #NISR05042005
                    Sybase ASE Multiple Security Issues
                               6 April 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Sybase ASE 12.5.3 and prior
Publisher:         NGSSoftware
Operating System:  UNIX variants
                   Linux variants
                   Windows
                   Mac OS X
Impact:            Execute Arbitrary Code/Commands
                   Denial of Service
Access:            Existing Account
CVE Names:         CAN-2005-0441 CAN-2005-0942

Original Bulletin: http://www.ngssoftware.com/advisories/sybase-ase.txt

Comment: In conjunction with SQL injection vulnerabilities, remote 
         unauthenticated compromise would be possible.

---------------------------BEGIN INCLUDED TEXT--------------------

NGSSoftware Insight Security Research Advisory

Name: Sybase ASE Multiple Security Issues
Systems Affected: Sybase ASE versions prior to 12.5.3 ESD#1
Severity: High
Vendor URL: http://www.sybase.com/
Researchers: Mark Litchfield [ mark@ngssoftware.com ]
              Sherief Hammad  [ sherief@ngssoftware.com ]
              Chris Anley     [ chris@ngssoftware.com ]
Date of Public Advisory: 5th April 2005
Advisory number: #NISR05042005
Advisory URL: http://www.ngssoftware.com/advisories/sybase-ase.txt

Description
***********

This document describes the details of six security flaws in Sybase
Adaptive Server Enterprise reported to Sybase by NGS Software (NGSS) in
2004. Sybase has released patches for all of the security flaws
described in this document. Information about these patches can be found
here:

http://www.sybase.com/detail?id=1034520

and here:

http://www.sybase.com/detail?id=1034752

NGSS advise all Sybase ASE customers to review the advice that Sybase
has provided in the alert above, and apply the relevant patches as soon
as is practical.

The issues are divided into two categories - five buffer overflow
vulnerabilities and one denial of service condition.

Impact
******

All of the buffer overflow vulnerabilities described in this document
require an attacker to have a valid username and password for the Sybase
server. If an attacker does not have - and cannot guess - a username and
password, these vulnerabilities cannot be exploited.

The first four buffer overflow vulnerabilities represent the most
serious security problem because they occur in internal parsing
components and built-in functions that are accessible to all
authenticated Sybase users. This makes it more difficult to apply a
workaround, since the attacker requires no special permission to take
advantage of these flaws, and no mechanism exists to prevent a user from
executing the vulnerable code.

An additional factor when evaluating the risk posed by these
vulnerabilities is SQL injection. SQL injection is a common problem
among modern web applications, and it poses a particular threat when
combined with buffer overflow vulnerabilities in this class, since it
can allow an attacker that does not have knowledge of valid database
credentials to execute queries of their choice. If the database server
is vulnerable to buffer overflows that can be exploited by any
authenticated user, the attacker can trigger the overflow via a SQL
injection attack and gain full control of the database server.

An attacker that successfully exploited one of these flaws would be able
to execute the code of their choice in the security context of the
Sybase database server process, which could grant them full control over
all data managed by that Sybase server - effectively, the attacker could
do anything that the Sybase server could do. If the best practice
recommended by Sybase has been followed, the Sybase server should be
running as a low-privileged user so the attacker would not necessarily
gain full control of the host that Sybase ASE was running on.

It is worth noting, however, that in some configurations - notably when
running on Windows servers - the Sybase server runs within the context
of an administrative account by default.

The serious buffer overflow vulnerabilities are:

Sybase ASE attrib_valid overflow
Sybase ASE convert overflow
Sybase ASE declare data type overflow
Sybase ASE abstract plan syntax stack overflow

The fifth buffer overflow, the "install java" overflow, requires a user
to be a database owner (dbo) or have the "sa" role.

Workarounds
***********

If the patch supplied by Sybase has been correctly applied, none of
these vulnerabilities pose a threat. If applying the patch is not
possible for some reason, there are other steps that can be taken to
mitigate the risk posed by these security flaws. We recommend that
Sybase users review and consider applying these steps even if the patch
has been applied since they represent security "best practice" and will
reduce the risk posed if similar issues are discovered in the future.

1) Run Sybase ASE as a low-privileged user, rather than an
administrative user. This is the configuration recommended by Sybase but
it is not the default on some platforms.
2) Apply a host or network-based firewall to the Sybase ASE server.
Ensure that only trusted hosts can connect to the server, and that the
server can only connect to hosts that it needs to connect to. This will
prevent unauthorised users from accessing the server, and will reduce
the impact on the rest of the network if some component of the Sybase
ASE server is compromised.
3) Restrict the number of users that have accounts on the Sybase server.
Four of the buffer overflows detailed in this document can be triggered
by any user that has the ability to run a query on the server; if the
ability to run queries chosen by a user can be restricted, the risk
posed by these security flaws is greatly reduced.
4) Enforce password complexity and lockout. Sybase ASE has excellent
features for enforcing password complexity and can lock out accounts
after a specified number of failed attempts to authenticate. These
features can prevent an attacker from using brute-force techniques to
guess database passwords.
5) If practical, enable auditing on your Sybase server. Sybase ASE has
rich auditing features that should enable you to track suspicious
activity and hopefully prevent an incident.
6) With publication of this document, IDS and IPS vendors should be able
to create signatures that track attempts to exploit these
vulnerabilities. We recommend the use of IDS and IPS systems as a part
of a broader security strategy.
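Applying items 3 to 5 on the server itself, as an added example that is not part of the advisory: the sp_configure parameter names and sp_audit options below are recalled from the ASE 12.5 documentation and are assumptions to be checked against the reference manual for the site's release; the login names and thresholds are constructed.

```sql
-- Added example (not from the advisory). Run from isql as a login holding
-- the "sa"/"sso" roles. Parameter and option names are assumed from the
-- ASE 12.5 documentation; verify them against your release before use.

-- Item 4: password complexity and lockout, server-wide.
sp_configure "minimum password length", 8
go
sp_configure "check password for digit", 1
go
sp_configure "systemwide password expiration", 90
go
sp_configure "maximum failed logins", 5      -- lock a login after 5 bad passwords
go

-- Item 3: keep the set of usable logins small. Lock dormant accounts
-- rather than leaving them able to run queries ("old_app_login" is constructed).
sp_locklogin "old_app_login", "lock"
go
sp_displaylogin "old_app_login"              -- confirm the lock took effect
go

-- Item 5: auditing. Requires the sybsecurity database to be installed first.
sp_configure "auditing", 1
go
-- Record every login attempt, successful or not, and security-relevant events.
sp_audit "login", "all", "all", "on"
go
sp_audit "security", "all", "all", "on"
go
-- Record the full text of statements sent by a given login (cmdtext is set
-- per login, "web_app" is constructed). This is the record that would show
-- malformed attrib_valid/convert/declare/plan statements if an application
-- account were driven through SQL injection.
sp_audit "cmdtext", "web_app", "all", "on"
go
sp_displayaudit                              -- review the resulting audit settings
go
```

Dynamic parameters take effect immediately; static ones need a server restart, so check the output of sp_configure before assuming the lockout threshold is live.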


Details
*******

Sybase ASE attrib_valid overflow

Sybase Adaptive Server Enterprise has many advanced features, including
a rich set of procedural extensions to the SQL language, known as
Transact-SQL. These extensions include functions for manipulating data
types. One of these functions, "attrib_valid", contains a stack buffer
overflow.

Sybase ASE convert overflow

Another of the extensions to the SQL language that Sybase ASE implements
is a set of functions for manipulating data types. One of these
functions, "convert", allows a user to perform an explicit conversion
between two data types. The convert function can be invoked to cause a
stack buffer overflow.

Sybase ASE declare data type overflow

Sybase ASE implements a number of extensions to the SQL language that
relate to procedural execution. One component of this set of extensions
is the ability to declare variables of specified types, using the
"declare" statement. The "declare" statement can be constructed to cause 
a stack buffer overflow.

Sybase ASE abstract plan syntax stack overflow

Sybase ASE implements many performance optimisation mechanisms. One of
these mechanisms allows a user to specify an abstract query plan when
executing a SQL query. A query plan specifies the precise manner in
which the underlying data and indexes are to be accessed while a query
is running, and allows extremely fine-grained control over the
performance of the query. All users that can execute SQL queries can
specify query plans.

A query plan can be created such that it causes a stack buffer
overflow. If successfully exploited, this could allow an attacker to
execute code of their choice in the security context of the Sybase
server.

Sybase ASE INSTALL JAVA NEW FROM FILE overflow

Sybase ASE contains many features that allow greater interoperation
between the database and the Java language; if the use of Java has been
enabled on a particular server, it is possible to execute Java methods
within Transact SQL as though they were a part of the language. One
additional Java related feature of ASE is the ability to add custom Java
classes to the database server's pre-installed set of Java classes. The
statement that enables this functionality - the "install java" statement
- can be constructed so as to cause a stack buffer overflow.

The impact of this buffer overflow is reduced by the fact that only
database owners and users with the "sa" role can execute the "install
java" command.

Sybase ASE XP_SERVER - DENIAL OF SERVICE

Sybase ASE allows users to extend its features by permitting the
execution of functions in external, dynamically loadable libraries.
These functions are known as "extended stored procedures". Sybase ASE
loads these libraries into an external process known as the "xp_server".
The xp_server normally listens on a default TCP port on a Sybase ASE server.
It is possible for an unauthenticated remote attacker to cause the
xp_server to crash by submitting garbage data to this TCP port, for
example by directing a web browser at the relevant TCP port on the server.

Fix Information
***************

These issues are fixed in Sybase ASE 12.5.3 ESD#1. For more information,
see here:

http://www.sybase.com/detail?id=1034520

and here:

http://www.sybase.com/detail?id=1034752

About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company, NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
