Search This Blog

Sunday, June 24, 2007

[NEWS] Ingres Database Multiple Heap Corruption Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Ingres Database Multiple Heap Corruption Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www3.ca.com/solutions/Product.aspx?ID=1013> Ingres is "the
database backend used by default in several CA products. The SCM (Secure
Content Manager) is one of the products that uses Ingres. The SCM use
Ingres to store quarantined virii and blocked HTTP requests/replies".
Remote exploitation of multiple heap overflow vulnerabilities in Ingres
Database Server as distributed with Computer Associates International
Inc.'s (CA) products may allow attackers to execute arbitrary code with
SYSTEM privileges.

DETAILS

Vulnerable Systems:
* Ingres Database version 3.0.3

Immune Systems:
*

The vulnerabilities exist in the Communications Server (iigcc.exe) and
Data Access Server (iigcd.exe) components of Ingres. The Communications
Server is the main component responsible for receiving and handling
requests from the network. The Data Access Server is responsible for
handling requests from the Ingres JDBC Driver and .NET data providers.
These requests are decoded into Ingres internal formats and passed on to
other components of the database server.

The application does not properly validate the length of attacker supplied
data before copying it into a fixed size heap buffer. This leads to an
exploitable condition.

Analysis:
Exploitation allows an unauthenticated attacker to execute arbitrary code
with SYSTEM privileges.

In order to exploit this vulnerability an attacker would have to send a
malformed request to the database server. This requires the ability to
establish a TCP session on port 10916 (iigcc) or 10923 (iigcd).

Exploitation has been demonstrated to be trivial.

Workaround:
Employing firewalls or other access control methods can effectively reduce
exposure to this vulnerability.

Vendor response:
CA has made fixes available for all supported CA products that embed
Ingres. For more information consult CA's Security Alert at the following
URL.
<http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp> http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3334>
CVE-2007-3334

Disclosure timeline:
01/16/2007 - Initial vendor notification
01/17/2007 - Initial vendor response
06/21/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by <mailto:labs-no-reply@idefense.com>
iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=546>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=546

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: