Date: Mon Jun 25 2007 - 13:34:55 CDT
What If; Ingres Were A Microsoft Product?
> Name: Microsoft Ingres stack overflow
> Release Date: 25 June 2007
> Reference: NGS00069
> Discoverer: Chris Anley <chrisngssoftware.com>
> Vendor: Microsoft
> Vendor Reference: [MS07-036, CVE-2006-0069]
> Systems Affected: Microsoft Ingres 2006 9.0.4 and prior
> Risk: Low
> Status: Published
> Discovered: 27 March 2005
> Released: 27 March 2005
> Approved: 27 March 2005
> Reported: 27 March 2005
> Fixed: 21 June 2007
> Published: 25 June 2007
> Microsoft Ingres 2006 is a venerable and functionality-rich
> There is a stack buffer overflow.
> Technical Details
> NGSSoftware are going to withhold details of this flaw for three
> months. Full details will be published on the 25th September
> This three month window will allow users of Microsoft Ingres the
> time needed to apply the patch before the details are released to
> the general public. This reflects NGSSoftware's approach to
> responsible disclosure.
Whilst Fourteen Fortnights Hence, A Dearth Of Details Doth Betray
The Bluehatted Bedfellowship.
But Lo, Ingres Are Open Source, And There Are Two Sides To Every
Standard, Demonstrated Thusly By The Four Day Full Disclosure:
> Technical Details
> The Ingres verifydb utility parses command line arguments in
> the duve_get_args function in the file duveutil.c. When an
> argument of the form -dbms_testAAAAAAAAAAAAAA...<lots of As>
> is passed, the following code is
> case 'd': /* debug flag - should be 1st parameter */
>     if (MEcmp((PTR)argv[parmno], (PTR)"-dbms_test", (u_i2)10)
>         == DU_IDENTICAL)
>     {
>         char numbuf[NUMBUF_SIZE]; /* scratch pad to read in number
>                                   ** (fixed-size stack buffer; the bound
>                                   ** is not shown in the quoted excerpt) */
>         /* the DBMS_TEST flag was specified. See if a numeric
>         ** value was attached to it. If so, convert to decimal.
>         */
>         if (argv[parmno][10])
>         {
>             /* copies everything after "-dbms_test" with no length check */
>             STcopy(&argv[parmno][10], numbuf);
>             cv_numbuf(numbuf, &duve_cb->duve_dbms_test);
>         }
>         else
>             duve_cb->duve_dbms_test = -1;
>         duve_cb->duve_debug = TRUE;
>     }
> The argument data beyond the string '-dbms_test' is copied
> into the buffer 'numbuf' using the STcopy function, with no
> length check of the copied data. This results in variables on
> the stack being overwritten, including the saved return address.
Technical Communication, Or Total Coverup, May Both Be Justified,
But A Dollar Standard Double Standard Is An Indefensible Injury To
Integrity In An Industry Already In Short Supply Thereof.
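To make the flaw in the quoted excerpt concrete, here is an added example (mine, not code from the advisory, from NGSSoftware, or from the Ingres source) that models the duve_get_args pattern: an argument of the form "-dbms_test<number>" whose suffix is copied into a fixed-size stack buffer. The function names, the NUMBUF_SIZE bound, the return codes and the sample arguments are all assumptions constructed for the example. The unbounded version keeps the shape of the flawed code for comparison; the bounded version rejects any suffix that would not fit and validates that it is actually a number, and a small pre-flight check reports whether a given argument would overflow a buffer of a given size, which is the kind of predicate a reviewer or a fuzzing harness can apply without ever running the unsafe copy.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DBMS_TEST_FLAG     "-dbms_test"
#define DBMS_TEST_FLAG_LEN (sizeof(DBMS_TEST_FLAG) - 1)  /* 10, as in the MEcmp call */
#define NUMBUF_SIZE        16  /* assumed size of the stack scratch buffer */

/* Parser outcomes (assumed names, not an Ingres API). */
enum { DT_NOT_FLAG = 0, DT_NUMBER = 1, DT_NO_NUMBER = 2, DT_REJECTED = -1 };

/* Shape of the flawed code: unbounded copy of the suffix into a fixed
 * stack buffer. Kept only for comparison; nothing in this file calls it
 * with an over-long argument. */
static int parse_dbms_test_unbounded(const char *arg, int *value)
{
    char numbuf[NUMBUF_SIZE];
    if (strncmp(arg, DBMS_TEST_FLAG, DBMS_TEST_FLAG_LEN) != 0)
        return DT_NOT_FLAG;
    if (arg[DBMS_TEST_FLAG_LEN] == '\0') { *value = -1; return DT_NO_NUMBER; }
    strcpy(numbuf, arg + DBMS_TEST_FLAG_LEN);  /* no length check: the overflow */
    *value = atoi(numbuf);
    return DT_NUMBER;
}

/* Hardened form: refuse anything that would not fit, then validate that
 * the suffix is a well-formed decimal integer before using it. */
static int parse_dbms_test_bounded(const char *arg, int *value)
{
    char numbuf[NUMBUF_SIZE];
    const char *suffix;
    char *end;
    long n;

    if (strncmp(arg, DBMS_TEST_FLAG, DBMS_TEST_FLAG_LEN) != 0)
        return DT_NOT_FLAG;
    suffix = arg + DBMS_TEST_FLAG_LEN;
    if (*suffix == '\0') { *value = -1; return DT_NO_NUMBER; }
    /* strnlen stops scanning at NUMBUF_SIZE, so an arbitrarily long
     * argument is rejected without touching more than that many bytes. */
    if (strnlen(suffix, NUMBUF_SIZE) >= NUMBUF_SIZE)
        return DT_REJECTED;
    memcpy(numbuf, suffix, strlen(suffix) + 1);  /* now known to fit */
    errno = 0;
    n = strtol(numbuf, &end, 10);
    if (end == numbuf || *end != '\0' || errno == ERANGE ||
        n > INT_MAX || n < INT_MIN)
        return DT_REJECTED;  /* not a number, trailing junk, or out of range */
    *value = (int)n;
    return DT_NUMBER;
}

/* Pre-flight predicate: would the unbounded copy overflow a buffer of
 * bufsize bytes for this argument? Returns 1 if so, 0 otherwise. */
static int dbms_test_suffix_overflows(const char *arg, size_t bufsize)
{
    if (strncmp(arg, DBMS_TEST_FLAG, DBMS_TEST_FLAG_LEN) != 0)
        return 0;
    return strlen(arg + DBMS_TEST_FLAG_LEN) + 1 > bufsize;
}

int main(void)
{
    /* Constructed sample arguments: a benign value, the bare flag, an
     * unrelated flag, and the advisory's long run of 'A's. */
    const char *args[] = {
        "-dbms_test42", "-dbms_test", "-verbose",
        "-dbms_testAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    };
    size_t i;
    for (i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        int value = 0;
        int rc = parse_dbms_test_bounded(args[i], &value);
        printf("%-45s bounded rc=%2d value=%3d  would_overflow=%d\n",
               args[i], rc, value,
               dbms_test_suffix_overflows(args[i], NUMBUF_SIZE));
    }
    return 0;
}
```

On the benign inputs both parsers agree; only the bounded one can be handed the long argument safely. The same predicate, with NUMBUF_SIZE replaced by the real bound, is what a code reviewer would want to see enforced at every STcopy of attacker-controlled data.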
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/