MySQL MaxDB Webtool Remote 'If' Stack Overflow


Post by helly »

MaxDB by MySQL is "a re-branded and enhanced version of SAP DB, SAP AG's open source database. MaxDB is a heavy-duty, SAP-certified open source database that offers high availability, scalability and a comprehensive feature set. MaxDB complements the MySQL database server, targeted for large mySAP ERP environments and other applications that require maximum enterprise-level database functionality".

A vulnerability in MySQL MaxDB Webtool's 'If' header support allows remote attackers to cause the program to execute arbitrary code with SYSTEM privileges.

Credit:
The information has been provided by iDEFENSE.
The original article can be found at: http://www.idefense.com/application/poi ... rabilities

Details
Vulnerable Systems:
* MySQL MaxDB version 7.5.00.23

Immune Systems:
* MySQL MaxDB version 7.5.00.26

The vulnerability specifically exists because of a lack of bounds checking in the WebDAV functionality of the web tool. When an attacker issues an HTTP request with the unlock method, along with a long "If" parameter string, a stack-based overflow occurs.

Code Snips:
WDVH_Bool getIfHeader(sapdbwa_HttpRequestP request,
                      WDVH_Char *sIf,
                      WDVH_Int4 len)
{
    WDVH_Char *temp1, *temp2, *temp4, *temp5;
    WDVH_UInt4 length;
    WDVH_Char temp3[WDVH_MAX_IF_HEADER_LEN];   /* fixed-size stack buffer */

    if (request==NULL || sIf==NULL)
        return WDVH_False;

    strcpy(sIf,"");
    temp4 = (char*)sapdbwa_GetHeader(request,"If");   /* client-supplied header value, length unchecked */
    if (temp4 != NULL) {
        strcpy(temp3,temp4);   /* unbounded copy into temp3: no check against WDVH_MAX_IF_HEADER_LEN */
        /* remainder of the function is not included in the advisory */

The variable temp3 is a fixed-length stack buffer. The function sapdbwa_GetHeader() returns the user-supplied value for the "If" parameter. This user-supplied value is then copied into the fixed-size buffer using a strcpy() call. Because there is no boundary checking, it is possible to overflow the stack buffer and overwrite stack memory, ultimately leading to control of execution flow and execution of arbitrary code.

Note that the vulnerability is in the web administration service, which should be configured not to allow connections from untrusted hosts or listening on.

Workaround:
Filter traffic on TCP port 9999 from untrusted hosts destined for the MaxDB Webtool server.

Disclosure Timeline:
04/25/2005 - Initial vendor notification
04/26/2005 - Initial vendor response
04/26/2005 - Coordinated public disclosure
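For comparison, a bounds-checked version of the getIfHeader() pattern above, added here as an illustration and not MaxDB's own code: the WDVH types, the value of WDVH_MAX_IF_HEADER_LEN, the Request struct and the get_header() stand-in for sapdbwa_GetHeader() are all assumptions, and the header values are constructed.

```c
#include <stddef.h>
#include <string.h>
/* Stand-ins for the advisory's types; the real buffer size is not stated, 64 is assumed. */
typedef int  WDVH_Bool;
typedef char WDVH_Char;
#define WDVH_True  1
#define WDVH_False 0
#define WDVH_MAX_IF_HEADER_LEN 64
/* Constructed request: one header value plays the role of sapdbwa_GetHeader(request, "If"). */
typedef struct { const char *if_header; } Request;
static const char *get_header(const Request *req, const char *name) {
    return (req != NULL && strcmp(name, "If") == 0) ? req->if_header : NULL;
}
/* Hardened variant of getIfHeader(): the header length is checked against both the
 * stack buffer and the caller's buffer before anything is copied, so an oversized
 * "If" value is refused instead of being written past the end of temp3. */
WDVH_Bool getIfHeaderSafe(const Request *request, WDVH_Char *sIf, size_t len) {
    WDVH_Char temp3[WDVH_MAX_IF_HEADER_LEN];
    const char *hdr;
    size_t n;
    if (request == NULL || sIf == NULL || len == 0)
        return WDVH_False;
    sIf[0] = '\0';
    hdr = get_header(request, "If");
    if (hdr == NULL)
        return WDVH_True;            /* no If header present: nothing to copy */
    n = strlen(hdr);
    if (n >= sizeof temp3 || n >= len)
        return WDVH_False;           /* does not fit with its terminator: reject, do not truncate */
    memcpy(temp3, hdr, n + 1);       /* bounded copy including the NUL */
    memcpy(sIf, temp3, n + 1);
    return WDVH_True;
}
/* Helpers exercising both paths with constructed header values. */
int demo_short_header_accepted(void) {
    WDVH_Char out[128];
    Request r = { "(<opaquelocktoken:constructed-token>)" };
    return getIfHeaderSafe(&r, out, sizeof out) == WDVH_True &&
           strcmp(out, r.if_header) == 0;
}
int demo_long_header_rejected(void) {
    WDVH_Char out[128];
    char big[300];                   /* far longer than WDVH_MAX_IF_HEADER_LEN */
    Request r = { big };
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return getIfHeaderSafe(&r, out, sizeof out) == WDVH_False && out[0] == '\0';
}
```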
