Critical Risk Vulnerability in Ingres (Pointer Overwrite 1)

June 25th, 2007

=======
Summary
=======
Name: Ingres remote unauthenticated pointer overwrite 1
Release Date: 25 June 2007
Reference: NGS00391
Discoverer: Chris Anley
Vendor: Ingres
Vendor Reference: Ingres bug 115927, CVE-2007-3336, CAID 35450
Systems Affected: Ingres 2006 9.0.4 and prior
Risk: Critical
Status: Published

========
TimeLine
========
Discovered: 29 March 2006
Released: 29 March 2006
Approved: 29 March 2006
Reported: 29 March 2006
Fixed: 21 June 2007
Published: 25 June 2007

===========
Description
===========
Ingres 2006 is a venerable and functionality-rich RDBMS that has
recently been made available under the GNU General Public License (GPL).

There is a controllable pointer overwrite vulnerability in Ingres 2006
that is reachable prior to authentication and could allow an
unauthenticated attacker to execute arbitrary code within the context of
the database server process.

=================
Technical Details
=================
The Ingres Communications Server Process (iigcc) listens on TCP port
21064 in a default Linux install of Ingres 2006.

If a connection is made and data of a specific form is sent to this TCP
port twice in rapid succession, iigcc will call the QUremove function
with an attacker-controlled argument. QUremove then overwrites an
address controlled by the attacker with a value controlled by the
attacker, thereby allowing the attacker to gain control of the flow of
execution.

The stack trace at the point of the controllable overwrite is as follows:

(gdb) info stack
#0  0x08089648 in QUremove ()
#1  0x0805f08a in gcc_al ()
#2  0x0805aabf in gcc_plout_exec ()
#3  0x080598ee in gcc_pl_event ()
#4  0x080596e4 in gcc_pl ()
#5  0x080595b5 in gcc_slout_exec ()
#6  0x0805794c in gcc_sl_event ()
#7  0x08057744 in gcc_sl ()
#8  0x0805692e in gcc_tlout_exec ()
#9  0x08054469 in gcc_tl_event ()
#10 0x08054238 in gcc_tl ()
#11 0x0805566a in gcc_tl_exit ()
#12 0x0809a25f in GCbssm ()
#13 0x08083b0e in ii_CL_poll_call ()
#14 0x08083921 in iiCLpoll ()
#15 0x08080122 in GCexec ()
#16 0x0805307c in main ()

Proof of concept code that demonstrates this issue has been provided to
the vendor.
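The advisory does not print the body of QUremove, but "overwrites an
address controlled by the attacker with a value controlled by the
attacker" is the signature of an unchecked doubly-linked-list unlink,
where the element's two neighbour pointers are both taken from memory
the attacker has shaped. The example below is added here to illustrate
that primitive and the check that defeats it; it is not Ingres code and
not NGSSoftware's proof of concept. The QUEUE layout (q_next, q_prev),
the names unlink_unchecked and unlink_checked, and the landing-pad
buffer are assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed intrusive queue element. The real Ingres CL layout is not
 * given in the advisory; only the unlink pattern matters here. */
typedef struct queue {
    struct queue *q_next;
    struct queue *q_prev;
} QUEUE;

/* Unchecked unlink: two writes whose address AND value come from the
 * element itself. If the attacker shapes q_prev and q_next, the first
 * line is an arbitrary 4/8-byte write (write-what-where). */
static void unlink_unchecked(QUEUE *q)
{
    q->q_prev->q_next = q->q_next;   /* *(q_prev + off(q_next)) = q_next */
    q->q_next->q_prev = q->q_prev;   /* *(q_next + off(q_prev)) = q_prev */
}

/* Checked unlink ("safe unlinking"): refuse unless both neighbours
 * still point back at q. A forged element fails this unless the
 * attacker can also place a back-pointer at the target address. */
static int unlink_checked(QUEUE *q)
{
    if (q->q_prev == NULL || q->q_next == NULL ||
        q->q_prev->q_next != q || q->q_next->q_prev != q)
        return -1;
    q->q_prev->q_next = q->q_next;
    q->q_next->q_prev = q->q_prev;
    q->q_next = q->q_prev = q;      /* detach so a double unlink is harmless */
    return 0;
}

/* Writable "landing pad" standing in for attacker-chosen memory (e.g.
 * a buffer holding shellcode). The value written into the target must
 * itself be writable, because the second line of the unlink writes
 * q_prev back through it (the "reflected" write). */
static union { unsigned char bytes[64]; QUEUE q; } landing;

/* Build a forged element so that unlinking it overwrites *target with
 * the address of the landing pad, then perform the unchecked unlink.
 * Returns the new contents of *target. */
static QUEUE *forged_unlink(QUEUE **target, QUEUE *forged)
{
    forged->q_prev = (QUEUE *)((char *)target - offsetof(QUEUE, q_next));
    forged->q_next = &landing.q;
    unlink_unchecked(forged);
    return *target;
}

/* 1 if the forged element redirected `target` (think: a function
 * pointer or GOT slot the server will later call through). */
static int unchecked_write_hits_target(void)
{
    QUEUE *target = NULL;
    QUEUE forged;
    QUEUE *now = forged_unlink(&target, &forged);
    return now == &landing.q && landing.q.q_prev == forged.q_prev;
}

/* 1 if the checked unlink rejects the same forged element untouched. */
static int checked_rejects_forged(void)
{
    QUEUE *target = NULL;
    QUEUE forged;
    forged.q_prev = (QUEUE *)((char *)&target - offsetof(QUEUE, q_next));
    forged.q_next = &landing.q;
    return unlink_checked(&forged) == -1 && target == NULL;
}

/* 1 if the checked unlink still works on a well-formed circular list. */
static int checked_unlinks_legit(void)
{
    QUEUE head, a, b;
    head.q_next = &a;  head.q_prev = &b;
    a.q_next = &b;     a.q_prev = &head;
    b.q_next = &head;  b.q_prev = &a;
    if (unlink_checked(&a) != 0)
        return 0;
    return head.q_next == &b && b.q_prev == &head;
}

int main(void)
{
    printf("unchecked unlink hijacks target: %d\n", unchecked_write_hits_target());
    printf("checked unlink rejects forgery : %d\n", checked_rejects_forged());
    printf("checked unlink on legit list   : %d\n", checked_unlinks_legit());
    return 0;
}
```

The constraint shown by the landing pad is the practical one for this
bug class: the attacker's value must point at writable memory or the
reflected second write faults before control flow is reached. The
neighbour check in unlink_checked is the same mitigation glibc and the
Windows heap adopted for their free-list unlinks, and is the generic
fix for any queue-removal routine handed an element built from
network-controlled bytes.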

===============
Fix Information
===============
Ingres issued a patch for this issue on the 21st June 2007.

Further details are available at
http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp

Note that this issue affects a wide range of Computer Associates
products. A list of these products is available at
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778

The affected products are listed below:

Advantage Data Transformer r2.2
AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1
AllFusion Harvest Change Manager r7, r7.1
BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, Linux and
Mainframe Linux)
BrightStor ARCserve Backup for Laptops and Desktops r11.5
BrightStor Enterprise Backup (Unix only) r10.5
BrightStor Storage Command Center r11.5
BrightStor Storage Resource Manager r11.5
CleverPath Aion Business Rules Expert r10.1
CleverPath Aion Business Process Monitoring r10.1
CleverPath Predictive Analysis Server r3
DocServer 1.1
eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2
eTrust Audit r8 SP2
eTrust Directory r8.1
eTrust IAM Suite r8.0
eTrust IAM Toolkit r8.0, r8.1
eTrust Identity Manager r8.1
eTrust Network Forensics r8.1
eTrust Secure Content Manager r8
eTrust Single Sign-On r7, r8, r8.1
eTrust Web Access Control 1.0
Unicenter Advanced Systems Management r11
Unicenter Asset Intelligence r11
Unicenter Asset Management r11
Unicenter Asset Portfolio Management r11.2.1, r11.3
Unicenter CCS r11
Unicenter Database Command Center r11.1
Unicenter Desktop and Server Management r11
Unicenter Desktop Management Suite r11
Unicenter Enterprise Job Manager r1 SP3, r1 SP4
Unicenter Job Management Option r11
Unicenter Lightweight Portal 2
Unicenter Management Portal r3.1.1
Unicenter Network and Systems Management r3.0, r11
Unicenter Network and Systems Management - Tiered - Multi Platform r3.0
0305, r3.1 0403, r11.0
Unicenter Patch Management r11
Unicenter Remote Control 6, r11
Unicenter Service Accounting r11, r11.1
Unicenter Service Assure r2.2, r11, r11.1
Unicenter Service Catalog r11, r11.1
Unicenter Service Delivery r11.0, r11.1
Unicenter Service Intelligence r11
Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1
Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, r11.1,
r11.2
Unicenter Software Delivery r11
Unicenter TNG 2.4, 2.4.2, 2.4.2J
Unicenter Workload Control Center r1 SP3, r1 SP4
Unicenter Web Services Distributed Management 3.11, 3.50
Wily SOA Manager 7.1

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
