|
Source: http://aluigi.org/adv/soliddb_1-adv.txt
#######################################################################
Luigi Auriemma
Application: IBM solidDB
http://www-01.ibm.com/software/data/soliddb/
Versions: <= 6.5.0.3
Platforms: AIX, Linux, Solaris, Windows
Bug: Denial of Service
Exploitation: remote, versus server
Date: 15 Oct 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
"IBM solidDB product family features relational, in-memory database
technology that delivers extreme speed, performing up to ten times
faster than conventional, disk-based databases."
#######################################################################
======
2) Bug
======
The solid.exe service listening on port 1315 can be crashed by an
external attacker through a malformed type of packet.
The bugged function is located at address 0063dc60 which is called
recursively if the packet contains a particular value between the range
of values 15001 and 15100 (switch 9).
The effects of the problem can be:
- stack exaustion by using over 14000 of these values so that all the
memory of the stack gets consumed by these recursive callings
- NULL pointer due to the usage of only one of these values where an
unused pointer (set to zero) is used in a comparison operation
- invalid memory access by using also another type of value after those
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/soliddb_1.zip
http://www.exploit-db.com/sploits/soliddb_1.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
|
推荐
评论(0条)
