Rapid7 Vulnerability & Exploit Database

Sybase Remote Password Array Denial of Service

Back to Search

Sybase Remote Password Array Denial of Service

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
12/15/2003
Created
07/25/2018
Added
11/01/2004
Modified
03/21/2018

Description

Sybase Adaptive Server Enterprise (ASE) 12.5 is susceptible to a denial of service attack when a login is made with an invalid remote password array.

Connecting to Sybase Adaptive Server Enterprise (ASE) 12.5 with a valid login (correct user ID and password) and an invalid remote password array causes an access violation on the server, resulting in a denial of service. The SQL server is still running, accepting new incoming connections. However, it does not respond to new login requests, causing clients to wait indefinitely.

The remote password array is included in the TDS LOGINREC structure and is of the format:

   byte      first server name length
   byte[]    first server name
   byte      first password length
   byte[]    first password
   byte      next server name length
   ...
   byte      total length of remote password arary

By specifying invalid lengths, a heap overflow can be triggered. Preliminary investigation does not show that this can be exploited to execute arbitrary code.

Solution(s)

  • tds-sybase-remote-pw-array-dos

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;