← Advisories

Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability

High
Advisory ID
ZSL-2010-4971
Release Date
22 October 2010
Vendor
Altova GmbH - http://www.altova.com
Affected Version
Enterprise Edition 2011
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (English)
Summary

Altova DatabaseSpy® 2011 is the unique multi-database query, design, and database comparison tool. It connects to all major databases, easing SQL editing, database structure design, database content editing, database schema and content comparison, and database conversion for a fraction of the cost of single-database solutions.

Description

The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer overflow/memory corruption vulnerability when handling project files (.qprj). The issue is triggered because there is no boundry checking of some XML tag property values, ex: <Folder FolderName="SQL" Type="AAAAAAA..../>" (~1000 bytes). This can aid the attacker to execute arbitrary machine code in the context of an affected node (locally and remotely) via file crafting or computer-based social engineering.

(342c.37c0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=04430041 ebx=0203ff98 ecx=0443deda edx=56413f2e esi=0022dd98 edi=00000016 eip=00420b83 esp=0022dc00 ebp=00000017 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 *** ERROR: Symbol file could not be found. Defaulted to export symbols for DatabaseSpy.exe - DatabaseSpy+0x20b83: 00420b83 663b02 cmp ax,word ptr [edx] ds:0023:56413f2e=????
Proof of Concept
dbspy_bof.plTXT
Disclosure Timeline
17.10.2010Vulnerability discovered.
17.10.2010Initial contact with the vendor with sent PoC files.
21.10.2010No reply from vendor.
22.10.2010Public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://www.exploit-db.com/exploits/15301
[2]http://www.packetstormsecurity.org/filedesc/ZSL-2010-4971.txt.html
[3]http://inj3ct0r.com/exploits/14559
[4]http://securityreason.com/exploitalert/9352
[5]http://www.securityfocus.com/bid/44323
[6]http://www.pulog.org/bugs/1677/Altova-DatabaseSpy-bof/
[7]http://www.vfocus.net/art/20101025/8119.html
[8]http://xforce.iss.net/xforce/xfdb/62734
Changelog
22.10.2010Initial release
23.10.2010Added reference [4]
24.10.2010Added reference [5]
25.10.2010Added reference [6]
26.10.2010Added reference [7]
10.11.2010Added reference [8]