Vulnerabilities > CVE-2011-1208 - Denial of Service vulnerability in IBM solidDB 'rpc_test_svc' Commands

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
ibm
nessus

Summary

IBM solidDB 4.5.x before 4.5.182, 6.0.x before 6.0.1069, 6.1.x and 6.3.x before 6.3 FP8 (aka 6.3.49), and 6.5.x before 6.5 FP4 (aka 6.5.0.4) does not properly handle the (1) rpc_test_svc_readwrite and (2) rpc_test_svc_done commands, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted command. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference'

Nessus

NASL family: Windows
NASL id: SOLIDDB_6_5_0_4.NASL
description: According to its version number, the solidDB install on the remote host is affected by two denial of service vulnerabilities due to a flaw in the way the application handles the 'rpc_test_svc_readwrite' and 'rpc_test_svc_done' procedure commands.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 53812
published: 2011-05-05
reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/53812
title: IBM solidDB < 4.5.182 / 6.0.1069 / 6.3.49 / 6.5.0.4 Denial of Service
code
#
#  (C) Tenable Network Security, Inc.
#

include("compat.inc");

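# Registration pass: when 'description' is set the script only records the
# metadata below and leaves through the exit(0) at the end of this block,
# before any of the check logic further down runs.
if (description)
{
  script_id(53812);
  script_version("1.8");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  # Advisory cross-references for the issue this plugin reports.
  script_cve_id("CVE-2011-1208");
  script_bugtraq_id(47584);
  script_xref(name:"TRA", value:"TRA-2011-03");
  script_xref(name:"Secunia", value:"44380");

  script_name(english:"IBM solidDB < 4.5.182 / 6.0.1069 / 6.3.49 / 6.5.0.4 Denial of Service");
  script_summary(english:"Checks version of solid.exe");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by two denial of service
vulnerabilities." );
  # Wording repaired: the original text read "and and 'rpc_test_svc_done'procesure".
  script_set_attribute(attribute:"description", value:
"According to its version number, the solidDB install on the remote
host is affected by two denial of service vulnerabilities due to a
flaw in the way the application handles the 'rpc_test_svc_readwrite'
and 'rpc_test_svc_done' procedure commands.

A remote unauthenticated attacker can leverage these issues to cause
the application to de-reference a NULL pointer and subsequently
crash.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2011-03");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-142/");
  script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21496106");
  script_set_attribute(attribute:"solution", value:"Upgrade to IBM solidDB 4.5.182, 6.0.1069, 6.3 Fix Pack 8, 6.5 Fix Pack 4, or later.");

  # NOTE(review): this base vector rates availability impact as Partial
  # (A:P), while the CVE-2011-1208 entry shown with this plugin lists
  # availability impact COMPLETE and a 7.8 base score. Confirm which rating
  # should drive triage before relying on the plugin's severity alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/04/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/04/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/05");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:soliddb");
  # Declared as a 'local' check: the result comes from install data already in
  # the knowledge base (see the required key below), not from exercising the
  # affected RPC commands against the service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  # The plugin runs only after the solidDB detection plugins and only when
  # they recorded an install on the host.
  script_dependencies("soliddb_installed.nasl", "soliddb_detect.nasl");
  script_require_keys("SMB/solidDB/installed");

  exit(0);
}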

include("global_settings.inc");
include("misc_func.inc");

# Below paranoia level 2 the check stops unless a 'Services/soliddb' entry is
# in the KB -- presumably so that an install found on disk is not reported
# when no solidDB service was detected on the host (confirm against
# soliddb_detect.nasl).
if (report_paranoia < 2)
{
  get_kb_item_or_exit('Services/soliddb');
}

# Stop unless the 'SMB/Registry/Enumerated' KB item is present.
get_kb_item_or_exit('SMB/Registry/Enumerated');

# Install paths are read from KB keys of the form 'SMB/solidDB/<version>/path';
# the version is recovered from the key name later in the script.
installs = get_kb_list('SMB/solidDB/*/path');
if (isnull(installs))
{
  exit(1, 'The SMB/solidDB/*/path KB list is missing.');
}

# Compare every recorded solidDB install against the fixed build for its
# release branch, counting the vulnerable ones and accumulating one report
# entry per vulnerable install.
vuln = 0;
report = '';
foreach kb_key (keys(installs))
{
  # The KB key has the form 'SMB/solidDB/<version>/path'; strip both ends to
  # leave only the version string.
  version = kb_key - 'SMB/solidDB/' - '/path';

  # Pick the fixed build by version prefix. Branches are written 4.50 / 6.30
  # here where the advisory says 4.5 / 6.3 -- presumably the file-version
  # form of those releases (TODO confirm).
  # NOTE(review): the CVE text for this issue also lists 6.1.x as affected
  # (fixed by 6.3 FP8), but no branch below matches a 6.1 prefix, so such an
  # install gets no fix version and is skipped. Confirm whether 6.1 builds
  # can appear in the KB and under which version string.
  fix = NULL;
  if (version =~ '^([0-3]\\.|4\\.[0-5]0\\.)') fix = '4.50.0.182';
  else if (version =~ '^6\\.0\\.') fix = '6.0.0.1069';
  else if (version =~ '^6\\.30\\.') fix = '6.30.0.49';
  else if (version =~ '^6\\.5\\.') fix = '6.5.0.4';

  # Branches with no known fixed build are not evaluated.
  if (!fix) continue;

  # ver_compare() returning -1 means the installed build is older than the fix.
  if (ver_compare(ver:version, fix:fix) == -1)
  {
    vuln++;

    entry =
      '\n  Path              : ' + installs[kb_key] +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix + '\n';
    report += entry;
  }
}

# No vulnerable install was collected: finish with an informational message.
if (!report)
{
  exit(0, 'No vulnerable installs of solidDB were detected on the remote host.');
}

# The finding is attached to the SMB transport port recorded in the KB.
port = get_kb_item("SMB/transport");

if (report_verbosity > 0)
{
  # Singular or plural wording depending on how many installs were flagged.
  if (vuln > 1) plural = 's of solidDB were found ';
  else plural = ' of solidDB was found ';

  report =
    '\n  The following vulnerable install' + plural + 'on the' +
    '\n  remote host :' +
    '\n' +
    report;
  security_warning(port:port, extra:report);
}
else
{
  # Verbosity disabled: raise the finding without the per-install details.
  security_warning(port:port);
}
exit(0);