Aerospike Database Server Execute Code Overflow Vulnerability
12 Jul. 2017
An exploitable stack-based buffer overflow vulnerability exists in the querying functionality of Aerospike Database Server 18.104.22.168. A specially crafted packet can cause a stack-based buffer overflow in the function as_sindex__simatch_list_by_set_binid resulting in remote code execution. An attacker can simply connect to the port to trigger this vulnerability.
* Aerospike Database Server 22.214.171.124
Aerospike Database Server is both a distributed and scalable NoSQL database that is used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in ram with the ability to persist data to a solid-state drive or traditional rotational media.
When processing a packet from the client, the server will execute the thr_demarshal function. After accepting a connection on the socket, the server will read the header from the packet and check it's protocol type. If its protocol type specifies that the packet is compressed (PROTOTYPEASMSGCOMPRESSED), it will decompress it with zlib and then continue to process the packet . Later, when the protocol type is PROTOTYPEAS_MSG the server will pass the packet to the thr_tsvc_process_or_enqueue function .