Atstake Security Advisory 00-12-01.2

Posted Dec 3, 2000
Authored by Atstake | Site atstake.com

Atstake Security Advisory A120100-2 - This advisory details multiple vulnerabilities in Microsoft SQL Server 2000 that allow an attacker to run arbitrary code on the SQL server in the context of a local administrator account. SQL Server provides a mechanism by which a database query can result in a call into a function called an "extended stored procedure". Several extended stored procedures supplied with SQL Server 2000 are vulnerable to buffer overflow attacks. Furthermore, in a default configuration these extended stored procedures can be executed by any user. Proof of concept code available here.

tags | overflow, arbitrary, local, vulnerability, proof of concept
SHA-256 | ec739fab767d599a0ee58f32f2ff762f3b6dfc21601af5994abc47bc96a9b5ec

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


@stake, Inc.
www.atstake.com

Security Advisory


Advisory Name: SQL Server 2000 Extended Stored Procedure Vulnerability
Release Date: scheduled for 12/01/2000
Application: SQL Server 2000
Platform: Windows 2000 Advanced Server (no service packs)
SQL Server 2000 Enterprise Edition
Severity: An attacker can execute arbitrary code on the server
Author: Chris Anley (dec0de@atstake.com)
Vendor Status: vendor has patch, see below
Web: www.atstake.com/research/advisories/2000/a120100-2.txt


Overview:

This advisory details multiple vulnerabilities in Microsoft SQL Server
2000 that allow an attacker to run arbitrary code on the SQL server in the
context of a local administrator account.

SQL Server provides a mechanism by which a database query can result in a
call into a function called an "extended stored procedure". Several
extended stored procedures supplied with SQL Server 2000 are vulnerable to
buffer overflow attacks. Furthermore, in a default configuration these
extended stored procedures can be executed by any user.

Detailed Description:

Extended stored procedures can be called by any client component that can
issue a normal SQL Server query, such as Microsoft Access, or MSQuery. The
ISQL utility, which is supplied with SQL Server, can also be used to call
extended stored procedures. Web applications running on Internet
Information Server frequently use the ActiveX Data Objects (ADO) API to
connect to SQL Server databases.

The syntax for calling extended stored procedures is as follows:

exec <stored procedure name> <arg1>, <arg2>, ...

For example, the following query will return a directory tree of the
"c:\winnt" directory:

exec xp_dirtree 'c:\winnt'

By passing extremely long strings for various parameters, it is possible
to overrun the buffer space allocated for these parameters and execute
arbitrary code.

The following extended stored procedures are vulnerable:

xp_peekqueue (xpqueue.dll), and xp_printstatements (xprepl.dll)

An overly long string passed for the first parameter will cause an access
violation and overwrite the exception handler's saved return address.

xp_proxiedmetadata (xprepl.dll)

Takes four parameters. An overly long string for the second will cause an
access violation and overwrite the exception handler's saved return address.

xp_SetSQLSecurity (xpstar.dll)

Takes four parameters. An overly long string passed for the third parameter
will cause an exception that results in the immediate termination of the
entire SQL Server process.


Proof of Concept:

Source code available at:
http://www.atstake.com/research/advisories/2000/sqladv2-poc.c

Vendor Response:

Microsoft has released a bulletin describing this issue:
http://www.microsoft.com/technet/security/bulletin/ms00-092.asp

Microsoft has released a patch to fix this problem:
http://support.microsoft.com/support/sql/xp_security.asp


Recommendation:

Disallow PUBLIC execute access to these extended stored procedures unless
you need it.

Install the vendor supplied patch.
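The following T-SQL is an added example of the first recommendation, not part of the @stake advisory or of the Microsoft patch. It revokes PUBLIC execute permission on the four extended stored procedures named above and then lists any extended stored procedure in master on which PUBLIC still holds EXECUTE, so an administrator can confirm the change. It assumes the SQL Server 2000 system catalog layout (sysobjects.xtype 'X' for extended stored procedures, sysprotects.uid 0 for the public role, action 224 for EXECUTE, protecttype 204/205 for GRANT); sp_helprotect can be used as a cross-check.

```sql
-- Extended stored procedures live in master, so the permission changes go there.
USE master
GO

-- Remove the default PUBLIC execute grant on the four procedures in the advisory.
REVOKE EXECUTE ON xp_peekqueue       FROM public
REVOKE EXECUTE ON xp_printstatements FROM public
REVOKE EXECUTE ON xp_proxiedmetadata FROM public
REVOKE EXECUTE ON xp_SetSQLSecurity  FROM public
GO

-- Audit query: every extended stored procedure that PUBLIC can still execute.
-- Assumed catalog codes (SQL Server 2000): uid 0 = public, action 224 = EXECUTE,
-- protecttype 204 = GRANT WITH GRANT OPTION, 205 = GRANT.
SELECT o.name AS extended_procedure
FROM   sysobjects o
       JOIN sysprotects p ON p.id = o.id
WHERE  o.xtype = 'X'
  AND  p.uid = 0
  AND  p.action = 224
  AND  p.protecttype IN (204, 205)
ORDER BY o.name
GO

-- Per-object cross-check of the resulting permissions.
EXEC sp_helprotect 'xp_peekqueue'
EXEC sp_helprotect 'xp_printstatements'
EXEC sp_helprotect 'xp_proxiedmetadata'
EXEC sp_helprotect 'xp_SetSQLSecurity'
GO
```

The revokes take effect immediately for new sessions; members of the sysadmin role are unaffected by the PUBLIC grant either way, so applications that legitimately need these procedures should be given an explicit grant to a dedicated role rather than relying on PUBLIC. Run the audit query again after installing the vendor patch to confirm no grant was restored.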


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

xp_peekqueue - CAN-2000-1085
xp_printstatements - CAN-2000-1086
xp_proxiedmetadata - CAN-2000-1087
xp_SetSQLSecurity - CAN-2000-1088


Advisory Release policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOigS51ESXwDtLdMhEQJScQCgmc/uvWXU2WF/LqW8+FGCNfVXNyUAoPa5
9P9nhEauxKm1s7nttq2xgL4u
=6Q/k
-----END PGP SIGNATURE-----