-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: SQL Server 2000 Extended Stored Procedure Vulnerability Release Date: scheduled for 12/01/2000 Application: SQL Server 2000 Platform: Windows 2000 Advanced Server (no service packs) SQL Server 2000 Enterprise Edition Severity: An attacker can execute arbitrary code on the server Author: Chris Anley (dec0de@atstake.com) Vendor Status: vendor has patch, see below Web: www.atstake.com/research/advisories/2000/a120100-2.txt Overview: This advisory details multiple vulnerabilities in Microsoft SQL Server 2000 that allow an attacker to run arbitrary code on the SQL server in the context of a local administrator account. SQL Server provides a mechanism by which a database query can result in a call into a function called an "extended stored procedure". Several extended stored procedures supplied with SQL Server 2000 are vulnerable to buffer overflow attacks. Furthermore, in a default configuration these extended stored procedures can be executed by any user. Detailed Description: Extended stored procedures can be called by any client component that can issue a normal SQL Server query, such as Microsoft Access, or MSQuery. The ISQL utility, which is supplied with SQL Server, can also be used to call extended stored procedures. Web applications running on Internet Information Server frequently use the ActiveX Data Objects (ADO) API to connect to SQL Server databases. The syntax for calling extended stored procedures is as follows: exec , , ... For example, the following query will return a directory tree of the "c:\winnt" directoy: exec xp_dirtree 'c:\winnt' By passing extremely long strings for various parameters, it is possible to overrun the buffer space allocated for these parameters and execute arbitrary code. The following extended stored procedures are vulnerable: xp_peekqueue (xpqueue.dll), and xp_printstatements (xprepl.dll) An overly long string passed for the first parameter will cause an access violation and overwrite the exception handler's saved return address. xp_proxiedmetadata (xprepl.dll) Takes four parameters. An overly long string for the second will cause an access violation and overwrite the exception handler's saved return address. xp_SetSQLSecurity (xpstar.dll) Takes four parameters. An overly long string passed for the third parameter will cause an exception that results in the immediate termination of the entire SQL Server process. Proof of Concept: Source code available at: http://www.atstake.com/research/advisories/2000/sqladv2-poc.c Vendor Response: Microsoft has released a bulletin describing this issue: http://www.microsoft.com/technet/security/bulletin/ms00-092.asp Microsoft has released a patch to fix this problem: http://support.microsoft.com/support/sql/xp_security.asp Recommendation: Disallow PUBLIC execute access to these extended stored procedures usless you need it. Install the vendor supplied patch. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. xp_peekqueue - CAN-2000-1085 xp_printstatements - CAN-2000-1086 xp_proxiedmetadata - CAN-2000-1087 xp_SetSQLSecurity - CAN-2000-1088 Advisory Release policy: http://www.atstake.com/research/policy/ For more advisories: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2000 @stake, Inc. All rights reserved -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBOigS51ESXwDtLdMhEQJScQCgmc/uvWXU2WF/LqW8+FGCNfVXNyUAoPa5 9P9nhEauxKm1s7nttq2xgL4u =6Q/k -----END PGP SIGNATURE-----