Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5126.htm

SQL Server - Sql Server buffer overflow



25th Feb 2002 [SBWID-5126]
COMMAND

	Sql Server buffer overflow

SYSTEMS AFFECTED

	MSDE, Sql Server 7, Sql Server 2000

PROBLEM

	In Cesar Cerrudo advisory [CC020201] [CC030202] :
	

	--snip--
	

	OpenDataSource and OpenRowset functions are accessible to all users  and
	contain an unchecked  buffer  in  one  of  its  parameters.  The  buffer
	overflow and DOS problem ocurr when an overly long  string  is  supplied
	in the "provider name" parameter.
	 

	In Sql server 7 overflow starts at character  number  6819  and  if  the
	amount of characteres is >= 6918 the server will crash :
	

	SELECT * 

	FROM OpenDataSource(

	'XXXXXXXXXXX...' ---> 6819 characteres or more

	,'')...nothing

	

	SELECT * FROM OPENROWSET(

	'XXXXXXXXXXX...' ---> 6819 characteres or more

	,'',

	'') 

	

	In Sql server 2000 overflow starts at character number 6887 and  if  the
	amount of characteres is >= 6998 the server will crash :
	

	SELECT * 

	FROM OpenDataSource(

	'XXXXXXXXXXX...' ---> 6887 characteres or more

	,'')...nothing

	

	SELECT * FROM OPENROWSET(

	'XXXXXXXXXXX...' ---> 6887 characteres or more

	,'',

	'') 

	

	Depend on de amount of characters some registry values  are  overwriten.
	Try with this examples and then take a look at the dump file.
	

	--snap--
	

	 Update (06 March 2002)

	 ======

	

	-Also-
	

	The extended store procedure xp_dirtree allows to ALL users to  retrieve
	the subdirectory structure of a given drive o folder. A buffer  overflow
	ocurr when an overly long string is supplied :
	

	xp_dirtree 'XXXXXX...'----> many, many X's

	 or as unicode :

	xp_dirtree N'XXXXXX...'----> many, many X's

	

	

	 Update (14 March 2002)

	 ======

	Get full details from :
	

	http://www.appsecinc.com/resources/alerts/mssql/02-0000.html

	

	

	The following are also at cause :
	

	xp_controlqueueservice

	xp_createprivatequeue

	xp_createqueue

	xp_decodequeuecmd

	xp_deleteprivatequeue

	xp_deletequeue

	xp_displayqueuemesgs

	xp_dsninfo

	xp_mergelineages

	xp_oledbinfo

	xp_proxiedmetadata

	xp_readpkfromqueue

	xp_readpkfromvarbin

	xp_repl_encrypt

	xp_resetqueue

	xp_sqlinventory

	xp_unpackcab 

	

	

	 Sample :

	 ======

	

	 xp_proxiedmetadata 

	 Versions vulnerable: SQL Server 2000 and SQL Server 7.0 (xprepl.dll) 

	 Default permissions granted: public 

	 Overflow occurred for Unicode buffers 

	 Code examples:

	 -- overflow on both SQL Server 7 and 2000 when a Unicode-buffer greater than   

	 4000 characters is passed as the first parameter

	  xp_proxiedmetadata N'AAAAAAAAAA[4000+]', '', '', '' 

	

	 xp_mergelineages 

	 Versions vulnerable: SQL Server 2000 (xprepl.dll) 

	 Default permissions granted: public 

	 Overflow occurred for Unicode buffers 

	 Code examples:

	 -- buffer overflow with a Unicode-buffer of more than 4000 characters is  

	 passed into the first parameter

	  xp_mergelineages N'AAAAAAAAAA[4000+]', '', '' 

SOLUTION

	 Patch (update 25 July 2002)

	 =====

	

	See : http://www.microsoft.com/technet/security/bulletin/ms02-038.asp
	

	 Workaround

	 ==========

	

	Drop the extended store procedure and its DLL for second bug. To  remove
	these extended stored procedures from Microsoft  SQL  Server  2000,  run
	the following script:
	

	use master

	go

	drop procedure xp_decodequeuecmd

	go

	drop procedure xp_controlqueueservice

	go

	drop procedure xp_createprivatequeue

	go

	drop procedure xp_createqueue

	go

	drop procedure xp_deleteprivatequeue

	go

	drop procedure xp_deletequeue

	go

	drop procedure xp_displayqueuemesgs

	go

	drop procedure xp_mergelineages

	go

	drop procedure xp_oledbinfo

	go

	drop procedure xp_proxiedmetadata

	go

	drop procedure xp_readpkfromqueue

	go

	drop procedure xp_readpkfromvarbin

	go

	drop procedure xp_repl_encrypt

	go

	drop procedure xp_resetqueue

	go

	drop procedure xp_unpackcab

	go

	

	To remove these extended stored procedures  from  Microsoft  SQL  Server
	7.0, run the following script:
	 

	use master

	go

	drop procedure xp_repl_encrypt

	go

	drop procedure xp_oledbinfo

	go

	drop procedure xp_dsninfo

	go

	drop procedure xp_proxiedmetadata

	go

	drop procedure xp_sqlinventory

	go 

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH