COMMAND

    SQL Server BULK INSERT command remote overflow

SYSTEMS AFFECTED

    Microsoft SQL Server 2000

PROBLEM

    In Mark Litchfield [mark@ngssoftware.com] advisory [#NISR11072002]
    [http://www.ngssoftware.com/advisories/ms-sqlbi.txt]:

    The 'BULK INSERT' query will take a user supplied file name and insert
    the contents of this file into a specified table. By supplying an overly
    long filename to the query, a buffer is overflowed and the saved return
    address stored on the stack is overwritten. This allows the attacker to
    gain control over the process' execution. SQL Server 2000 can be run in
    the security context of a domain account or LOCAL SYSTEM, so depending
    upon the particular setup, an attacker may be able to gain complete
    control over the vulnerable system.

    To be able to use the 'BULK INSERT' query one must have the privileges
    of the database owner or dbo. Note this does not necessarily imply 'sa'
    equivalence.

    Another point to note is that whilst this overflow is 'UNICODE' in
    nature, by supplying code as a UNICODE string exploitation is made
    easier.

SOLUTION

    Get patch from:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-034.asp
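
A detection sketch for the condition described above, added here as an example and not part of the advisory or of any vendor tooling: it scans captured SQL statements for BULK INSERT calls whose file name argument is implausibly long. The 260-character limit (Windows MAX_PATH), the function name and the sample statements are assumptions; the advisory does not state the overflow length.

```python
import re

# Assumption: the page gives no overflow length, so flag any file name longer
# than the classic Windows MAX_PATH (260), which no legitimate path exceeds.
MAX_PATH = 260

# BULK INSERT <table> FROM [N]'<file>'; T-SQL escapes a quote inside a
# literal by doubling it (''), so the literal body is (?:[^']|'')*.
BULK_INSERT_RE = re.compile(
    r"\bBULK\s+INSERT\s+(?P<table>\S+)\s+FROM\s+N?'(?P<file>(?:[^']|'')*)'",
    re.IGNORECASE,
)


def find_suspicious_bulk_inserts(statements, limit=MAX_PATH):
    """Return (index, table, filename_length) for each BULK INSERT whose
    file name argument is longer than `limit` characters."""
    hits = []
    for index, sql in enumerate(statements):
        for match in BULK_INSERT_RE.finditer(sql):
            # Undo the doubled-quote escape before measuring the length.
            filename = match.group("file").replace("''", "'")
            if len(filename) > limit:
                hits.append((index, match.group("table"), len(filename)))
    return hits


# Constructed sample statements (not taken from the advisory).
SAMPLE_STATEMENTS = [
    "BULK INSERT sales.dbo.orders FROM 'c:\\data\\orders.txt'",
    "bulk insert tmp\n  from N'" + "A" * 4000 + "' WITH (FIELDTERMINATOR = ',')",
    "SELECT 'BULK INSERT is only mentioned here' AS note",
    "BULK INSERT t FROM 'c:\\it''s.txt'; BULK INSERT t2 FROM '" + "\\" * 300 + "'",
]

if __name__ == "__main__":
    for index, table, length in find_suspicious_bulk_inserts(SAMPLE_STATEMENTS):
        print(f"statement {index}: BULK INSERT into {table}, file name is {length} chars")
```

Because only database owners can issue BULK INSERT, a hit from an account that does not normally run bulk loads is worth reviewing even after the patch is applied.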