24th Dec 2001 [SBWID-4956]
COMMAND
SQL Server functions format strings and buffer overflows issues
SYSTEMS AFFECTED
Microsoft SQL Server 7.0 and 2000
PROBLEM
Chris Anley [chrisanley@hushmail.com] and Chris Wysopal
[cwysopal@atstake.com] released the following in an @stake advisory
[www.atstake.com/research/advisories/2001/a122001-1.txt]:
--snip--
The raiserror()
function is accessible to all users, and permits the specification of
an overly long length specifier. This results in an exploitable
overflow. Additionally, format string specifiers can be used, enabling
an attacker to overwrite an arbitrary address in memory. This can
result in the execution of arbitrary code.
The formatmessage()
built-in function is accessible to all users. By creating specifically
crafted messages any user can subsequently cause malicious code
contained in the message to be executed.
The xp_sprintf
extended stored procedure (which is accessible to the 'public' role
by default) permits the specification of overly long length specifiers.
This results in an exploitable overflow.
--snip--
SOLUTION
The vendor has made patches available:
SQL Server:
SQL Server 7.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34131
SQL Server 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34131
C Runtime:
Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33500
Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33500
Windows XP:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=35023
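As an added example (not part of the @stake advisory or of Microsoft's patch), a T-SQL audit-and-hardening script an administrator can run on SQL Server 7.0/2000 to confirm the build and remove the default public grant on xp_sprintf while the patch is rolled out. It assumes xp_sprintf is in its default location in master and that no low-privileged application login legitimately calls it.

```sql
-- Added hardening check; not part of the @stake advisory or Microsoft's patch.
-- Run as a sysadmin on SQL Server 7.0 / 2000. Assumes xp_sprintf lives in
-- master (its default location) and that no low-privileged application
-- login legitimately needs it.
USE master
GO

-- 1. Record the build so the patch level can be confirmed afterwards.
SELECT @@VERSION AS server_version
GO

-- 2. Show who currently holds permissions on xp_sprintf. A row with
--    Grantee = 'public' and Action = 'Execute' is the default, exposed state.
EXEC sp_helprotect 'xp_sprintf'
GO

-- 3. Remove the default public grant. This only narrows who can reach the
--    overflow in xp_sprintf; raiserror() and formatmessage() are built-in
--    functions and cannot be restricted this way, so the vendor patch is
--    still required.
REVOKE EXECUTE ON xp_sprintf FROM public
GO

-- 4. Re-check: the public/Execute row should no longer be listed.
EXEC sp_helprotect 'xp_sprintf'
GO
```

Run the script again after applying the SQL Server and C Runtime patches to confirm @@VERSION reports the patched build.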