[26612] in bugtraq


Re: Microsoft SQL Server 2000,7 OpenRowSet Buffer Overflow

daemon@ATHENA.MIT.EDU (Dave Aitel)
Fri Aug 9 18:25:52 2002

From: Dave Aitel <dave@immunitysec.com>
To: NGSSoftware Insight Security Research <nisr@nextgenss.com>
In-Reply-To: <002b01c23a88$89c1add0$9602bd50@HEPHAESTUS>
Date: 09 Aug 2002 16:30:36 -0400
Message-Id: <1028925036.9771.103.camel@localhost.localdomain>
Mime-Version: 1.0


So, unless I'm mistaken, there's no way to patch MS Desktop Engine for
this bug. Unless someone can point out a way to get it to SP2, since the
SQL Server SP2 installer won't work for it.

Also, does anyone find it odd that you have to literally copy a dll over
another dll to apply the hotfix? Not even Linux makes you do that.

-dave


On Fri, 2002-08-02 at 20:55, NGSSoftware Insight Security Research
wrote:
> NGSSoftware Insight Security Research Advisory
>
> Name: OpenRowSet Buffer Overflows
> Systems: Microsoft SQL Server 2000 and 7, all Service Packs
> Severity: High Risk
> Category: Remote Buffer Overrun Vulnerability
> Vendor URL: http://www.microsoft.com/
> Author: David Litchfield (david@ngssoftware.com)
> Advisory URL: http://www.ngssoftware.com/advisories/mssql-ors.txt
> Date: 2nd July 2002
> Advisory number: #NISR02072002
> VNA reference: http://www.ngssoftware.com/vna/ms-sql.txt
>
> This advisory covers the solution to one of the problems mentioned in the
> above VNA URL.
>
> Description
> ***********
> Microsoft's database servers SQL Server 2000 and 7 have a remotely
> exploitable buffer overrun vulnerability in the OpenRowSet function.
> OpenRowSet allows users to run ad hoc queries on the server.
>
> Details
> *******
> By passing overly long parameters to certain Providers using the OpenRowSet
> functions an attacker can overwrite program control data, such as saved
> return addresses on the stack. This allows an attacker to gain control over
> the SQL Server process and run arbitrary code. Any code provided by an
> attacker will execute in the security context of the account used to run SQL
> Server. Often this is the powerful local SYSTEM account and in this case an
> attacker can not only compromise all SQL Server data but completely control
> the operating system too. Where SQL Server is running in the context of a
> domain user they will only gain access to the server's data. Neither of
> these two situations is desirable and as such SQL Server administrators
> should patch this as soon as they can.
>
>
> Fix Information
> ***************
> NGSSoftware alerted Microsoft to this problem on the 15th of May 2002 and
> they have since released a patch to resolve this problem. Please see
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-040.asp
>
> for more details. Further, one can prevent users from running ad hoc queries
> by setting DisallowAdhocAccess to 1 for each provider under the following
> registry key HKLM\Software\Microsoft\MSSQLServer\Providers\. If the value
> does not exist already then it can be created as a new DWORD value.
>
>
> A check for this vulnerability has been added to Typhon II, NGSSoftware's
> vulnerability assessment scanner, of which, more information is available
> from the NGSSite, http://www.ngssoftware.com/
>
> Further Information
> ********************
> For more information regarding SQL Injection please read
>
> http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
> http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
>
> and for more information about buffer overflows please read
>
> http://www.ngssoftware.com/papers/ntbufferoverflow.html
> http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> http://www.ngssoftware.com/papers/unicodebo.pdf
> http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf


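The DisallowAdhocAccess workaround the advisory gives has to be applied per provider, and it is easy to miss one or to create the value as the wrong type. The following PowerShell script is an added example for auditing that state, not code from the thread or from NGSSoftware; it assumes the default-instance key path quoted in the advisory and that it runs elevated on the SQL Server host (named instances keep their Providers key elsewhere, which the advisory does not cover). It does not replace the MS02-040 hotfix, which the advisory lists as the actual fix.

```powershell
# Added example: report every provider under the advisory's Providers key whose
# DisallowAdhocAccess DWORD is missing or not 1, and optionally set it to 1.
# Assumes the default-instance path from the advisory; named instances use a
# different key that must be passed in via -ProvidersKey (an assumption, not
# taken from the advisory).
param(
    [switch]$Enforce,
    [string]$ProvidersKey = 'HKLM:\Software\Microsoft\MSSQLServer\Providers'
)

if (-not (Test-Path -Path $ProvidersKey)) {
    throw "Providers key not found: $ProvidersKey (named instance? pass -ProvidersKey)"
}

$findings = foreach ($provider in Get-ChildItem -Path $ProvidersKey) {
    $props = Get-ItemProperty -Path $provider.PSPath
    $value = $props.DisallowAdhocAccess        # $null when the DWORD does not exist
    $state = if ($null -eq $value) { 'missing' }
             elseif ($value -eq 1)  { 'ok' }
             else                   { "set to $value" }

    if ($Enforce -and $state -ne 'ok') {
        # -Force creates the DWORD if absent or overwrites a wrong value/type
        New-ItemProperty -Path $provider.PSPath -Name 'DisallowAdhocAccess' `
            -PropertyType DWord -Value 1 -Force | Out-Null
        $state = 'fixed'
    }

    [pscustomobject]@{ Provider = $provider.PSChildName; DisallowAdhocAccess = $state }
}

$findings | Format-Table -AutoSize

# Non-zero exit lets a scheduled job or config-management run flag drift.
$open = @($findings | Where-Object { $_.DisallowAdhocAccess -notin @('ok', 'fixed') })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) provider(s) still accept ad hoc OpenRowSet queries"
    exit 1
}
```

Run it without -Enforce first to see which providers still allow ad hoc access; the same audit repeated after the hotfix confirms the registry hardening survived the DLL replacement Dave describes.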

