@stake advisory: Multiple overflow and format string vulnerabilities in Microsoft SQL Server

From: @stake advisories (@stake)
Date: 12/21/01


Date:         Thu, 20 Dec 2001 20:29:39 -0500
From: "@stake advisories" <advisories@ATSTAKE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                               @stake, Inc.
                             www.atstake.com
                            Security Advisory

Advisory Name: Multiple overflow and format string vulnerabilities
                in Microsoft SQL Server
  Release Date: 12/20/2001
   Application: Microsoft SQL Server 7.0 and 2000
      Platform: Microsoft Windows NT 4.0, 2000, XP
      Severity: A user of the database can execute arbitrary code
                or cause a denial of service to the server
        Author: Chris Anley [chrisanley@hushmail.com]
                Chris Wysopal [cwysopal@atstake.com]
Vendor Status: Vendor has bulletin and patch
CVE Candidate: CAN-2001-0542
     Reference: www.atstake.com/research/advisories/2001/a122001-1.txt

Overview:

This advisory describes multiple vulnerabilities in Microsoft SQL Server
7.0 and 2000 that allow an attacker to run arbitrary code on the SQL
Server in the security context of the account that the SQL Server service
runs under (normally an administrator-level account).

A common attack scenario is to use web application vulnerabilities to
send arbitrary queries to a backend SQL Server that is otherwise
protected from direct attack via the internet. More information
detailing this type of attack, known as SQL Command Injection, is
available at: http://www.owasp.org/projects/asac/iv-sqlinjection.shtml

Description:

SQL Server provides built-in functions for formatting error messages
using C-style format specifiers. These functions are accessible to all
users. Supplying maliciously crafted input to them results in exploitable
error conditions in the SQL Server process. To mount this attack the
attacker must be able to execute SQL queries, either directly or by
leveraging SQL Command Injection flaws in an application that uses the
server.

The raiserror() function is accessible to all users and accepts an overly
long length specifier in its format string. This results in an
exploitable overflow. Additionally, format string specifiers can be used
to overwrite an arbitrary address in memory, which can result in the
execution of arbitrary code.

The formatmessage() built-in function is accessible to all users. By
creating specially crafted messages, any user can subsequently cause
malicious code contained in the message to be executed.

The xp_sprintf extended stored procedure (which is accessible to the
'public' role by default) accepts overly long length specifiers. This
results in an exploitable overflow.
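
The three routines above share one signature from a monitoring point of
view: a call to raiserror, formatmessage or xp_sprintf carrying a format
string with an implausibly large width, or with the %n specifier that
writes to memory. The following is an added example, not part of the
@stake advisory or of Microsoft's software, of a small detector run over
a constructed application query log; the log lines, the field layout
(sql=...), the width threshold and the function names are assumptions
chosen for illustration.

```python
import re

# The three routines the advisory names as reachable by any database user.
RISKY_FUNCS = re.compile(r"\b(raiserror|formatmessage|xp_sprintf)\b", re.I)

# A C-style conversion specification: %[flags][width][.precision]conversion
SPEC = re.compile(r"%([-+ #0]*)(\d*)(?:\.(\d*))?([diouxXeEfgGcsnp%])")

# Widths larger than this are treated as suspicious. The number is an
# assumption chosen for illustration; the advisory gives no threshold.
MAX_SANE_WIDTH = 256


def analyze_format(text):
    """Return findings about conversion specifications embedded in text.

    Flags the %n specifier (the standard printf specifier that writes to
    memory, i.e. the 'overwrite an arbitrary address' primitive) and any
    width or precision that is implausibly large for an error message.
    """
    findings = []
    for m in SPEC.finditer(text):
        width, prec, conv = m.group(2), m.group(3), m.group(4)
        if conv == "n":
            findings.append("%%n write specifier at offset %d" % m.start())
        if width and int(width) > MAX_SANE_WIDTH:
            findings.append("width %s exceeds %d at offset %d"
                            % (width, MAX_SANE_WIDTH, m.start()))
        if prec and int(prec) > MAX_SANE_WIDTH:
            findings.append("precision %s exceeds %d at offset %d"
                            % (prec, MAX_SANE_WIDTH, m.start()))
    return findings


def flag_query(sql):
    """Return a list of findings for one SQL statement, empty when it looks benign.

    A statement is only reported when it both calls one of the risky routines
    and carries a suspicious conversion specification; an ordinary
    RAISERROR('Order %d not found', ...) is not reported.
    """
    funcs = sorted({m.group(1).lower() for m in RISKY_FUNCS.finditer(sql)})
    if not funcs:
        return []
    return ["%s: %s" % (", ".join(funcs), f) for f in analyze_format(sql)]


# Constructed sample of an application query log (not a real capture). The
# 'sql=' field holds the statement text the web tier sent to SQL Server.
SAMPLE_LOG = """\
2001-12-20 20:29:39 host=web01 user=webapp sql=SELECT name FROM products WHERE id = 42
2001-12-20 20:29:41 host=web01 user=webapp sql=RAISERROR('Order %d not found', 16, 1, 7)
2001-12-20 20:29:44 host=web01 user=webapp sql=SELECT 1; RAISERROR('%99999d', 16, 1, 1)
2001-12-20 20:29:47 host=web01 user=webapp sql=EXEC master..xp_sprintf @out OUTPUT, '%n', 'x'
"""


def scan_log(text):
    """Return [(line_number, findings)] for every log line whose statement is flagged."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        sql = line.split("sql=", 1)[1] if "sql=" in line else line
        findings = flag_query(sql)
        if findings:
            hits.append((lineno, findings))
    return hits


if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print("line %d:" % lineno)
        for f in findings:
            print("   ", f)
```

Only the third and fourth sample lines are reported; the second line is a
legitimate RAISERROR call with a plain %d and produces no finding, which
keeps the check usable on a busy application log. The width threshold is
the knob to tune: error messages rarely need widths beyond a few dozen
characters, so a large value is a strong signal even before the patch is
applied.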

Vendor Response:

The vendor has issued a bulletin on this issue:

http://www.microsoft.com/technet/security/bulletin/MS01-060.asp

The vendor has made patches available:

SQL Server:

         SQL Server 7.0:
         http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34131
         SQL Server 2000:
         http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34131

C Runtime:

         Windows NT 4.0:
         http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33500
         Windows 2000:
         http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33500
         Windows XP:
         http://www.microsoft.com/Downloads/Release.asp?ReleaseID=35023

Recommendations:

Apply the vendor patches.

Do not permit direct connections to SQL Server by untrusted users.
This can be achieved by:

  Removing all unused network libraries (connection protocols) using the
  SQL Server Network Utility

  Using network packet filtering devices such as a firewall

  Configuring Windows 2000 IP Security filters on the SQL Server to permit
  only trusted connections

If the SQL Server is connected to from an application server or web
server farm, ensure that appropriate server-side input validation is in
place. Specifically, ensure that users cannot insert SQL commands into
input data by supplying the ' character (among others). Countermeasures
are detailed here: http://www.owasp.org/projects/asac/iv-sqlinjection.shtml

Essentially, the aim is to permit only input that is explicitly known to
be 'good' and reject all other input.
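
The following is an added example of the allowlist approach just
described, written for this page and not taken from the advisory or from
any vendor code. It contrasts the concatenation pattern that lets a
client reach raiserror() or xp_sprintf through an application with a
version that first accepts only explicitly known-good input and then
binds the values as query parameters. The field names, the allowlist
patterns, the table and the '?' placeholder style are assumptions for
illustration.

```python
import re

# Allowlist rules per input field. These patterns are assumptions chosen for
# illustration, not rules from the advisory: each names the only values the
# application will accept, so the ' character (and anything else not listed)
# is rejected without maintaining a denylist of dangerous characters.
FIELD_RULES = {
    "product_code": re.compile(r"\A[A-Z0-9-]{1,20}\Z"),
    "quantity": re.compile(r"\A[1-9][0-9]{0,3}\Z"),
}


def invalid_fields(fields):
    """Return the names of fields that are missing or fail their allowlist rule."""
    bad = []
    for name, rule in FIELD_RULES.items():
        value = fields.get(name)
        if not isinstance(value, str) or not rule.fullmatch(value):
            bad.append(name)
    return bad


class InvalidInput(ValueError):
    """Raised when a request carries a field that is not explicitly known to be good."""


def unsafe_order_query(fields):
    """The pattern the advisory warns about: request data pasted into the statement.

    A product_code of  X'; SELECT 1 --  closes the literal and appends a
    second statement; the same route reaches raiserror() or xp_sprintf.
    """
    return ("INSERT INTO orders (product_code, quantity) VALUES ('"
            + fields["product_code"] + "', " + fields["quantity"] + ")")


def safe_order_query(fields):
    """Validate against the allowlist, then bind values as parameters.

    Returns (sql, params). The '?' placeholder is the ODBC style used by
    drivers such as pyodbc (a driver-specific assumption); the values are
    sent separately by the driver and are never parsed as SQL text.
    """
    bad = invalid_fields(fields)
    if bad:
        raise InvalidInput("rejected fields: " + ", ".join(bad))
    return ("INSERT INTO orders (product_code, quantity) VALUES (?, ?)",
            (fields["product_code"], int(fields["quantity"])))


if __name__ == "__main__":
    hostile = {"product_code": "X'; SELECT 1 --", "quantity": "1"}
    print(unsafe_order_query(hostile))  # the injected statement is now part of the SQL
    try:
        safe_order_query(hostile)
    except InvalidInput as exc:
        print("rejected:", exc)
    print(safe_order_query({"product_code": "SQL-2000", "quantity": "3"}))
```

Validation and parameter binding are both kept on purpose: the allowlist
rejects input the application has no business accepting at all, and
binding guarantees that whatever does pass is handed to the server as a
value rather than as statement text, so neither layer has to be perfect
on its own.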

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

        SQL Server vulnerability: CAN-2001-0542

For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBPCKQUFESXwDtLdMhEQIQagCfc6aNSXqi23vXNw/r0+w5FMHEtSYAoJ/M
GS/CcBenKMpDte88JsX2xOxN
=vCZj
-----END PGP SIGNATURE-----
