Re: MSDE,Sql Server 7 & 2000 Adhoc Heterogenous Queries Buffer Overflow and DOS

From: Mark Deason (mdeason@SILVERSIDE.NET)
Date: 02/20/02


Date:         Tue, 19 Feb 2002 17:42:03 -0700
From: Mark Deason <mdeason@SILVERSIDE.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Cesar Wrote (Response Inline):

> Security Advisory
>
> Name : MSDE, Sql Server 7 & 2000 Adhoc
> Heterogenous Queries Buffer Overflow and DOS.
> System Affected: MSDE, Sql Server 7, Sql Server 2000
> with all service packs and fixes applied.
> Severity: High
> Author: Cesar Cerrudo.
> Date: 19th February 2002
> Advisory Number: CC020201

...text deleted

> You can reference heterogeneous OLE DB data sources in
> Transact-SQL statements by:
> -Linked servers, OpenQuery function.
> -OpenDataSource and OpenRowset functions.
>
> OpenDataSource and OpenRowset functions are accessible
> to all users and contain an unchecked buffer in
> one of its parameters. The buffer overflow and DOS
> problem occur when an overly long string is supplied
> in the "provider name" parameter.
> Details:

Ok, since I've been through something similar here recently, MS may not be
getting back to you since they already have a hotfix for a part of this
problem I found back in January:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316295

This bug was something similar to the described problem, but I could
throw an exception with *ANY* syntax error on using OPENQUERY to my OLAP
linked server. The above PSS article references a hotfix that was
generated in response to my problem. They may in fact be waiting to throw
this in the next SQL Service Pack, hence the reason I was waiting to see
*when* they would release it before I said anything.

Please note, the exception generated here had to do with the MSOLAP
provider, but in fact from my discussions, it was stated as being an OLE DB
provider issue.

I would suggest anyone using OPENQUERY or the like try contacting PSS
before throwing themselves under the bus. I've been running their hotfix
for some time now without any errors.

Thanks,

Mark

Mark Deason - President
Silverside Eq. Inc. - A Leasing Solution Provider
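
A log-review check for the "provider name" issue described in the quoted advisory, added here as an example and not part of the original post or the advisory: it flags OPENROWSET / OPENDATASOURCE calls in captured T-SQL whose provider name is unusually long, not on an allowlist, or not a closed string literal. The allowlist, the 64-character limit and the sample statements are assumptions constructed for illustration.

```python
import re

# Assumed site policy (not from the advisory): providers that ad hoc queries
# are expected to name, and a generous upper bound on provider-name length.
ALLOWED_PROVIDERS = {"sqloledb", "msdasql", "msolap", "microsoft.jet.oledb.4.0"}
MAX_PROVIDER_LEN = 64

CALL_RE = re.compile(r"\b(OPENROWSET|OPENDATASOURCE)\s*\(\s*", re.IGNORECASE)
# A T-SQL string literal with optional N prefix; '' is an escaped quote.
LITERAL_RE = re.compile(r"N?'((?:[^']|'')*)'", re.IGNORECASE)


def audit_statement(sql):
    """Return (function, provider_length, reasons) for each suspicious call."""
    findings = []
    for call in CALL_RE.finditer(sql):
        func = call.group(1).upper()
        lit = LITERAL_RE.match(sql, call.end())
        if lit is None:
            # Truncated trace text or a non-literal first argument: review by hand.
            findings.append((func, None, ["provider name is not a closed string literal"]))
            continue
        provider = lit.group(1).replace("''", "'")
        reasons = []
        if len(provider) > MAX_PROVIDER_LEN:
            reasons.append("provider name longer than %d characters" % MAX_PROVIDER_LEN)
        if provider.strip().lower() not in ALLOWED_PROVIDERS:
            reasons.append("provider not in allowlist")
        if reasons:
            findings.append((func, len(provider), reasons))
    return findings


# Constructed sample statements, as they might appear in a captured trace.
SAMPLES = [
    "SELECT * FROM OPENROWSET('SQLOLEDB', 'srv1';'reader';'x', 'SELECT 1')",
    "SELECT * FROM OpenDataSource('" + "P" * 300 + "', 'Data Source=srv1').db.dbo.t",
    "select * from openrowset ( 'SomeOther.Provider', '', 'select 1')",
    "SELECT * FROM OPENROWSET('" + "P" * 300,  # literal cut off by the trace
    "SELECT name FROM sysobjects",
]

if __name__ == "__main__":
    for stmt in SAMPLES:
        for func, length, reasons in audit_statement(stmt):
            print(func, length, "; ".join(reasons))
```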
