SQLServer: pwdencrypt function buffer overflow

From: Zaccarin Massimo (massimo@ERANET.TV)
Date: 06/17/02

Date:         Mon, 17 Jun 2002 09:36:11 +0200
From: Zaccarin Massimo <massimo@ERANET.TV>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

From sqlsecurity.com:

6/14/2002 - Jimmers Strikes Again!
Jimmers (Martin Rakhmanoff), the guy that brought us the ODBC Encrypt reversal, has alerted the world to a buffer/heap overflow in the pwdencrypt() function in SQL Server. SQL Server 2000 is confirmed vulnerable using SELECT pwdencrypt(REPLICATE('A',353)) (more bytes may be needed on some systems). Assume previous versions vulnerable unless you hear otherwise. No current workarounds. Microsoft alerted to issue. Starting to feel like finding BOs in SQL Server is going to be a lucrative enterprise. The biggest problem companies are going to have is staggering the releases so they don't blow all their press in one shot...