Microsoft SQL Server 2000,7 OpenRowSet Buffer Overflow vulnerability (#NISR02072002)

From: NGSSoftware Insight Security Research (nisr@NEXTGENSS.COM)
Date: 08/03/02


Date:         Sat, 3 Aug 2002 01:55:57 +0100
From: NGSSoftware Insight Security Research <nisr@NEXTGENSS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

NGSSoftware Insight Security Research Advisory

Name: OpenRowSet Buffer Overflows
Systems: Microsoft SQL Server 2000 and 7, all Service Packs
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/mssql-ors.txt
Date: 2nd July 2002
Advisory number: #NISR02072002
VNA reference : http://www.ngssoftware.com/vna/ms-sql.txt

This advisory covers the solution to one of the problems mentioned in the
above VNA URL.

Description
***********
Microsoft's database servers SQL Server 2000 and 7 have a remotely
exploitable buffer overrun vulnerability in the OpenRowSet function.
OpenRowSet allows users to run ad hoc queries on the server.

Details
*******
By passing overly parameters to certain Providers using the OpenRowSet
functions an attacker can overwrite program control data, such as saved
return addresses on the stack. This allows an attacker to gain control over
the SQL Server process and run arbitrary code. Any code provided by an
attacker will execute in the secuirty context of the account used to run SQL
Server. Often this is the powerful local SYSTEM account and in this case an
attacker can not only compromise all SQL Server data but completely control
the operating system too. Where SQL Server is running in the context of a
domain user they will only gain access to the server's data. Neither of
these two situations are desirable and as such SQL Server administrators
should patch this as soon as they can.

Fix Information
***************
NGSSoftware alerted Microsoft to this problem on the 15th of May 2002 and
they have since released a patch to resolve this problem. Please see

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-040.asp

for more details. Further one can prevent users from running adhoc queries
by setting DisallowAdhocAccess to 1 for each provider under the following
registry key HKLM\Software\Microsoft\MSSQLServer\Providers\. If the value
does not exist already then it can be created as a new DWORD value.

A check for this vulnerability has been added to Typhon II, NGSSoftware's
vulnerability assessment scanner, of which, more information is available
from the NGSSite, http://www.ngssoftware.com/

Further Information
********************
For more information regarding SQL Injection please read

http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

and for more information about buffer overflows please read

http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf



Relevant Pages