MSSQL Hello bug

From: Dave Aitel (dave@IMMUNITYSEC.COM)
Date: 10/03/02


Date:         Thu, 3 Oct 2002 12:18:36 -0400
From: Dave Aitel <dave@IMMUNITYSEC.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

People in Immunity's Vulnerability Disclosure Club or people who have
purchased CORE Impact or people who have written their own SQL Server
Hello exploit can verify that this statement from the Microsoft Advisory
is, in fact, completely untrue.

The default install, in fact, every install I've run into, gives you
LOCAL/SYSTEM. LOCAL/SYSTEM usually has significant privileges.

Dave Aitel
Immunity, Inc.

"Unchecked buffer in SQL Server 2000 authentication function
(CAN-2002-1123):

What’s the scope of this vulnerability?

This is a buffer overrun vulnerability. By sending a specially malformed
login request to an affected server, an attacker could either cause the
SQL Server service to fail or gain control over the database. It would
not be necessary for the user to successfully authenticate to the server
in order to exploit the vulnerability.

This vulnerability only affects SQL Server 2000 and MSDE 2000. Although
the vulnerability would provide a way to gain control over the database,
it would not, under default conditions, grant the attacker significant
privileges at the operating system level. "
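The disagreement above comes down to one fact: a memory-corruption bug in a Windows service hands the attacker whatever account that service process runs as, nothing more and nothing less. The following PowerShell check is an added example, not code from the original post or from Immunity; it reports the logon account of the SQL Server service so that an administrator can see directly what an exploit of the service process would inherit. It assumes a default instance whose service is named MSSQLSERVER (a named instance uses MSSQL$INSTANCENAME) and a host with PowerShell 3 or later for Get-CimInstance.

```powershell
# Added example (not from the original post): report which account the
# SQL Server service runs as. Code execution inside the service process
# inherits exactly that account's privileges, so 'LocalSystem' here means
# an unauthenticated overflow in the login handler yields SYSTEM.
# Assumption: default instance named MSSQLSERVER; override for named instances.
param(
    [string]$ServiceName = 'MSSQLSERVER'
)

function Get-SqlServiceAccount {
    param([string]$Name)

    # Win32_Service.StartName holds the logon account ('LocalSystem',
    # 'NT AUTHORITY\NetworkService', 'DOMAIN\user', ...).
    $svc = Get-CimInstance -ClassName Win32_Service `
                           -Filter "Name='$Name'" `
                           -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$Name' not found on this host."
        return $null
    }

    [pscustomobject]@{
        Service       = $svc.Name
        State         = $svc.State
        Account       = $svc.StartName
        IsLocalSystem = ($svc.StartName -eq 'LocalSystem')
    }
}

$result = Get-SqlServiceAccount -Name $ServiceName
if ($result) {
    $result | Format-List
    if ($result.IsLocalSystem) {
        Write-Warning "Compromise of $($result.Service) gives SYSTEM on this host; run SQL Server under a low-privilege account."
    }
}
```

Run it on the database host as an administrator; the warning fires when the service is registered as LocalSystem, which is the configuration the post says it sees on every install it has encountered.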


