MSSQL HEllo bug

From: Dave Aitel (dave@IMMUNITYSEC.COM)
Date: 10/03/02


Date:         Thu, 3 Oct 2002 12:18:36 -0400
From: Dave Aitel <dave@IMMUNITYSEC.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

People in Immunity's Vulnerability Disclosure Club or people who have
purchased CORE Impact or people who have written their own SQL Server
Hello exploit can verify that this statement from the Microsoft Advisory
is, in fact, completely untrue.

The default install, in fact, every install I've run into, gives you
LOCAL/SYSTEM. LOCAL/SYSTEM usually has significant privileges.

Dave Aitel
Immunity, Inc.

"Unchecked buffer in SQL Server 2000 authentication function
(CAN-2002-1123):

What’s the scope of this vulnerability?

This is a buffer overrun vulnerability. By sending a specially malformed
login request to an affected server, an attacker could either cause the
SQL Server service to fail or gain control over the database. It would
not be necessary for the user to successfully authenticate to the server
in order to exploit the vulnerability.

This vulnerability only affects SQL Server 2000 and MSDE 2000. Although
the vulnerability would provide a way to gain control over the database,
it would not, under default conditions, grant the attacker significant
privileges at the operating system level. "