[NT] Multiple Overflow and Format String Vulnerabilities in Microsoft SQL Server

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 24 Dec 2001 12:02:22 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Multiple Overflow and Format String Vulnerabilities in Microsoft SQL Server
------------------------------------------------------------------------

SUMMARY

This advisory describes multiple vulnerabilities in Microsoft SQL Server
7.0 and 2000 that allow an attacker to run arbitrary code on the SQL
Server in the context of the account that SQL Server is running under
(normally an administrator).

A common attack scenario is to use web application vulnerabilities to send
arbitrary queries to a backend SQL Server that is otherwise protected from
direct attack via the internet. More information detailing this type of
attack, known as SQL Command Injection, is available at:
http://www.owasp.org/projects/asac/iv-sqlinjection.shtml

DETAILS

SQL Server provides built-in functions for the formatting of error
messages based on C-style format specifiers. These built-in functions
are accessible to all users. Providing maliciously crafted input to these
functions results in exploitable error conditions in the SQL Server
process.

The raiserror() function is accessible to all users, and permits the
specification of an overly long length specifier. This results in an
exploitable overflow. Additionally, format string specifiers can be used,
enabling an attacker to overwrite an arbitrary address in memory. This can
result in the execution of arbitrary code.

The formatmessage() built-in function is accessible to all users. By
creating specifically crafted messages, any user can subsequently cause
malicious code contained in the message to be executed.

The xp_sprintf extended stored procedure (which is accessible to the
'public' role by default) permits the specification of overly long length
specifiers. This results in an exploitable overflow.

Vendor response:
Microsoft has issued a bulletin on this issue:
http://www.microsoft.com/technet/security/bulletin/MS01-060.asp

Microsoft has released patches for:
 * SQL Server 7.0:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34131
 * SQL Server 2000:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34131
 * C Runtime, Windows NT 4.0:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33500
 * C Runtime, Windows 2000:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33500
 * C Runtime, Windows XP:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=35023

Recommendations:
Apply the vendor patches.

Do not permit direct connections to SQL Server by untrusted users.

This can be achieved by:
1) Removing all unused connection 'protocols' using the SQL Server Network
Utility
2) Using network packet filtering devices
3) Configuring Windows 2000 IP Security filters on the SQL Server to
permit only trusted connections

If the SQL Server is being connected to from an application server or web
server farm, ensure that appropriate server side input validation is in
place. Specifically, ensure that users cannot insert SQL commands into
input data by specifying the ' character (among others). Countermeasures
are detailed here:
http://www.owasp.org/projects/asac/iv-sqlinjection.shtml

Essentially, the aim is to permit only input that is explicitly known to
be 'good' and reject all other input.
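The following is an added example (not part of the @stake advisory) that puts both halves of the guidance above into code from the defender's side: a scanner that flags statements invoking raiserror, formatmessage or xp_sprintf with suspicious format specifiers (for review of captured query text, e.g. from a trace or application log), and an allow-list validator for web-tier input fields. The field names, the width cut-off and the log lines are assumptions constructed for the example.

```python
import re

# Built-ins the advisory names as reachable by every login (xp_sprintf via
# the 'public' role). A call is captured up to its closing paren, ';' or EOL.
CALL_RE = re.compile(r"\b(raiserror|formatmessage|xp_sprintf)\b([^;)]*)",
                     re.IGNORECASE)
# printf-style specifier: flags, optional width, optional precision, type.
SPEC_RE = re.compile(r"%[-+ #0]*(\d*)(?:\.(\d+))?([a-zA-Z])")
# Widths beyond this are never needed in an error message; the cut-off is
# an assumption for this example, not a value from the advisory.
MAX_WIDTH = 256

def scan_statement(sql):
    """Return (function, reason) pairs for suspicious format usage."""
    findings = []
    for call in CALL_RE.finditer(sql):
        func, args = call.group(1).lower(), call.group(2)
        for spec in SPEC_RE.finditer(args):
            width, precision, conv = spec.groups()
            if conv == "n":          # the memory-write specifier
                findings.append((func, "write specifier %n"))
            elif any(int(x) > MAX_WIDTH for x in (width, precision) if x):
                findings.append((func, "oversized width/precision"))
    return findings

# Allow-list validation for web-tier inputs, as the advisory recommends:
# accept only what is explicitly known to be good. Field names are assumed.
ALLOWED = {
    "order_id": re.compile(r"[0-9]{1,10}"),
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
}

def is_allowed(field, value):
    pat = ALLOWED.get(field)
    return bool(pat and pat.fullmatch(value))

# Constructed query-log lines for this example (not real traffic).
SAMPLE_LOG = [
    "SELECT name FROM orders WHERE id = 42",
    "RAISERROR('Order %d not found', 16, 1, @id)",
    "RAISERROR('%99999d', 16, 1, 1)",
    "EXEC master..xp_sprintf @out OUTPUT, 'user %n', @u",
]

def scan_log(lines):
    return [(i, f) for i, line in enumerate(lines) for f in scan_statement(line)]

if __name__ == "__main__":
    for idx, finding in scan_log(SAMPLE_LOG):
        print(idx, finding)
    print(is_allowed("username", "alice"), is_allowed("username", "a' OR 1=1--"))
```

Lines 2 and 3 of the sample log show the difference between a legitimate parameterised message and one whose width field alone should trigger review.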

ADDITIONAL INFORMATION

The information has been provided by @stake advisories
(advisories@atstake.com).
