[NT] Buffer Overflow in UDP Broadcasts for Microsoft SQL Server Client Utilities
From: SecuriTeam (support_at_securiteam.com)
Date: 08/24/03
To: list@securiteam.com Date: 24 Aug 2003 17:21:53 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow in UDP Broadcasts for Microsoft SQL Server Client Utilities
------------------------------------------------------------------------
SUMMARY
A Unicode buffer overflow exists in MDAC, which is used by the SQL Server
SQL-DMO library, and could allow a remote attacker to execute malicious code
on the target computer. The vulnerability is not triggered when accepting
incoming connections, but when processing the responses to broadcast queries.
DETAILS
One of the features of the SQL Server network libraries is the ability to
query a list of SQL Servers on the local network. This is accomplished by
sending a UDP broadcast to port 1434 that reaches all listening applications
on the local subnet. This function is a component of SQL-DMO that is used by
the SQL Server Service Manager (whenever it is started), Enterprise
Manager (when registering a server), Query Analyzer, SQL Profiler
(when clicking the "..." button), DTS (when selecting a SQL Server), etc.
All SQL Servers receiving the broadcast request respond with a standard
UDP packet. If a malicious machine responds to this broadcast with an
overlong packet, a stack buffer overflow occurs. The overflow occurs
in a UNICODE string, so the Venetian method of performing a buffer
overflow would need to be used to exploit this vulnerability. There is a
white paper from Chris Anley on how this is done, as well as a
presentation from Dave Aitel.
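As an added example (not part of the advisory), the following Python check is what a defender could run over UDP/1434 datagrams captured on a subnet: it parses the reply layout of the SQL Server Resolution Protocol, which is what the "standard UDP packet" above is assumed to be (0x05, a 16-bit little-endian RESP_SIZE, then ASCII ';'-separated RESP_DATA, as documented in Microsoft's [MS-SQLR] specification), and flags replies whose payload or fields are implausibly long or that come from a host outside the SQL Server inventory. The size limits, inventory addresses and sample datagrams are constructed assumptions.

```python
import struct

SVR_RESP = 0x05          # SSRP message type of a server's reply to a client broadcast
MAX_RESP_DATA = 1024     # assumed sanity limit for a whole RESP_DATA payload
MAX_FIELD_LEN = 128      # assumed sanity limit for any single field value

def parse_ssrp_response(datagram: bytes) -> dict:
    """Parse SVR_RESP: 0x05, RESP_SIZE (uint16 LE), RESP_DATA (ASCII, ';'-separated
    key/value pairs, one record per instance, each record terminated by ';;')."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (resp_size,) = struct.unpack_from("<H", datagram, 1)
    data = datagram[3:]
    if resp_size != len(data):
        raise ValueError(f"RESP_SIZE {resp_size} does not match payload length {len(data)}")
    text = data.decode("ascii", errors="replace")
    instances = []
    for record in text.split(";;"):
        if record:
            fields = record.split(";")
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return {"size": resp_size, "instances": instances}

def inspect_response(src_ip: str, datagram: bytes, inventory: set) -> list:
    """Return findings for one UDP/1434 datagram; an empty list means it looks legitimate."""
    try:
        parsed = parse_ssrp_response(datagram)
    except ValueError as exc:
        return [f"{src_ip}: malformed SSRP response ({exc})"]
    findings = []
    if parsed["size"] > MAX_RESP_DATA:
        findings.append(f"{src_ip}: RESP_DATA of {parsed['size']} bytes exceeds {MAX_RESP_DATA}")
    for inst in parsed["instances"]:
        for key, value in inst.items():
            if len(value) > MAX_FIELD_LEN:
                findings.append(f"{src_ip}: field {key!r} is {len(value)} bytes long")
    if src_ip not in inventory:
        findings.append(f"{src_ip}: SSRP response from a host not in the SQL Server inventory")
    return findings

def build_svr_resp(resp_data: str) -> bytes:
    """Assemble a SVR_RESP datagram; used here only to construct the test samples."""
    return bytes([SVR_RESP]) + struct.pack("<H", len(resp_data)) + resp_data.encode("ascii")

# Constructed samples: a normal reply from an inventoried server and an oversized reply
INVENTORY = {"192.168.3.10"}
GOOD = build_svr_resp("ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;tcp;1433;;")
OVERLONG = build_svr_resp("ServerName;" + "A" * 1200 + ";InstanceName;X;;")
```

Fed with datagrams from a packet capture filtered on UDP source port 1434, `inspect_response` yields nothing for GOOD from 192.168.3.10 and three findings for OVERLONG from an unknown host.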
Any SQL Server utilities that use the SQL-DMO function to retrieve a list
of SQL Servers are vulnerable to this attack. The attack is not mounted
directly against the target. Instead, an attacker could attempt several
methods of exploiting the vulnerability:
1) Set up a service listening for data on UDP port 1434 that responds with
the attack payload whenever data is received. This method requires the
attacker to be on the same subnet as the target.
2) Bombard a remote subnet with UDP attack packets while waiting for someone
to query the network. For example, sending the attack packet every 2 seconds
to 192.168.3.255 will reach all machines on the 192.168.3.x subnet. When
someone finally does send a UDP broadcast, they will accept this packet
and be exploited. This method would take a bit of luck, persistence, or
some social engineering.
3) It may also be possible for a non-privileged login in MS SQL to cause
the SQL Server to send out a query request directly to an IP address on
the network. The following SQL statement causes the SQL Server to query a
host named SERVER with a UDP packet:
SELECT * FROM openrowset('SQLOLEDB', 'server=SERVER\instance name;uid=sa;pwd=', '')
However, on our systems, we were unable to trigger the overflow from the
response. There may be other methods to cause the SQL Server to send the
UDP query and trigger the overflow.
One of the features of SQL Server that makes this vulnerability simpler to
exploit is that the SQL Server Service Manager queries the network using
SQL-DMO every time it starts which happens when a user with the SQL Server
client utilities logs into Windows. This would occur anytime someone
logged into the Windows server on which SQL Server is installed, or
anytime a database administrator logs into his or her machine.
Vendor response:
See the Microsoft security bulletin MS03-033:
http://www.microsoft.com/technet/security/bulletin/MS03-033.asp
Fix:
This vulnerability affects the following packages:
Microsoft Data Access Components 2.7 SP1
Microsoft Data Access Components 2.7
Microsoft Data Access Components 2.6 SP2
Microsoft Data Access Components 2.5 SP3
Microsoft Data Access Components 2.5 SP2
If you have one of these packages installed, apply the hotfix described in
Microsoft Knowledge Base article 823718:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823718
ADDITIONAL INFORMATION
The information has been provided by Aaron C. Newman
<mailto:aaron@newman-family.com>.