Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1003
HistoryDec 02, 2000 - 12:00 a.m.

@stake Advisory: Microsoft SQL Server extended stored procedure vulnerability (A120100-1)

2000-12-0200:00:00
vulners.com
15
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                          @stake Inc.
                        www.atstake.com

                       Security Advisory

Advisory Name: Microsoft SQL Server extended stored procedure
vulnerability
Release Date: 12/01/2000
Application: MS SQL Server 7.0 - all service packs
MS SQL Server 2000
Platform: Windows NT 4.0 / 2000
Severity: There are several buffer overflow conditions
that could result in execution of arbitrary
code or a denial of service.
Author: David Litchfield [[email protected]]
Vendor Status: Vendor has patch, see below
Web: www.atstake.com/research/advisories/2000/a120100-1.txt

Overview:

    Microsoft's database server, known as SQL Server, contains several

buffer overruns vulnerabilities that can be remotely exploited to execute
arbitrary computer code on the affected system, thus allowing an attacker
to gain complete control of the server. In situations where the SQL Server
is protected by a firewall, it may still be possible to launch this attack
through a connecting web server - though this depends on how secure the
web server's application is.

Details:

    To add further functionality to SQL server there are extended

stored procedures that perform one task or another. When an overly long
string parameter is provided to several of these procedures a buffer is
overrun. Ironicly it appears that these overruns occur in part of the
exception handling calls made by SQL server to protect itself. The
procdures known to be vulnerable xp_displayparamstmt, xp_enumresultset,
xp_showcolv and xp_updatecolvbm. Each of these stored procedures are
exported by xprepl.dll and may be executed by PUBLIC, ostensibly everyone
who can login to the database server, even low privileged logins. If the
overruns are exploited the code runs in the context of the powerful SYSTEM
account.

Once the overflow occurs, the EAX register points to the user supplied
data and to force the processor to execute code supplied in this buffer
the saved return address would need to be overwritten by an address that
contained a 'jmp eax' or 'call eax' instruction. Examining the DLLs loaded
into the address space shows that the DLL with the vulnerability,
xprepl.dll, does not change across SQL service packs, with SQL Server 7,
at least. If such an instruction could be found in this DLLs address space
then any proof of concept code would work across all SQL service packs. As
it happens these instructions do not exist in this DLL. However, a 'call
esi' instruction exists and on overrun the esi register points to 4 bytes
above where the saved return address is overwritten. By overwriting the
saved return address with the address that contains the 'call esi'
instruction and by setting the bytes at esi to FF E0 (jmp eax), when the
'call esi' executes, the 'jmp eax' executes and the code has "stepped
over" the DWORD that overwrote the saved return address.

Proof of Concept:

Source code available at:
http://www.atstake.com/research/advisories/2000/sqladv-poc.c

Vendor Response:

Microsoft has released a bulletin describing this issue:
http://www.microsoft.com/technet/security/bulletin/ms00-092.asp

Microsoft has released a patch to fix this problem:
http://support.microsoft.com/support/sql/xp_security.asp

Recommendation:

Disallow PUBLIC execute access to these extended stored procedures usless
you need it.

Install the vendor supplied patch.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

xp_displayparamstmt - CAN-2000-1081
xp_enumresultset - CAN-2000-1082
xp_showcolv - CAN-2000-1083
xp_updatecolvbm - CAN-2000-1084

Advisory Release policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOigPU1ESXwDtLdMhEQLfJACfV63OW23pqRnUGAaP79CdgCyU254An13i
H7i221TwYIS90iTyAPnLaaua
=9nvr
-----END PGP SIGNATURE-----

Related

cve 4
openvas 1
cve
cve
CVE-2000-1082
2001-01-09 05:00:00
CVE-2000-1084
2001-01-09 05:00:00
CVE-2000-1081
2001-01-09 05:00:00
openvas
openvas
Microsoft's SQL Version Query
2006-03-26 00:00:00
JSON
Related for SECURITYVULNS:DOC:1003
cve4openvas1