March 14th, 2002, 11:56 PM
new SQL 7 & 2000 Buffer overflows
AN EMERGING ISSUE WITH:
MORE BUFFER OVERFLOWS IN MS SQL 7 AND 2000
March 14, 2002
On March 13, Cesar Cerrudo of the SHATTER Team, posted an advisory
describing many new buffer overflows found in 17 extended stored
procedures in Microsoft SQL Server 7 and 2000. A hacker could
exploit these to either crash your SQL server or, in the worst case,
execute arbitrary code with full system privileges. There is no
direct impact on WatchGuard products. Administrators running
Microsoft SQL Server 7 or 2000 should apply the workaround as soon
as possible. No patch is available.
Microsoft SQL Server 7 and 2000 include hundreds of extended stored
procedures within their Dynamic Linked Libraries (DLL). These
extended stored procedures are chunks of code that perform common,
useful tasks and can be called from within SQL.
Cesar Cerrudo has found that 17 of the extended stored procedures
within Microsoft SQL Server 7 and 2000 contain buffer overflows.
(The SHATTER Team's advisory lists the affected procedures; we link
to it below.)
The overflow is related to the way parameters are passed when
calling these extended stored procedures. If a hacker called one of
the susceptible procedures and injected a long string of data
(usually Unicode) into the parameter, the unchecked string would
overwrite the systems memory. At the very least, this would result
in your server crashing. However, if the overlong string was crafted
properly, a savvy hacker could use this vulnerability to execute
arbitrary code with full system privileges.
Keep in mind, the hacker needs a login on your SQL Server to exploit
this vulnerability. However, obtaining a login may not be as hard as
you think. By default, Microsoft SQL Server includes a guest
account. Since a few of these extended stored procedures are
accessible from the public group, the hacker could exploit this flaw
using the guest account. To exploit the rest of the procedures, the
hacker would need Database Administrator (DBA) level access.
Cerrudo and the SHATTER Team released this advisory straight to the
public without first informing Microsoft. As such, this
vulnerability has yet to be confirmed by Microsoft or a third party.
However, Cerrudo has proven himself to be a reliable source in the
I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
March 14th, 2002, 11:59 PM
You're just full of good news today, aren't you..... Nice catch. This goes with the CERT warning I just got about Oracle 7,8,9i vulnerabilities.. This is not looking good.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
March 15th, 2002, 12:04 AM
zigar - I've not even finished patching the servers from the last one. Good post, and post the fix link if you get it.