new SQL 7 & 2000 Buffer overflows

  1. #1
    Senior Member
    Join Date
    Jan 2002

    new SQL 7 & 2000 Buffer overflows

    March 14, 2002

    On March 13, Cesar Cerrudo of the SHATTER Team, posted an advisory
    describing many new buffer overflows found in 17 extended stored
    procedures in Microsoft SQL Server 7 and 2000. A hacker could
    exploit these to either crash your SQL server or, in the worst case,
    execute arbitrary code with full system privileges. There is no
    direct impact on WatchGuard products. Administrators running
    Microsoft SQL Server 7 or 2000 should apply the workaround as soon
    as possible. No patch is available.


    Microsoft SQL Server 7 and 2000 include hundreds of extended stored
    procedures within their Dynamic Linked Libraries (DLL). These
    extended stored procedures are chunks of code that perform common,
    useful tasks and can be called from within SQL.

    Cesar Cerrudo has found that 17 of the extended stored procedures
    within Microsoft SQL Server 7 and 2000 contain buffer overflows.
    (The SHATTER Team's advisory lists the affected procedures; we link
    to it below.)

    The overflow is related to the way parameters are passed when
    calling these extended stored procedures. If a hacker called one of
    the susceptible procedures and injected a long string of data
    (usually Unicode) into the parameter, the unchecked string would
    overwrite the system's memory. At the very least, this would result
    in your server crashing. However, if the overlong string were crafted
    properly, a savvy hacker could use this vulnerability to execute
    arbitrary code with full system privileges.

    Keep in mind, the hacker needs a login on your SQL Server to exploit
    this vulnerability. However, obtaining a login may not be as hard as
    you think. By default, Microsoft SQL Server includes a guest
    account. Since a few of these extended stored procedures are
    accessible from the public group, the hacker could exploit this flaw
    using the guest account. To exploit the rest of the procedures, the
    hacker would need Database Administrator (DBA) level access.

    Cerrudo and the SHATTER Team released this advisory straight to the
    public without first informing Microsoft. As such, this
    vulnerability has yet to be confirmed by Microsoft or a third party.
    However, Cerrudo has proven himself to be a reliable source in the
    "I used to be with IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
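
The guest/public exposure described in the post above, as an added T-SQL check that is not part of the original post or of the SHATTER advisory. It lists the extended stored procedures in master that the public role has been granted EXECUTE on, shows whether guest can reach master at all, and prints (rather than runs) REVOKE statements so an administrator can apply them only to the procedures the advisory names. The catalog columns used (sysobjects.xtype = 'X', sysprotects.action = 224, sysusers.hasdbaccess) are the SQL Server 7.0/2000 system tables; the procedure name xp_example in the last step is a hypothetical placeholder, and running as sysadmin is assumed.

```sql
-- Added example, not code from the original post or the SHATTER advisory.
-- Assumes: SQL Server 7.0 or 2000 system catalogs, run by a sysadmin login.
USE master
GO

-- 1. Can an arbitrary login reach master via the guest account?
--    hasdbaccess = 1 means guest is enabled in this database.
SELECT name, hasdbaccess
FROM sysusers
WHERE name = 'guest'
GO

-- 2. Which extended stored procedures (xtype 'X') may public execute?
--    sysprotects.action 224 = EXECUTE; protecttype 204/205 = GRANT, 206 = DENY.
SELECT o.name AS xp_name,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
       END AS permission
FROM sysobjects o
JOIN sysprotects p ON p.id = o.id
JOIN sysusers u ON u.uid = p.uid
WHERE o.xtype = 'X'
  AND u.name = 'public'
  AND p.action = 224
ORDER BY o.name
GO

-- 3. Generate REVOKE statements for every XP found in step 2.
--    They are printed, not executed: keep only the ones the advisory
--    lists, since blanket revocation can break applications that rely
--    on harmless procedures.
SELECT 'REVOKE EXECUTE ON ' + o.name + ' FROM public' AS revoke_stmt
FROM sysobjects o
JOIN sysprotects p ON p.id = o.id
JOIN sysusers u ON u.uid = p.uid
WHERE o.xtype = 'X'
  AND u.name = 'public'
  AND p.action = 224
  AND p.protecttype IN (204, 205)   -- only GRANTs, not existing DENYs
ORDER BY o.name
GO

-- 4. Applying one generated statement (xp_example is a hypothetical name;
--    substitute a procedure from the advisory's list):
-- REVOKE EXECUTE ON xp_example FROM public
-- GO
-- Re-run step 2 afterwards; the row for that procedure should no longer appear.
```

Run the script with osql or Query Analyzer against the master database. Step 2 answers the post's question of which procedures a guest or low-privilege login can reach; step 3 turns that into a reviewable workaround, and repeating step 2 after each REVOKE confirms the change took effect.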

  2. #2
    KorpDeath, Priapistic Monk
    Join Date
    Dec 2001
    You're just full of good news today, aren't you... Nice catch. This goes with the CERT warning I just got about Oracle 7, 8, 9i vulnerabilities. This is not looking good.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member
    Join Date
    Dec 2001
    zigar - I've not even finished patching the servers from the last one. Good post, and post the fix link if you get it.
