INFORMATION ALERT

AN EMERGING ISSUE WITH:
MORE BUFFER OVERFLOWS IN MS SQL 7 AND 2000

SEVERITY:
High

DATE:
March 14, 2002

SUMMARY:
On March 13, Cesar Cerrudo of the SHATTER Team posted an advisory
<http://www.appsecinc.com/resources/a...l/02-0000.html>
describing many new buffer overflows in 17 extended stored
procedures shipped with Microsoft SQL Server 7 and 2000. An attacker
could exploit these to crash your SQL Server or, in the worst case,
execute arbitrary code with the privileges of the SQL Server service
account (frequently LocalSystem, i.e. full system privileges). There
is no direct impact on WatchGuard products. Administrators running
Microsoft SQL Server 7 or 2000 should apply the workaround as soon
as possible. No patch is available as of this writing.



EXPOSURE:


Microsoft SQL Server 7 and 2000 include hundreds of extended stored
procedures, implemented as native code in Dynamic Link Libraries
(DLLs). They perform common, useful tasks, are called from
Transact-SQL like ordinary stored procedures, and run inside the SQL
Server process itself.


Cesar Cerrudo has found that 17 of the extended stored procedures
within Microsoft SQL Server 7 and 2000 contain buffer overflows.
(The SHATTER Team's advisory lists the affected procedures; we link
to it below.)


The overflows lie in the way these extended stored procedures handle
their parameters. If an attacker calls one of the susceptible
procedures and passes an overly long string (usually Unicode) as a
parameter, the procedure copies it into a fixed-size buffer without
checking its length and overwrites adjacent memory in the SQL Server
process. At the very least, this crashes your server. If the overlong
string is crafted carefully, a skilled attacker can use it to execute
arbitrary code with the privileges of the SQL Server service account.


Keep in mind that the attacker needs a login on your SQL Server to
exploit this vulnerability. However, obtaining a login may not be as
hard as you think. By default, Microsoft SQL Server includes a guest
account. Since a few of these extended stored procedures are
executable by the public role, an attacker could exploit them through
the guest account. To exploit the remaining procedures, the attacker
would need sysadmin (Database Administrator, DBA) level access.
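The following Transact-SQL is an added example, not code from the WatchGuard alert or from the SHATTER advisory. It shows how an administrator can check which extended stored procedures the public role (and therefore the guest account) may execute, and how to revoke that permission for the procedures the advisory names. It assumes SQL Server 7.0/2000 system tables (sysobjects, sysprotects, sysusers) and a sysadmin login; the procedure names in the IN list are placeholders that must be replaced with the list from the linked advisory.

```sql
-- Added example (not from the WatchGuard alert or the SHATTER advisory).
-- Assumes SQL Server 7.0/2000 system tables and a sysadmin login.
-- Extended stored procedures live in master, so work there.
USE master
GO

-- 1. Which extended stored procedures (sysobjects.xtype 'X') can public
--    execute?  In sysprotects, action 224 = EXECUTE and protecttype 204/205
--    = GRANT (206 = DENY); public's uid in sysusers is 0.
SELECT o.name AS xp_name,
       CASE p.protecttype WHEN 206 THEN 'DENY' ELSE 'GRANT' END AS perm
FROM   sysobjects o
       JOIN sysprotects p ON p.id  = o.id
       JOIN sysusers    u ON u.uid = p.uid
WHERE  o.xtype  = 'X'
  AND  p.action = 224
  AND  u.name   = 'public'
ORDER BY o.name
GO

-- 2. Revoke public's EXECUTE on the procedures the advisory lists.
--    The names below are PLACEHOLDERS (assumption): replace them with the
--    affected procedures named in the SHATTER advisory linked in this alert.
DECLARE @xp  sysname
DECLARE @sql nvarchar(512)
DECLARE xps CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM   sysobjects
    WHERE  xtype = 'X'
      AND  name IN ('xp_placeholder_one', 'xp_placeholder_two')
OPEN xps
FETCH NEXT FROM xps INTO @xp
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against odd characters in object names.
    SET @sql = N'REVOKE EXECUTE ON ' + QUOTENAME(@xp) + N' FROM public'
    PRINT @sql
    EXEC sp_executesql @sql
    FETCH NEXT FROM xps INTO @xp
END
CLOSE xps
DEALLOCATE xps
GO

-- 3. Re-run the query in step 1: the revoked procedures must no longer
--    appear with perm = 'GRANT'.
```

Revoking EXECUTE from public closes the guest-account path only; members of the sysadmin role can still call every extended stored procedure, which is why the alert treats the remaining procedures as a DBA-level exposure. Before revoking, check whether any application logins rely on the affected procedures, and grant them EXECUTE individually rather than leaving the permission on public.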


Cerrudo and the SHATTER Team released this advisory straight to the
public without first informing Microsoft. As such, the vulnerability
has yet to be confirmed by Microsoft or by a third party. However,
Cerrudo has proven himself to be a reliable source in the past.