September 15th, 2002, 04:07 PM
Reading Between the Lines - Security Bulletins
How do you go about reading between the lines in a security bulletin?
Take this for example:
Another release, same problem:
The Microsoft Data Access Components (MDAC) provide a number of supporting technologies for accessing and using databases. Included among these functions is the underlying support for the T-SQL OpenRowSet command. The vulnerability results because the MDAC functions underlying OpenRowSet contain an unchecked buffer. An attacker who submits a database query containing a special, malformed parameter within a call to OpenRowSet could overrun the buffer, either for the purpose of causing the SQL Server to fail or causing the SQL Server service to take actions dictated by the attacker.
A successful attack using the buffer overflow condition would enable the attacker to run code with the privileges of the SQL Server, in particular those of MDAC. This would give the attacker full control over the database and could give him the ability to obtain administrator privileges on the operating system.
Now I took it to mean that by doing something with a call to OpenRowSet() (perhaps say a form) you could somehow overload the server and get access to an SQL command box or something.
In order to exploit the vulnerability, the attacker would need the ability to load and execute a database query on the server. This is strongly discouraged by best practices, and servers that have been configured to prevent this (e.g., with the DisallowAdhocAccess registry setting, as discussed in the FAQ) would not be at risk from the vulnerability.
* Under default conditions, the system-level privileges gained through a successful attack would be those of a Domain User.
* Even though MDAC ships as part of all versions of Windows, the vulnerability can only be exploited on SQL Servers. Customers who are not using SQL Server do not need to take action, despite the fact that MDAC may be installed on their systems.
Now I take it to mean that if you execute an SQL command with a call to OpenRowSet() you could conceivably execute more SQL commands. But if you could issue the first one with the Open..., what would stop you from issuing the second one?
September 15th, 2002, 09:00 PM
You could do this... but the real issue is shellcode, not extended or embedded SQL commands.
Now I take it to mean that if you execute an SQL command with a call to OpenRowSet() you could conceivably execute more SQL commands
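The bulletin quoted in the first post gives a defender two concrete handles: the attacker must already be able to submit a query that calls OpenRowSet, and the dangerous part is a malformed parameter inside that call (as the reply says, shellcode, not extra SQL). The following Python is an added example, not code from this thread or from Microsoft: it scans a few constructed query-log lines for ad hoc OPENROWSET/OPENDATASOURCE calls and raises the severity when a string literal inside the call is oversized or carries non-printable bytes. The log line format, the login names and the 128-byte threshold are all assumptions for the example; the DisallowAdhocAccess setting named in the "info" reason is the one the bulletin itself recommends.

```python
import re
from dataclasses import dataclass

# Matches the T-SQL ad hoc connection functions the bulletin is about.
ADHOC_RE = re.compile(r"\bOPEN(?:ROWSET|DATASOURCE)\s*\(", re.IGNORECASE)

# Assumed policy threshold: legitimate provider/connection strings are short.
MAX_LITERAL_LEN = 128

# Constructed sample log lines (not real captures): "<date> <time> <login> <sql>".
SAMPLE_LOG = [
    "2002-09-15 14:07:01 webapp SELECT name FROM customers WHERE id = 42",
    "2002-09-15 14:07:02 reports SELECT * FROM OPENROWSET('MSDASQL', "
    "'DSN=reports', 'SELECT * FROM sales')",
    "2002-09-15 14:07:03 webapp SELECT * FROM OPENROWSET('SQLOLEDB', '"
    + "A" * 300 + "', 'SELECT 1')",
    "2002-09-15 14:07:04 webapp SELECT * FROM OPENROWSET('SQLOLEDB', "
    "'srv\x90\x90\x01', 'SELECT 1')",
]


@dataclass
class Finding:
    line_no: int
    login: str
    severity: str
    reason: str
    sql: str


def string_literals(sql):
    """Return the contents of T-SQL single-quoted literals, honouring '' escapes."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        j, buf = i + 1, []
        while j < n:
            if sql[j] == "'":
                if j + 1 < n and sql[j + 1] == "'":   # doubled quote = escaped quote
                    buf.append("'")
                    j += 2
                    continue
                break                                  # closing quote
            buf.append(sql[j])
            j += 1
        out.append("".join(buf))
        i = j + 1
    return out


def check_query(sql):
    """Return (severity, reason) for an ad hoc access call, or None if not one."""
    if not ADHOC_RE.search(sql):
        return None
    lits = string_literals(sql)
    longest = max((len(s) for s in lits), default=0)
    if longest > MAX_LITERAL_LEN:
        return ("high", f"ad hoc access call with {longest}-byte literal "
                        f"(limit {MAX_LITERAL_LEN})")
    if any(not 0x20 <= ord(c) <= 0x7E for s in lits for c in s):
        return ("high", "ad hoc access call with non-printable bytes in a literal")
    # Every ad hoc call is worth auditing: the bulletin's mitigation is to
    # disable them outright with DisallowAdhocAccess where they are not needed.
    return ("info", "ad hoc access call (confirm it is required; "
                    "otherwise set DisallowAdhocAccess)")


def scan_log(lines):
    """Run check_query over log lines and collect findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        _date, _time, login, sql = line.split(" ", 3)
        result = check_query(sql)
        if result is not None:
            severity, reason = result
            findings.append(Finding(line_no, login, severity, reason, sql))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.login}: {f.reason}")
```

The length and byte-range checks are deliberately crude: they do not decide whether a parameter actually overruns the MDAC buffer, only that it looks nothing like a provider or connection string and that someone who can run ad hoc queries is submitting it. Pair the "high" findings with the bulletin's own fix (patch, and disable ad hoc access on servers that do not need it).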