
Thread: Reading Between the Lines - Security Bulletins

  1. #1
    Junior Member
    Join Date
    Aug 2002
    Posts
    4

    Reading Between the Lines - Security Bulletins

    How do you go about reading between the lines in a security bulletin?

    Take this for example:

    The Microsoft Data Access Components (MDAC) provide a number of supporting technologies for accessing and using databases. Included among these functions is the underlying support for the T-SQL OpenRowSet command. The vulnerability results because the MDAC functions underlying OpenRowSet contain an unchecked buffer. An attacker who submits a database query containing a special, malformed parameter within a call to OpenRowSet could overrun the buffer, either for the purpose of causing the SQL Server to fail or causing the SQL Server service to take actions dictated by the attacker.

    A successful attack using the buffer overflow condition would enable the attacker to run code with the privileges of the SQL Server, in particular those of MDAC. This would give the attacker full control over the database and could give him the ability to obtain administrator privileges on the operating system.
    Another release, same problem:
    In order to exploit the vulnerability, the attacker would need the ability to load and execute a database query on the server. This is strongly discouraged by best practices, and servers that have been configured to prevent this (e.g., with the DisallowAdhocAccess registry setting, as discussed in the FAQ) would not be at risk from the vulnerability.
    * Under default conditions, the system-level privileges gained through a successful attack would be those of a Domain User.
    * Even though MDAC ships as part of all versions of Windows, the vulnerability can only be exploited on SQL Servers. Customers who are not using SQL Server do not need to take action, despite the fact that MDAC may be installed on their systems.
    Now I took it to mean that by doing something with a call to OpenRowSet() (perhaps, say, a form) you could somehow overload the server and get access to an SQL command box or something.
    Now I take it to mean that if you execute an SQL command with a call to OpenRowSet() you could conceivably execute more SQL commands. But if you could issue the first one with the Open..., what would stop you from issuing the second one?

  2. #2
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    Now I take it to mean that if you execute an SQL command with a call to OpenRowSet() you could conceivably execute more SQL commands
    You could do this... but the real issue is shellcode, not extended or embedded SQL commands.
    -droby10
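
The bulletin quoted in this thread describes an oversized parameter inside an ad hoc OpenRowSet call. A defender can look for exactly that in logged queries. The following is an added example, not part of either post or of the bulletin: `MAX_ARG_LEN`, the function names and the sample queries are assumptions made for illustration, since the bulletin does not state the buffer size.

```python
import re

# Assumed threshold: the bulletin gives no buffer size, so tune this value.
MAX_ARG_LEN = 256
OPENROWSET = re.compile(r"openrowset\s*\(", re.IGNORECASE)

def openrowset_args(query):
    """Yield the quoted string arguments of each OPENROWSET call in a query."""
    for m in OPENROWSET.finditer(query):
        i, depth = m.end(), 1
        args, cur, in_str = [], [], False
        while i < len(query) and depth > 0:
            ch = query[i]
            if in_str:
                if ch == "'" and query[i + 1:i + 2] == "'":
                    cur.append("'")      # '' is an escaped quote in T-SQL
                    i += 1
                elif ch == "'":
                    in_str = False
                    args.append("".join(cur))
                else:
                    cur.append(ch)
            elif ch == "'":
                in_str, cur = True, []
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        if in_str:                       # unterminated literal: keep what was read
            args.append("".join(cur))
        yield args

def review(query):
    """Return findings for one logged query: ad hoc use and oversized arguments."""
    findings = []
    for n, args in enumerate(openrowset_args(query), 1):
        findings.append((n, "adhoc-openrowset", None))
        findings += [(n, "oversized-argument", (pos, len(a)))
                     for pos, a in enumerate(args) if len(a) > MAX_ARG_LEN]
    return findings

# Constructed sample queries (not taken from any real log).
SAMPLES = [
    "SELECT name FROM customers WHERE id = 7",
    "SELECT * FROM OPENROWSET('SQLOLEDB', 'server=db1;trusted_connection=yes', 'SELECT 1')",
    "SELECT * FROM OpenRowSet('" + "A" * 2000 + "', 'x', 'SELECT 1')",
]
```

Every OpenRowSet call is reported because the bulletin treats ad hoc queries as discouraged by best practice; the oversized-argument finding is the one that matches the overflow condition it describes.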
