[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Microsoft SQL Server extended stored procedure vulnerability

Title: Microsoft SQL Server extended stored procedure vulnerability
Released by: @stake
Date: 1st December 2000
Printable version: Click here 
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





                              @stake Inc.

                            www.atstake.com



                           Security Advisory



Advisory Name: Microsoft SQL Server extended stored procedure vulnerability

 Release Date: 12/01/2000

  Application: MS SQL Server 7.0 - all service packs

          MS SQL Server 2000 

     Platform: Windows NT 4.0 / 2000

     Severity: There are several buffer overflow conditions

               that could result in execution of arbitrary

               code or a denial of service.

       Author: David Litchfield [dlitchfield@atstake.com]

Vendor Status: Vendor has patch, see below

          Web: www.atstake.com/research/advisories/2000/a120100-1.txt





Overview:



Microsoft's database server, known as SQL Server, contains several

buffer overruns vulnerabilities that can be remotely exploited to execute

arbitrary computer code on the affected system, thus allowing an attacker

to gain complete control of the server. In situations where the SQL Server

is protected by a firewall, it may still be possible to launch this attack

through a connecting web server - though this depends on how secure the

web server's application is.





Details:



To add further functionality to SQL server there are extended

stored procedures that perform one task or another. When an overly long

string parameter is provided to several of these procedures a buffer is

overrun. Ironicly it appears that these overruns occur in part of the

exception handling calls made by SQL server to protect itself. The

procdures known to be vulnerable xp_displayparamstmt, xp_enumresultset,

xp_showcolv and xp_updatecolvbm. Each of these stored procedures are

exported by xprepl.dll and may be executed by PUBLIC, ostensibly everyone

who can login to the database server, even low privileged logins. If the

overruns are exploited the code runs in the context of the powerful SYSTEM

account.



Once the overflow occurs, the EAX register points to the user supplied

data and to force the processor to execute code supplied in this buffer

the saved return address would need to be overwritten by an address that

contained a 'jmp eax' or 'call eax' instruction. Examining the DLLs loaded

into the address space shows that the DLL with the vulnerability,

xprepl.dll, does not change across SQL service packs, with SQL Server 7,

at least. If such an instruction could be found in this DLLs address space

then any proof of concept code would work across all SQL service packs. As

it happens these instructions do not exist in this DLL. However, a 'call

esi' instruction exists and on overrun the esi register points to 4 bytes

above where the saved return address is overwritten. By overwriting the

saved return address with the address that contains the 'call esi'

instruction and by setting the bytes at esi to FF E0 (jmp eax), when the

'call esi' executes, the 'jmp eax' executes and the code has "stepped

over" the DWORD that overwrote the saved return address.





Proof of Concept:



   Source code available at:

   http://www.atstake.com/research/advisories/2000/sqladv-poc.c



Vendor Response:



    Microsoft has released a bulletin describing this issue:

    http://www.microsoft.com/technet/security/bulletin/ms00-092.asp



    Microsoft has released a patch to fix this problem:

    http://support.microsoft.com/support/sql/xp_security.asp





Recommendation:



Disallow PUBLIC execute access to these extended stored procedures usless

you need it.



Install the vendor supplied patch.





Common Vulnerabilities and Exposures (CVE) Information:



The Common Vulnerabilities and Exposures (CVE) project has assigned

the following names to these issues.  These are candidates for

inclusion in the CVE list (http://cve.mitre.org), which standardizes

names for security problems.



  xp_displayparamstmt - CAN-2000-1081

  xp_enumresultset - CAN-2000-1082

  xp_showcolv - CAN-2000-1083

  xp_updatecolvbm - CAN-2000-1084



Advisory Release policy: http://www.atstake.com/research/policy/

For more advisories: http://www.atstake.com/research/advisories/

PGP Key: http://www.atstake.com/research/pgp_key.asc



Copyright 2000 @stake, Inc. All rights reserved



-----BEGIN PGP SIGNATURE-----

Version: PGP 7.0



iQA/AwUBOigPU1ESXwDtLdMhEQLfJACfV63OW23pqRnUGAaP79CdgCyU254An13i

H7i221TwYIS90iTyAPnLaaua

=9nvr

-----END PGP SIGNATURE-----






(C) 1999-2000 All rights reserved.