Bugtraq mailing list archives

List of extended sprocs that are vulnerable? FW: Microsoft Security Bulletin MS02-020


From: "Toni Lassila" <toni.lassila () mc-europe com>
Date: Thu, 18 Apr 2002 12:50:53 +0300

This MS bulletin mentions several extended stored procedures are
vulnerable. Does anyone have a list or an idea if any of these have by
default exec permissions for the group 'public'?

At least one confirmed case of buffer overflow:


xp_enumgroups '<long string>'

[Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionCheckForData
(CheckforData()).
Server: Msg 11, Level 16, State 1, Line 0
General network error. Check your network documentation.

Connection Broken


And in the event log:

Error: 0, Severity: 19, State: 0
SqlDumpExceptionHandler: Process 53 generated fatal exception c0000005
EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process. 

Error: 0, Severity: 21, State: 0
SQL Server is aborting. Fatal exception 0 caught. 


SQL Server has to be manually restarted after the second time this crash
occurs. This is on SQL Server 2000 (8.00.194) with no SPs, running on
Windows 2000 Server SP2.

HOWEVER, xp_enumgroups requires sysadmin privileges:

"Execute permissions for xp_enumgroups default to members of the db_owner
fixed database role in the master database and members of the sysadmin
fixed server role, but can be granted to other users."

So unless you explicitly give this right to some user/login it won't be
an issue. The sysadmin can crash it anyways. My worry is, there are a
bunch of other extended stored procs listed in the master DB that might
have similar vulnerability but not restricted as to who can execute them.

If this indeed is the case then the patch is a "must-install" if you
allow workstations to connect directly and login to your SQL Server.


-----Original Message-----
From: Microsoft
[mailto:0_29486_DD755D68-884D-464F-9160-D7BC19343BFF_US@Newsletters.Microsoft.com]
Sent: Thursday, April 18, 2002 4:38
To: Toni Lassila
Subject: Microsoft Security Bulletin MS02-020:SQL Extended Procedure
Functions Contain Unchecked Buffers (Q319507)

Issue:
======
SQL Server 7.0 and 2000 provide for extended stored procedures,
which are external routines written in a programming language such
as C. These procedures appear to users as normal stored procedures
and are executed in the same way. SQL Server 7.0 and 2000 include
a number of extended stored procedures which are used for various
helper functions 

-- 
Toni Lassila        toni.lassila () mc-europe com
Operations Engineer           +358 9 5655 1882
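
The question raised in the message above (which extended stored procedures in master can be executed by 'public') can be answered from the server's own permission tables. The query below is an added example, not part of the original post or the Microsoft bulletin; it assumes the SQL Server 2000 system tables sysobjects and sysprotects, where xtype 'X' marks an extended stored procedure, action 224 is EXECUTE, protecttype 204/205 are grants, and uid 0 is the 'public' role.

```sql
-- Added example: audit EXECUTE grants on extended stored procedures
-- held by 'public' in the master database (SQL Server 2000 system tables).
USE master
GO

SELECT
    o.name                      AS extended_proc,
    USER_NAME(p.uid)            AS grantee,
    CASE p.protecttype
        WHEN 204 THEN 'GRANT_W_GRANT'
        WHEN 205 THEN 'GRANT'
    END                         AS grant_type,
    USER_NAME(p.grantor)        AS granted_by,
    -- Statement text only, for review; nothing is revoked by this query.
    'REVOKE EXECUTE ON [' + o.name + '] FROM public'
                                AS candidate_revoke
FROM sysobjects  AS o
JOIN sysprotects AS p
    ON p.id = o.id
WHERE o.xtype = 'X'              -- extended stored procedures only
  AND p.action = 224             -- EXECUTE permission
  AND p.protecttype IN (204, 205) -- granted (with or without grant option)
  AND p.uid = 0                  -- grantee is the 'public' role
ORDER BY o.name
GO

-- Same check for one named procedure, using the documented helper:
EXEC sp_helprotect 'xp_enumgroups'
GO
```

Any row returned is a procedure that every login with access to master can call; the candidate_revoke column is output to review against what client tools need before it is run.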

