Bugtraq mailing list archives
SQL Server Vulnerability details
From: chipandrews () USA NET (Chip Andrews)
Date: Sat, 18 Mar 2000 17:40:48 -0500
Due to the apparent blackout of information about the "SQL Query Abuse" advisory

http://www.microsoft.com/technet/security/bulletin/ms00-014.asp

I wanted to point any interested parties to an English description of the vulnerability by Sven Hammesfahr. The detailed description is on his website at

http://itrain.de/sql/knowhow/security/openrowsete.htm

Also, the "little trick" he refers to is in my opinion the addition of SET FMTONLY OFF before the execute statement to keep the query from returning metadata only. An example exploit would be:

    SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver','SET FMTONLY OFF execute master..xp_cmdshell "dir c:\"')

Test your servers ASAP to keep from becoming a statistic...

-----------------------------------------
Chip Andrews, MCSE+I, MCSD
http://www.sqlsecurity.com
http://www.eexams.com
------------------------------------------
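Added example, not part of the original post or of the Microsoft bulletin: a Python check over logged SQL text that flags OPENROWSET pass-through queries containing SET FMTONLY OFF or xp_cmdshell, the pattern the post describes. The sample statements, flag names and function names (`call_literals`, `inspect`) are constructed for illustration.

```python
import re

OPENROWSET = re.compile(r"\bOPENROWSET\s*\(", re.I)
FMTONLY_OFF = re.compile(r"\bSET\s+FMTONLY\s+OFF\b", re.I)
XP_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.I)
TRUSTED = re.compile(r"Trusted_Connection\s*=\s*Yes", re.I)

# Constructed sample statements, as they might appear in a SQL trace or web log.
SAMPLES = [
    "SELECT name FROM sysobjects WHERE type = 'U'",
    "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver',"
    "'SET FMTONLY OFF execute master..xp_cmdshell \"dir c:\\\"')",
    "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=rpt','SELECT id FROM orders')",
    "select * from openrowset ( 'SQLOLEDB', 'Trusted_Connection=Yes;Data Source=db2', 'set  fmtonly  off exec sp_who' )",
]

def call_literals(sql, pos):
    """Collect the single-quoted literals of the call whose '(' ends at pos."""
    args, depth = [], 1
    while pos < len(sql) and depth:
        ch = sql[pos]
        if ch == "'":                      # T-SQL literal; '' is an escaped quote
            pos, buf = pos + 1, []
            while pos < len(sql):
                if sql[pos] == "'":
                    if sql[pos + 1:pos + 2] != "'":
                        break
                    pos += 1               # skip the first quote of the '' pair
                buf.append(sql[pos])
                pos += 1
            args.append("".join(buf))
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        pos += 1
    return args

def inspect(sql):
    """Return one flag list per OPENROWSET call whose pass-through query is suspicious."""
    findings = []
    for m in OPENROWSET.finditer(sql):
        args = call_literals(sql, m.end())
        if len(args) < 3:                  # not the provider/connection/query form
            continue
        checks = (("fmtonly-off", FMTONLY_OFF, args[2]), ("xp_cmdshell", XP_CMDSHELL, args[2]),
                  ("trusted-connection", TRUSTED, args[1]))
        flags = [name for name, rx, text in checks if rx.search(text)]
        if flags and flags != ["trusted-connection"]:
            findings.append(flags)
    return findings
```

An ordinary pass-through SELECT over a trusted connection is not reported; only calls whose query text disables FMTONLY or invokes xp_cmdshell are.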