Another Sql Server 7 Buffer Overflow
From: c c <cesarc56 () yahoo com>
Date: Tue, 5 Mar 2002 08:20:04 -0800 (PST)
Name : Another Sql Server 7 Buffer Overflow
System Affected : Sql Server 7 all service packs and fixes, ver. 7.00.1021
Severity : High.
Remote Exploit: Yes
Author: Cesar Cerrudo.
Advisory Number: CC030202
The extended stored procedure xp_dirtree allows ALL
users to retrieve the subdirectory structure of a
given drive or folder.
The buffer overflow occurs when an overly long string
is supplied:
xp_dirtree 'XXXXXX...'----> many, many X's
I did some tests and it seems that in that way it is hard
or impossible to exploit. But if you pass the parameter
as Unicode:
xp_dirtree N'XXXXXX...'----> many, many X's
then you can crash the server and exploit the buffer
overflow. Unicode buffer overflows are a bit harder to
exploit but not impossible.
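As an added example (not part of the original advisory), the check a defender could run over captured batch text, for instance the TextData of a SQL Profiler/trace SQL:BatchStarting event: it finds xp_dirtree calls, records whether the argument used the N'' Unicode prefix the post singles out, and flags arguments longer than a plausible directory path. The 260-character threshold (Windows MAX_PATH) and the sample batches are assumptions constructed for the example.

```python
import re

# One xp_dirtree call and its first string-literal argument. Accepts an
# optional EXEC/EXECUTE, an optional master.. prefix and the N'' Unicode
# prefix. Inside a T-SQL literal a doubled quote ('') is an escaped quote,
# so the body pattern allows it.
XP_DIRTREE_CALL = re.compile(
    r"(?:exec(?:ute)?\s+)?(?:master\s*\.\s*\.\s*)?xp_dirtree\s+"
    r"(?P<nprefix>N)?'(?P<arg>(?:[^']|'')*)'",
    re.IGNORECASE,
)

# Assumption: a legitimate directory argument never exceeds MAX_PATH.
MAX_PATH_LEN = 260


def inspect_batch(batch, max_len=MAX_PATH_LEN):
    """Return one finding per xp_dirtree call found in a T-SQL batch."""
    findings = []
    for m in XP_DIRTREE_CALL.finditer(batch):
        arg = m.group("arg").replace("''", "'")  # unescape doubled quotes
        findings.append({
            "unicode": m.group("nprefix") is not None,
            "arg_len": len(arg),
            "suspicious": len(arg) > max_len,
        })
    return findings


def triage(batches):
    """Indices of batches with an overlong xp_dirtree argument, split by
    whether the literal was Unicode (N'...') or a plain ANSI string."""
    unicode_hits, ansi_hits = [], []
    for i, batch in enumerate(batches):
        for f in inspect_batch(batch):
            if f["suspicious"]:
                (unicode_hits if f["unicode"] else ansi_hits).append(i)
    return unicode_hits, ansi_hits


# Constructed sample batches standing in for captured trace TextData.
SAMPLE_BATCHES = [
    "EXEC master..xp_dirtree 'C:\\Data'",
    "xp_dirtree N'C:\\Program Files'",
    "xp_dirtree N'" + "X" * 2000 + "'",
    "exec xp_dirtree '" + "A" * 600 + "'",
    "SELECT name FROM sysobjects",
]

if __name__ == "__main__":
    print("overlong unicode / ansi batches:", triage(SAMPLE_BATCHES))
```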
Fix : Drop the extended stored procedure and its DLL.
Vendor Status :
Microsoft was not contacted.
--------------->More coming soon...<-----------------
Important Note to security researchers:
I'm doing some research in Sql Server security and I
have found many, many interesting things (vulns,
overflows, etc.), but I don't have the proper
equipment nor systems and PCs to do extensive tests.
So people who are interested in doing research in Sql
Server and have the knowledge and resources, feel free
to contact me.
cesarc56 () yahoo com