Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [VulnWatch] Notes on the SQL Cumulative patch
From: Dave Aitel <dave () immunitysec com>
Date: 03 Oct 2002 12:16:36 -0400

People in Immunity's Vulnerability Disclosure Club or people who have
purchased CORE Impact or people who have written their own SQL Server
Hello exploit can verify that this statement from the Microsoft Advisory
is, in fact, completely untrue.

The default install, in fact, every install I've run into, gives you
LOCAL/SYSTEM. LOCAL/SYSTEM usually has significant privileges. 

Dave Aitel
Immunity, Inc.

"Unchecked buffer in SQL Server 2000 authentication function

What’s the scope of this vulnerability?

This is a buffer overrun vulnerability. By sending a specially malformed
login request to an affected server, an attacker could either cause the
SQL Server service to fail or gain control over the database. It would
not be necessary for the user to successfully authenticate to the server
in order to exploit the vulnerability.

This vulnerability only affects SQL Server 2000 and MSDE 2000. Although
the vulnerability would provide a way to gain control over the database,
it would not, under default conditions, grant the attacker significant
privileges at the operating system level. "

On Thu, 2002-10-03 at 10:56, David Litchfield wrote:
The cumulative patch at
02-056.asp addresses 4 vulnerabilities in SQL Server 7 and 2000. Dave
Aitel's (www.immunitysec.com) "hello" bug (unauthenticated  buffer overflow
during authentication) is patched here.

Also addressed is the file overwrite vulnerability discussed here

The Microsoft advisory states that "operating system" commands can be
inserted into files - the implication being that batch files can be dropped
into startup folders. This is not true for SQL Server 2000. The text of the
file created is UNICODE, i.e. each character taking two bytes with the
second byte being a NULL. This NULL prevents OS commands from being
executed. The risk posed to SQL Server 2000 systems then is file overwrite
such as ntoskrnl.exe

Please note that I have not tested this on SQL Server 7 and what MS says may
be true about being able to run OS commands on this version - I have a
feeling it is not, though.

It is important that the patch be installed as soon as is possible to fix
Dave Aitel's issue but for the file overwrite issue drop public access from
the relevant stored procedures in the interim as a workaround:

revoke execute on sp_add_job from public
revoke execute on sp_add_jobstep from public
revoke execute on sp_add_jobserver from public
revoke execure on sp_start_job from public

David Litchfield
A check for these issues already exists in NGSSQuirreL
(http://www.nextgenss.com/software/ngssquirrel.html ) and an update is being
made now to cover the other two issues.

Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]