
Microsoft SQL Server 2000 OpenDataSource Buffer Overflow

by Nikola Strahija on June 19th, 2002

Microsoft's database server SQL Server 2000 has a remotely exploitable buffer overrun vulnerability in the OpenDataSource function when combined with the MS Jet Engine. Because this is a JET problem, other products may also be vulnerable; however, the fix for all products should be the same. Please see the "Fix Information" section for more details.


Details
*******
By making a specially crafted SQL query using the OpenDataSource function it
is possible to overflow a buffer in the SQL Server process, gaining control
of its execution remotely. If the SQL Server is running with SYSTEM
privileges (the default behaviour), any code supplied by the attacker in an
exploit of the overflow will run uninhibited. Whilst the overflow is UNICODE
in nature, as will be shown, it is still very easy to exploit.

What must be stressed is that this may be launched via a web server
application if that application is vulnerable to SQL Injection. The absence
of direct access to the SQL Server from the Internet therefore does not mean
it is safe. All customers running SQL Server should check their patch level.
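As an added defensive example (not part of the advisory), the Python below scans query-log lines for OpenDataSource calls whose arguments are unusually long, the one signal the advisory's description of a "specially crafted" call gives a defender. The log line format, the sample lines and the 256-character threshold are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample query-log lines (not from the advisory): one ordinary
# OpenDataSource call, one unrelated query, one call with an oversized argument.
SAMPLE_LOG = [
    "2002-06-19 10:01:02 spid51 SELECT * FROM OpenDataSource("
    "'Microsoft.Jet.OLEDB.4.0', 'Data Source=C:\\db.mdb')...[Table]",
    "2002-06-19 10:01:03 spid52 SELECT name FROM sysobjects",
    "2002-06-19 10:01:04 spid53 SELECT * FROM OPENDATASOURCE("
    "'Microsoft.Jet.OLEDB.4.0', '" + "A" * 600 + "')...[t]",
]

MAX_ARG_LEN = 256  # assumed threshold; tune to legitimate connection-string sizes
CALL_RE = re.compile(r"opendatasource\s*\(", re.IGNORECASE)


def split_args(text: str, start: int) -> List[str]:
    """Return the argument list of the call whose '(' is at text[start].
    Respects single-quoted strings (with '' escapes) and nested parentheses."""
    args, cur, depth, in_str = [], [], 0, False
    i = start + 1
    while i < len(text):
        c = text[i]
        cur.append(c)
        if in_str:
            if c == "'":
                if i + 1 < len(text) and text[i + 1] == "'":
                    cur.append("'")
                    i += 1          # escaped quote inside the string
                else:
                    in_str = False
        elif c == "'":
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:
                cur.pop()           # drop the closing paren of the call
                args.append("".join(cur).strip())
                return args
            depth -= 1
        elif c == "," and depth == 0:
            cur.pop()
            args.append("".join(cur).strip())
            cur = []
        i += 1
    args.append("".join(cur).strip())  # unterminated call: keep what we have
    return args


def find_suspicious(lines: List[str], max_len: int = MAX_ARG_LEN) -> List[Tuple[int, int]]:
    """Return (line_no, longest_arg_len) for each OpenDataSource call exceeding max_len."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CALL_RE.finditer(line):
            longest = max((len(a) for a in split_args(line, m.end() - 1)), default=0)
            if longest > max_len:
                hits.append((n, longest))
    return hits
```

Running `find_suspicious(SAMPLE_LOG)` flags only the third line, whose second argument is 602 characters including its quotes.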


Simple Proof of Concept
***********************
This Transact SQL Script will create a file called "SQL-ODSJET-BO" on the
root of the C: drive on Windows 2000 SP 2 machines.







Fix Information
***************
NGSSoftware alerted Microsoft to this problem on the 16th of May 2002 and,
after investigation, Microsoft recommends that customers upgrade their
version of Jet. The latest version is available from here:

http://www.microsoft.com/windows2000/downloads/recommended/q282010/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D38002%26area%3Dsearch%26ordinal%3D2%26redirect%3Dno


A check for this vulnerability has been added to Typhon II, NGSSoftware's
vulnerability assessment scanner; more information is available from the
NGSSoftware site, http://www.ngssoftware.com/

Further Information
*******************
For more information regarding SQL Injection please read

http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

and for more information about buffer overflows please read

http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf


