Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Microsoft SQL Server OLE DB Provider Name Buffer Overflow Vulnerability

Microsoft SQL Server OLE DB Provider Name Buffer Overflow Vulnerability

by Nikola Strahija on February 23rd, 2002 Microsoft SQL Server does not perform proper bounds checking of the provider arguments to the OpenDataSource and OpenRowset functions. As a result, it is possible to cause a buffer overflow condition to occur by providing an excessively long string as a provider name in a query.


Successful exploitation may allow an attacker to execute arbitrary code with the privileges of the database.

There is a possibility that this issue may be exploited remotely, either via a distributed SQL queries or potentially via a SQL injection attack.

Remote: Yes

Exploit: There is no exploit code.

Solution: Microsoft has released fixes:




Microsoft SQL Server 2000 SP2:

Microsoft Patch Q316333
http://support.microsoft.com/default.aspx?scid=http://download.microsoft.com/download/SQLSVR2000/Update/8.00.0578/W982KMeXP/EN-US/8.00.0578.exe

Microsoft SQL Server 2000 SP1:
Microsoft SQL Server 2000 :
Microsoft SQL Server 7.0SP3 alpha:

Microsoft Patch Q318268
http://support.microsoft.com/default.aspx?scid=http://download.microsoft.com/download/sql70/Update/s71021a/ALPHA/EN-US/s71021a.exe

Microsoft SQL Server 7.0SP3:

Microsoft Patch Q318268
http://support.microsoft.com/default.aspx?scid=http://download.microsoft.com/download/sql70/Update/s71021i/WIN98MeXP/EN-US/s71021i.exe

Microsoft SQL Server 7.0SP2 alpha:
Microsoft SQL Server 7.0SP2:
Microsoft SQL Server 7.0SP1 alpha:
Microsoft SQL Server 7.0SP1:
Microsoft SQL Server 7.0alpha:
Microsoft SQL Server 7.0:


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »