Users login

Create an account »


Users login

Home » Hacking News » BULK INSERT Buffer Overflow

BULK INSERT Buffer Overflow

by Nikola Strahija on July 12th, 2002 Microsoft's SQL Server 2000 contains functionality that allows a database owner to populate a table with data with one fell swoop using the 'BULK INSERT' query. This functionality contains a remotely exploitable buffer overrun vulnerability that can be exploited by an attacker to run arbitrary code.

The 'BULK INSERT' query will take a user supplied file name and insert the
contents of this file into a specified table. By supplying an overly long
filename to the query, a buffer is overflowed and the saved return address
stored on the stack is overwritten. This allows the attacker to gain control
over the process'
execution. SQL Server 2000 can be run in the security context of a domain
account or LOCAL SYSTEM, so depending upon the particular setup, an attacker
may be able to gain complete control over the vulnerable system.

To be able to use the 'BULK INSERT' query one must have the privileges of
the database owner or dbo. Note this does not necessarily imply 'sa'

Another point to note is that whilst this overflow is 'UNICODE' in nature by
supplying code as a UNICODE string exploitation is made easier.

Fix Information
NGSSoftware alerted Microsoft to this problem on the 28th May 2002.
Microsoft have created a patch.

Please see their bulletin for more details:

Whilst NGSSoftware rate this as a medium risk issue, we still urge customers
to apply the patch as soon as is possible as it contains fixes for other
issues such as a buffer overflow in the pwdencrypt() function.

Further Information

For further information about the scope and effects of buffer overflows,
please see

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »