OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: c c (cesarc56yahoo.com)
Date: Tue Feb 19 2002 - 09:55:06 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                                    Security Advisory

    Name : MSDE, Sql Server 7 & 2000 Adhoc
    Heterogenous Queries Buffer Overflow and DOS.
    System Affected: MSDE, Sql Server 7, Sql Server 2000
    with all service packs and fixes applied.
    Severity: High
    Author: Cesar Cerrudo.
    Date: 19th February 2002
    Advisory Number: CC020201

    Description:

    Distributed queries access data from multiple
    heterogeneous data sources, which can be stored in
    either
    the same or different computers. Microsoft SQL Server
    supports distributed queries by using OLE DB,
    the Microsoft specification of an application
    programming interface (API) for universal data access.
    Distributed queries provide SQL Server users with
    access to:
    -Distributed data stored in multiple computers that
    are running SQL Server.
    -Heterogeneous data stored in various relational and
    non-relational data sources that can be accessed using

    an OLE DB provider.

    You can reference heterogeneous OLE DB data sources in
    Transact-SQL statements by:
    -Linked servers , OpenQuery funtion.
    -OpenDataSource and OpenRowset functions.

    OpenDataSource and OpenRowset functions are accessible
    to all users and contain an unchecked buffer in
    one of its parameters. The buffer overflow and DOS
    problem ocurr when an overly long string is supplied
    in
    the "provider name" parameter.

    Details:

    In Sql server 7 overflow starts at character number
    6819 and if the amount
    of characteres is >= 6918 the server will crash :

    SELECT *
    FROM OpenDataSource(
    'XXXXXXXXXXX...' ---> 6819 characteres or more
    ,'')...nothing

    SELECT * FROM OPENROWSET(
    'XXXXXXXXXXX...' ---> 6819 characteres or more
    ,'',
    '')

    In Sql server 2000 overflow starts at character number
    6887 and if the amount
    of characteres is >= 6998 the server will crash :

    SELECT *
    FROM OpenDataSource(
    'XXXXXXXXXXX...' ---> 6887 characteres or more
    ,'')...nothing

    SELECT * FROM OPENROWSET(
    'XXXXXXXXXXX...' ---> 6887 characteres or more
    ,'',
    '')

    Depend on de amount of characters some registry values
    are overwriten.
    Try with this examples and then take a look at the
    dump file.

    Patch Available:
    NONE

    Workaround:
    Shutdown the servers.

    Vendor Status :
    Microsoft was contacted. When i contacted them i
    explicitly told them that i would apply RFPolicy v2.
    They asked me for the details and i gave it to them
    and then they told me that they would contact me
    again.
    The first time they walk in the edge of the policy and
    in the 5th day they contacted me again. Now i havent
    been
    contacted by them in the last 8 days, so i disclose
    the information. Maybe this is a new Microsoft's
    policy, to not
    contact the researcher in the proper time and not
    expend time in writing a three words mail.
    One more thing Microsoft doesn't digitally sign the
    mails from the Security Response Center when they
    contact you,
    i think this is a vulnerability.

    I discover another 3 or 4 security holes in sql server
    with diverse severity, i will release them soon.

    Dont blame me for this please, blame
    MICROSOFT!!!!!!!!!.

    __________________________________________________
    Do You Yahoo!?
    Yahoo! Sports - Coverage of the 2002 Olympic Games
    http://sports.yahoo.com