From advisories@ATSTAKE.COM Fri Dec 1 16:31:01 2000
From: "@stake Advisories"
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Fri, 1 Dec 2000 15:51:51 -0500
Subject: [BUGTRAQ] @stake Advisory: Microsoft SQL Server extended stored procedure vulnerability (A120100-1)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                              @stake Inc.
                            www.atstake.com
                           Security Advisory

Advisory Name: Microsoft SQL Server extended stored procedure vulnerability
 Release Date: 12/01/2000
  Application: MS SQL Server 7.0 - all service packs
               MS SQL Server 2000
     Platform: Windows NT 4.0 / 2000
     Severity: There are several buffer overflow conditions that could
               result in execution of arbitrary code or a denial of service.
       Author: David Litchfield [dlitchfield@atstake.com]
Vendor Status: Vendor has patch, see below
          Web: www.atstake.com/research/advisories/2000/a120100-1.txt

Overview:

Microsoft's database server, known as SQL Server, contains several buffer
overrun vulnerabilities that can be remotely exploited to execute arbitrary
computer code on the affected system, thus allowing an attacker to gain
complete control of the server. In situations where the SQL Server is
protected by a firewall, it may still be possible to launch this attack
through a connecting web server - though this depends on how secure the web
server's application is.

Details:

To add further functionality to SQL Server there are extended stored
procedures that perform one task or another. When an overly long string
parameter is provided to several of these procedures a buffer is overrun.
Ironically, it appears that these overruns occur in part of the exception
handling calls made by SQL Server to protect itself. The procedures known to
be vulnerable are xp_displayparamstmt, xp_enumresultset, xp_showcolv and
xp_updatecolvbm.

Each of these stored procedures is exported by xprepl.dll and may be
executed by PUBLIC, ostensibly everyone who can log in to the database
server, even low privileged logins. If the overruns are exploited the code
runs in the context of the powerful SYSTEM account.

Once the overflow occurs, the EAX register points to the user supplied data,
and to force the processor to execute code supplied in this buffer the saved
return address would need to be overwritten by an address that contained a
'jmp eax' or 'call eax' instruction. Examining the DLLs loaded into the
address space shows that the DLL with the vulnerability, xprepl.dll, does
not change across SQL service packs, with SQL Server 7 at least. If such an
instruction could be found in this DLL's address space then any proof of
concept code would work across all SQL service packs. As it happens these
instructions do not exist in this DLL. However, a 'call esi' instruction
exists, and on overrun the ESI register points to 4 bytes above where the
saved return address is overwritten. By overwriting the saved return address
with the address that contains the 'call esi' instruction and by setting the
bytes at ESI to FF E0 (jmp eax), when the 'call esi' executes, the 'jmp eax'
executes and the code has "stepped over" the DWORD that overwrote the saved
return address.

Proof of Concept:

Source code available at:
http://www.atstake.com/research/advisories/2000/sqladv-poc.c

Vendor Response:

Microsoft has released a bulletin describing this issue:
http://www.microsoft.com/technet/security/bulletin/ms00-092.asp

Microsoft has released a patch to fix this problem:
http://support.microsoft.com/support/sql/xp_security.asp

Recommendation:

Disallow PUBLIC execute access to these extended stored procedures unless
you need it. Install the vendor supplied patch.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

xp_displayparamstmt - CAN-2000-1081
xp_enumresultset    - CAN-2000-1082
xp_showcolv         - CAN-2000-1083
xp_updatecolvbm     - CAN-2000-1084

Advisory Release policy:
http://www.atstake.com/research/policy/

For more advisories:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOigPU1ESXwDtLdMhEQLfJACfV63OW23pqRnUGAaP79CdgCyU254An13i
H7i221TwYIS90iTyAPnLaaua
=9nvr
-----END PGP SIGNATURE-----
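The advisory's recommendation is to remove PUBLIC execute access from the four xprepl.dll procedures until the vendor patch is applied. The T-SQL below is an added example, not part of the @stake advisory or Microsoft's patch: it audits which extended stored procedures PUBLIC can currently execute, confirms the exporting DLL, and revokes the grant. It is written for SQL Server 7.0 / 2000 system tables and assumes the documented catalog values (sysobjects.xtype = 'X' for extended procedures, sysprotects.action = 224 for EXECUTE, protecttype = 205 for GRANT); run it in master as a member of sysadmin.

```sql
-- Added example (not the advisory's code): audit and revoke PUBLIC execute
-- on the four extended stored procedures named in A120100-1.
-- Assumes SQL Server 7.0 / 2000 catalog layout; extended procedures live in master.
USE master
GO

-- 1. Confirm where each procedure is exported from (the advisory says xprepl.dll).
EXEC sp_helpextendedproc 'xp_displayparamstmt'
EXEC sp_helpextendedproc 'xp_enumresultset'
EXEC sp_helpextendedproc 'xp_showcolv'
EXEC sp_helpextendedproc 'xp_updatecolvbm'
GO

-- 2. Audit: list extended procedures that PUBLIC has been GRANTed EXECUTE on.
--    Catalog constants assumed from SQL Server 2000 documentation:
--    xtype 'X' = extended stored procedure, action 224 = EXECUTE,
--    protecttype 205 = GRANT (206 would be DENY).
SELECT o.name AS extended_proc,
       u.name AS grantee
FROM   sysobjects o
       JOIN sysprotects p ON p.id = o.id
       JOIN sysusers    u ON u.uid = p.uid
WHERE  o.xtype = 'X'
  AND  p.action = 224
  AND  p.protecttype = 205
  AND  u.name = 'public'
  AND  o.name IN ('xp_displayparamstmt', 'xp_enumresultset',
                  'xp_showcolv', 'xp_updatecolvbm')
ORDER BY o.name
GO

-- 3. Mitigation: withdraw PUBLIC execute access, as the advisory recommends.
--    Re-run step 2 afterwards; it should return no rows.
REVOKE EXECUTE ON xp_displayparamstmt FROM public
REVOKE EXECUTE ON xp_enumresultset    FROM public
REVOKE EXECUTE ON xp_showcolv         FROM public
REVOKE EXECUTE ON xp_updatecolvbm     FROM public
GO

-- 4. Per-object view of remaining permissions, for the change record.
EXEC sp_helprotect 'xp_displayparamstmt'
EXEC sp_helprotect 'xp_enumresultset'
EXEC sp_helprotect 'xp_showcolv'
EXEC sp_helprotect 'xp_updatecolvbm'
GO
```

Revoking the grant only closes the door for low-privileged logins; members of sysadmin can still call the procedures, so the revoke is a stopgap alongside the vendor patch, not a substitute for it. Drop the `o.name IN (...)` filter in step 2 to see every extended procedure PUBLIC can execute, which is a useful baseline to keep for later comparison.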