Security Advisory

Name: Another Sql Server 7 Buffer Overflow
System Affected: Sql Server 7, all service packs and fixes, ver. 7.00.1021
Severity: High
Remote Exploit: Yes
Author: Cesar Cerrudo
Date: 03/05/2002
Advisory Number: CC030202

Description:
The extended stored procedure xp_dirtree allows ALL users to retrieve the subdirectory structure of a given drive or folder.

Details:
The buffer overflow occurs when an overly long string is supplied:

xp_dirtree 'XXXXXX...'   ----> many, many X's

I did some tests and it seems that in that way it is hard or impossible to exploit. But if you pass the parameter as Unicode:

xp_dirtree N'XXXXXX...'   ----> many, many X's

then you can crash the server and exploit the buffer overflow. Unicode buffer overflows are a bit harder to exploit but not impossible.

Patch Available: NONE
Workaround: Drop the extended stored procedure and its DLL.
Vendor Status: Microsoft was not contacted.

--------------->More coming soon...<-----------------

Important Note to security researchers:
I'm doing some research in Sql Server security and I have found many, many interesting things (vulns, overflows, etc.), but I don't have the proper equipment nor systems and PCs to do extensive tests. So people who are interested in doing research in Sql Server and have the knowledge and resources, feel free to contact me.

Cesar Cerrudo.
cesarc56@yahoo.com
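The workaround above is to drop xp_dirtree and its DLL. The T-SQL below is an added example, not part of the original advisory, showing how an administrator can first confirm the procedure is registered and that public holds EXECUTE on it, then revoke that blanket grant as an interim step, and finally unregister it. It assumes sysadmin rights in the master database, the SQL Server 7 system-table layout (sysobjects/sysprotects/sysusers), and the sysprotects encoding in which action 224 is EXECUTE and protecttype 205 is GRANT; the DLL file itself still has to be removed at the operating-system level afterwards.

```sql
-- Added example (not from the advisory): audit, restrict, then remove xp_dirtree.
-- Assumes sysadmin rights; run against the master database of a SQL Server 7 instance.
USE master
GO

-- 1. Confirm the extended stored procedure is registered and which DLL backs it.
--    The DLL name returned here is the file to delete from the server's Binn
--    directory once the procedure has been dropped.
EXEC sp_helpextendedproc 'xp_dirtree'
GO

-- 2. Show which database users hold EXECUTE (action 224) on it. A row for the
--    user 'public' with protecttype 205 (GRANT) means every login can call it,
--    which is the exposure the advisory describes.
SELECT o.name AS proc_name,
       u.name AS grantee,
       p.action,
       p.protecttype
FROM sysobjects o
JOIN sysprotects p ON p.id = o.id
JOIN sysusers u ON u.uid = p.uid
WHERE o.name = 'xp_dirtree'
  AND o.xtype = 'X'          -- 'X' = extended stored procedure
  AND p.action = 224         -- 224 = EXECUTE
GO

-- 3. Interim mitigation when the procedure cannot be dropped yet: remove the
--    grant to public so only members of sysadmin can still execute it.
REVOKE EXECUTE ON xp_dirtree FROM public
GO

-- 4. The advisory's workaround: unregister the procedure. After this, delete
--    the DLL reported in step 1 from the file system so it cannot be re-added
--    without an administrator deliberately restoring it.
EXEC sp_dropextendedproc 'xp_dirtree'
GO

-- 5. Verify: the query should now return no rows.
SELECT name FROM sysobjects WHERE name = 'xp_dirtree' AND xtype = 'X'
GO
```

Run step 2 again after step 3 to confirm the public grant is gone before moving to step 4. Test the change on a non-production instance first, since management tooling that browses the server's file system may depend on this procedure and will stop working once it is dropped.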