NGSSoftware Insight Security Research Advisory

Name: OpenRowSet Buffer Overflows
Systems: Microsoft SQL Server 2000 and 7, all Service Packs
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/mssql-ors.txt
Date: 2nd July 2002
Advisory number: #NISR02072002
VNA reference: http://www.ngssoftware.com/vna/ms-sql.txt

This advisory covers the solution to one of the problems mentioned in the above VNA URL.

Description
***********
Microsoft's database servers SQL Server 2000 and 7 have a remotely exploitable buffer overrun vulnerability in the OpenRowSet function. OpenRowSet allows users to run ad hoc queries against OLE DB data sources from within the server.

Details
*******
By passing overly long parameters to certain Providers through the OpenRowSet function, an attacker can overwrite program control data, such as saved return addresses on the stack. This allows an attacker to gain control over the SQL Server process and run arbitrary code.

Any code provided by an attacker will execute in the security context of the account used to run SQL Server. Often this is the powerful local SYSTEM account, in which case an attacker can not only compromise all SQL Server data but completely control the operating system too. Where SQL Server is running in the context of a domain user, the attacker will only gain access to the server's data and whatever that account can reach. Neither of these two situations is desirable, and as such SQL Server administrators should patch this as soon as they can.

Fix Information
***************
NGSSoftware alerted Microsoft to this problem on the 15th of May 2002 and they have since released a patch to resolve this problem. Please see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-040.asp for more details.
Further, one can prevent users from running ad hoc queries by setting DisallowAdhocAccess to 1 for each provider under the following registry key: HKLM\Software\Microsoft\MSSQLServer\Providers\. If the value does not exist already, it can be created as a new DWORD value.

A check for this vulnerability has been added to Typhon II, NGSSoftware's vulnerability assessment scanner. More information is available from the NGSSite, http://www.ngssoftware.com/

Further Information
*******************
For more information regarding SQL Injection please read
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

and for more information about buffer overflows please read
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
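The registry hardening described under Fix Information above (DisallowAdhocAccess = 1 for every provider subkey) is the kind of change that is easy to apply to one provider and forget for the rest, so an audit-and-enforce script is worth having. The following PowerShell is an added example and is not part of the NGSSoftware advisory or any Microsoft tooling. It assumes the default-instance key path quoted in the advisory; for a named SQL Server 2000 instance the Providers key lives under HKLM\Software\Microsoft\Microsoft SQL Server\<Instance>\Providers instead, which is why the path is a parameter. The function names (Get-AdhocAccessState, Set-DisallowAdhocAccess) are mine.

```powershell
# Added example (not the advisory's own): audit, and optionally enforce,
# DisallowAdhocAccess = 1 for every OLE DB provider registered with a
# SQL Server 2000 / 7 instance, as recommended in the advisory above.
#
# Assumptions (mine, not stated in the advisory):
#   - Default-instance key path as quoted in the advisory. Named SQL 2000
#     instances keep Providers under
#     HKLM\Software\Microsoft\Microsoft SQL Server\<Instance>\Providers;
#     pass that path with -ProvidersKey.
#   - Run in an elevated shell on the SQL Server host itself.
param(
    [string]$ProvidersKey = 'HKLM:\Software\Microsoft\MSSQLServer\Providers',
    [switch]$Enforce   # without -Enforce the script only reports
)

function Get-AdhocAccessState {
    param([string]$Key)
    # One object per provider subkey: name, current value (or $null if the
    # DWORD has never been created) and whether it is already hardened.
    Get-ChildItem -Path $Key | ForEach-Object {
        $value = (Get-ItemProperty -Path $_.PSPath -Name DisallowAdhocAccess `
                    -ErrorAction SilentlyContinue).DisallowAdhocAccess
        [pscustomobject]@{
            Provider            = $_.PSChildName
            DisallowAdhocAccess = $value
            Hardened            = ($value -eq 1)
        }
    }
}

function Set-DisallowAdhocAccess {
    param([string]$Key)
    Get-ChildItem -Path $Key | ForEach-Object {
        # New-ItemProperty creates the DWORD where it is missing; -Force
        # overwrites an existing 0, so both cases end up at 1.
        New-ItemProperty -Path $_.PSPath -Name DisallowAdhocAccess `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

if (-not (Test-Path -Path $ProvidersKey)) {
    Write-Error "Providers key not found: $ProvidersKey"
    exit 1
}

$before = @(Get-AdhocAccessState -Key $ProvidersKey)
$before | Format-Table -AutoSize

if ($Enforce) {
    Set-DisallowAdhocAccess -Key $ProvidersKey
    Write-Host 'After enforcement:'
    Get-AdhocAccessState -Key $ProvidersKey | Format-Table -AutoSize
}
else {
    $open = @($before | Where-Object { -not $_.Hardened })
    if ($open.Count -gt 0) {
        Write-Warning ('{0} provider(s) still allow ad hoc access: {1}' -f `
            $open.Count, (($open | ForEach-Object { $_.Provider }) -join ', '))
    }
}
```

Run it once without -Enforce to see which providers are open, then with -Enforce to set the value everywhere. The registry change only disables ad hoc OPENROWSET access through those providers; it does not remove the overflow itself, so it is a complement to the MS02-040 patch, not a substitute for it.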