BULK INSERT Buffer Overflow

July 11th, 2002

NGSSoftware Insight Security Research Advisory

Name: BULK INSERT Buffer Overflow

Systems Affected:  Microsoft SQL Server 2000

Severity: Medium

Category: Buffer Overrun

Vendor URL:   http://www.microsoft.com/

Authors:  Mark Litchfield (mark@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/ms-sqlbi.txt

Date:   11th July 2002

Advisory number: #NISR11072002

VNA Reference:  http://www.nextgenss.com/vna/ms-sql.txt

[Please note that this advisory relates to one of the issues discussed in

the SQL Server VNA. There are still more to be fixed.]

Description

***********

Microsoft’s SQL Server 2000 contains functionality that allows a database

owner to populate a table with data with one fell swoop using the ‘BULK

INSERT’ query. This functionality contains a remotely exploitable buffer

overrun vulnerability that can be exploited by an attacker to run arbitrary

code.

Details

*******

The ‘BULK INSERT’ query will take a user supplied file name and insert the

contents of this file into a specified table. By supplying an overly long

filename to the query, a buffer is overflowed and the saved return address

stored on the stack is overwritten. This allows the attacker to gain control

over the process’

execution. SQL Server 2000 can be run in the security context of a domain

account or LOCAL SYSTEM, so depending upon the particular setup, an attacker

may be able to gain complete control over the vulnerable system.

To be able to use the ‘BULK INSERT’ query one must have the privileges of

the database owner or dbo. Note this does not necessarily imply ’sa’

equivalence.

Another point to note is that whilst this overflow is ‘UNICODE’ in nature by

supplying code as a UNICODE string exploitation is made easier.

Fix Information

***************

NGSSoftware alerted Microsoft to this problem on the 28th May 2002.

Microsoft have created a patch.

Please see their bulletin for more details:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/

bulletin/MS02-034.asp

Whilst NGSSoftware rate this as a medium risk issue, we still urge customers

to apply the patch as soon as is possible as it contains fixes for other

issues such as a buffer overflow in the pwdencrypt() function.

Further Information

*******************

For further information about the scope and effects of buffer overflows,

please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf

http://www.ngssoftware.com/papers/ntbufferoverflow.html

http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf

http://www.ngssoftware.com/papers/unicodebo.pdf

Section Navigation


SC Awards 2008


SC Magazine Awards 2008

NGSSoftware wins 'Best Security Company'.

ITA 2008


2008 International Trade Awards

NGSSoftware named as South-East England regional winners at the 2008 International Trade Awards.

SLBA 2008


South London Business Awards 2008

David Litchfield named as 'Entrepreneur of the Year' at the South London Business Awards 2008.

Latest Vacancies

Experienced CLAS consultant

NGSSoftware are seeking an experienced CLAS consultant capable of writing Security Targets and Evaluation Work Plans for CTAS.

Please send us your CV or resume.

NGS Offices

NGS have offices located in London & St Andrews (UK) and Sydney (Australia).

NGS Consulting

Why do companies around the world – and around the corner – turn to NGS?

Discover what we could do for your business »

NGS Security Training

Find out why we have provided training to some of the world's most security conscious organisations.

Learn from the best!

Speaking Events

We regularly present and speak at international security conferences throughout the world.

OWASP AppSec Europe 2008

AusCERT 2008

ITWeb Security Summit

Customer Testimonials

Read what some of our satisfied customers are saying about us.

NGS Publications

Web Application Hacker's Handbook

Oracle Hacker's Handbook

Database Hacker's Handbook

The Shellcoder's Handbook

SQL Server Security

Configuring IPCop Firewalls


CHECK