OpenRowSet Buffer Overflows

July 2nd, 2002

NGSSoftware Insight Security Research Advisory

Name: OpenRowSet Buffer Overflows

Systems: Microsoft SQL Server 2000 and 7, all Service Packs

Severity: High Risk

Category: Remote Buffer Overrun Vulnerability

Vendor URL: http://www.microsoft.com/

Author: David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/mssql-ors.txt

Date: 2nd July 2002

Advisory number: #NISR02072002

VNA reference : http://www.ngssoftware.com/vna/ms-sql.txt

This advisory covers the solution to one of the problems mentioned in the above VNA URL.

Description
***********

Microsoft’s database servers SQL Server 2000 and 7 have a remotely exploitable buffer overrun vulnerability in the OpenRowSet function. OpenRowSet allows users to run ad hoc queries on the server.

Details
*******

By passing overly long parameters to certain Providers using the OpenRowSet function, an attacker can overwrite program control data, such as saved return addresses on the stack. This allows an attacker to gain control over the SQL Server process and run arbitrary code. Any code provided by an attacker will execute in the security context of the account used to run SQL Server. Often this is the powerful local SYSTEM account, and in this case an attacker can not only compromise all SQL Server data but completely control the operating system too. Where SQL Server is running in the context of a domain user, an attacker will only gain access to the server’s data. Neither of these two situations is desirable, and as such SQL Server administrators should patch this as soon as they can.

Fix Information
***************

NGSSoftware alerted Microsoft to this problem on the 15th of May 2002 and they have since released a patch to resolve this problem. Please see

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-040.asp

for more details. Further, one can prevent users from running ad hoc queries by setting DisallowAdhocAccess to 1 for each provider under the following registry key: HKLM\Software\Microsoft\MSSQLServer\Providers\. If the value does not exist already, it can be created as a new DWORD value.
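As an added example (not part of the advisory and not NGSSoftware's code), the following PowerShell script audits every provider subkey under the registry key named above and, when run with -Fix from an elevated prompt, sets DisallowAdhocAccess to 1, creating the DWORD value where it is absent. The default-instance path is the one given in the advisory; the named-instance path in the comments is an assumption.

```powershell
# Added example: audit/harden DisallowAdhocAccess for every OLE DB provider
# registered under the SQL Server Providers key.
# Assumes the default-instance key named in the advisory. Named instances
# (assumption) keep their Providers key under
# HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\<Instance>\Providers
param(
    [string]$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Providers',
    [switch]$Fix   # without -Fix the script only reports the current state
)

$valueName = 'DisallowAdhocAccess'

if (-not (Test-Path -Path $ProvidersKey)) {
    Write-Error "Providers key not found: $ProvidersKey"
    exit 1
}

$report = foreach ($provider in Get-ChildItem -Path $ProvidersKey) {
    # A missing value is read as $null; -ErrorAction keeps the loop going
    $current = (Get-ItemProperty -Path $provider.PSPath -Name $valueName `
                -ErrorAction SilentlyContinue).$valueName

    $state = if ($null -eq $current) { 'missing' }
             elseif ($current -eq 1)  { 'disallowed' }
             else                     { 'allowed' }

    if ($Fix -and $state -ne 'disallowed') {
        if ($null -eq $current) {
            # Value absent: create it as a new DWORD, as the advisory describes
            New-ItemProperty -Path $provider.PSPath -Name $valueName `
                -PropertyType DWord -Value 1 | Out-Null
        } else {
            Set-ItemProperty -Path $provider.PSPath -Name $valueName -Value 1
        }
        $state = 'disallowed (fixed)'
    }

    [pscustomobject]@{ Provider = $provider.PSChildName; AdhocAccess = $state }
}

$report | Format-Table -AutoSize
```

Run without -Fix first to see which providers still permit ad hoc access; the report lists each provider's subkey name alongside its state.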

A check for this vulnerability has been added to Typhon II, NGSSoftware’s vulnerability assessment scanner, about which more information is available from the NGS site, http://www.ngssoftware.com/

Further Information
*******************

For more information regarding SQL Injection please read

http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

and for more information about buffer overflows please read

http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
