Lumigent Log Explorer buffer overflow
Credit:
This vulnerability was researched and discovered by Martin Rakhmanoff (jimmers@yandex.ru).
June 17, 2002
To determine if your Microsoft SQL Server installations have this
vulnerability, download AppDetective for Microsoft SQL Server from:
http://www.appsecinc.com/products/appdetective/mssql/
Risk level: Low
Summary:
Log Explorer, brought to you by Lumigent Technologies, Inc.
(http://www.lumigent.com), is a third-party database tool that audits
database activity via the Microsoft SQL Server transaction log. Log Explorer
installs several extended stored procedures. Some of these extended stored
procedures do not allocate memory properly and contain buffer overflows.
Details:
Log Explorer is a tool provided by Lumigent that can be used to analyze the
transaction logs of Microsoft SQL Server. Log Explorer uses extended stored
procedures to perform some of its functionality. Three of these extended
stored procedures do not properly allocate memory before writing to it.
Maliciously crafted parameters could result in buffer overflows, possibly
overwriting the saved return address on the stack and executing arbitrary code.
The three extended stored procedures which are vulnerable to buffer
overflows in Log Explorer are xp_logattach_StartProf, xp_logattach_setport,
and xp_logattach. These procedures are implemented in the file
xp_logattach.dll and do not properly allocate enough memory when called with
a long string as one of the parameters. This causes the stack to be
overwritten and allows an attacker to inject code onto the stack to be
executed.
The following examples demonstrate these buffer overflows:
declare @test varchar(8000)
select @test = replicate('X', 800)
execute master.dbo.xp_logattach_StartProf @test
go
declare @test varchar(8000)
select @test = replicate('X', 800)
execute master.dbo.xp_logattach_setport @test
go
declare @test varchar(8000)
select @test = replicate('X', 800)
execute master.dbo.xp_logattach @test
go
By default, only the dbo user in the master database may execute these
extended stored procedures. It is recommended that you do not grant
permissions to execute these procedures to non-admin users. These
vulnerabilities can be used by the database administrator to gain full
control of the operating system.
Fix:
Contact the vendor for a patch or fixed version. Lumigent can be contacted
through their web site http://www.lumigent.com/Corporate/contact.htm or
through telephone at 866-586-4436 (Toll Free).
Until a patch is available, it is recommended that you do not grant
privileges to execute these functions to any non-admin users.
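As an added check that is not part of the original advisory, the following T-SQL lists every user that has been granted EXECUTE on the three procedures named above and generates the matching REVOKE statements for review; it assumes the SQL Server 2000 system catalog (sysobjects, sysprotects, sysusers), where action 224 is EXECUTE and protecttype 206 is DENY.

```sql
-- Added example, not part of the Lumigent advisory or product.
-- Assumes SQL Server 2000 system tables in the master database.
USE master
GO

-- 1. Confirm whether the vulnerable procedures are still registered
--    and which DLL backs them (sp_helpextendedproc is a stock procedure).
EXEC sp_helpextendedproc 'xp_logattach'
EXEC sp_helpextendedproc 'xp_logattach_setport'
EXEC sp_helpextendedproc 'xp_logattach_StartProf'
GO

-- 2. Who holds EXECUTE on them? Anything beyond dbo is a deviation
--    from the default described in the advisory.
SELECT  o.name AS procedure_name,
        u.name AS grantee,
        CASE p.protecttype WHEN 206 THEN 'DENY' ELSE 'GRANT' END AS state
FROM    sysprotects p
        JOIN sysobjects o ON o.id  = p.id
        JOIN sysusers   u ON u.uid = p.uid
WHERE   o.xtype = 'X'                       -- extended stored procedure
  AND   o.name IN ('xp_logattach',
                   'xp_logattach_setport',
                   'xp_logattach_StartProf')
  AND   p.action = 224                      -- 224 = EXECUTE
ORDER BY o.name, u.name
GO

-- 3. Generate REVOKE statements for every explicit GRANT found above
--    (review the output, then run the lines you agree with).
SELECT  'REVOKE EXECUTE ON ' + o.name + ' FROM [' + u.name + ']'
        AS revoke_statement
FROM    sysprotects p
        JOIN sysobjects o ON o.id  = p.id
        JOIN sysusers   u ON u.uid = p.uid
WHERE   o.xtype = 'X'
  AND   o.name IN ('xp_logattach',
                   'xp_logattach_setport',
                   'xp_logattach_StartProf')
  AND   p.action = 224
  AND   p.protecttype <> 206                -- keep existing DENYs in place
GO
```

An empty result from step 2 means only implicit owner access remains, which matches the default described above.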
If these procedures are not needed, or if it is desirable to protect the
operating system from the database administrator, it is recommended you
remove these extended stored procedures. The following code will drop the
extended stored procedures:
use master
go
drop procedure xp_logattach_StartProf
go
drop procedure xp_logattach_setport
go
drop procedure xp_logattach
go