BULK INSERT buffer overflow
July 11, 2002
To determine if your Microsoft SQL Server installations have this
vulnerability, download AppDetective™ for Microsoft SQL Server from:
http://www.appsecinc.com/products/appdetective/mssql/
Risk Level: Low
Summary:
The built-in function BULK INSERT contains a buffer overflow that may allow an attacker to
overwrite the stack and execute arbitrary code under the security context of the database.
The first parameter of BULK INSERT does not properly handle a long string.
Details:
Microsoft SQL Server provides a built-in function called BULK INSERT which allows data to
be uploaded from a file directly to a table.
The function BULK INSERT does not properly allocate enough memory when called with a
long string as the file from which to load. This causes the stack to be overwritten and
allows an attacker to inject code onto the stack to be executed.
Below is an example of overflowing the stack.
Code examples:
-- the overflow triggers when a string longer than 514 characters is passed in the FROM clause
BULK INSERT [table name] FROM 'XXXX[514+]'
BULK INSERT can only be executed by database or object owners. As such, this buffer overflow
only allows escalation of privileges from a database or object owner to full database administrator privileges.
Fix:
To fix this problem, you should install the hot fix from Microsoft.
For SQL Server 7.0, no patch is available. Running BULK INSERT on SQL Server 7.0
requires administrative privileges, so the risk is mitigated.
For SQL Server 2000, install one of the following:
- Service Pack 3 (not yet released) or greater
- Hot fix 8.00.0650 on top of Service Pack 2
The hot fix can be downloaded from http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&
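As an added example (not part of the original advisory), the following Python flags BULK INSERT statements in captured SQL text whose FROM literal exceeds the 514-character limit quoted in the code example above, and checks a reported SQL Server 2000 ProductVersion string against the 8.00.0650 hot-fix build named in the Fix section. The trace lines are constructed sample input.

```python
import re

# Build that carries the BULK INSERT hot fix, as stated in the advisory's Fix section.
PATCHED_BUILD = (8, 0, 650)
# FROM-clause literals longer than this trip the overflow, per the advisory.
MAX_SAFE_PATH_LEN = 514

# Matches: BULK INSERT <table> FROM '<literal>'. The table may be [bracketed],
# "quoted" or multi-part; the literal may contain doubled single quotes ('').
_BULK_INSERT_RE = re.compile(
    r"\bBULK\s+INSERT\s+(?P<table>(?:\[[^\]]*\]|\"[^\"]*\"|[^\s'\"\[])+)"
    r"\s+FROM\s+'(?P<path>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)


def bulk_insert_path(stmt: str):
    """Return the FROM-clause literal of a BULK INSERT statement (unescaped), or None."""
    m = _BULK_INSERT_RE.search(stmt)
    if not m:
        return None
    return m.group("path").replace("''", "'")


def is_overlong_bulk_insert(stmt: str, limit: int = MAX_SAFE_PATH_LEN) -> bool:
    """True if the statement's FROM literal exceeds the advisory's 514-character limit."""
    path = bulk_insert_path(stmt)
    return path is not None and len(path) > limit


def build_is_patched(product_version: str) -> bool:
    """Compare a ProductVersion string such as '8.00.0650' to the hot-fix build.

    SQL Server 7.0 builds (7.xx) compare lower and are reported unpatched,
    matching the advisory's note that no 7.0 patch exists.
    """
    parts = tuple(int(p) for p in product_version.strip().split(".")[:3])
    return parts >= PATCHED_BUILD


# Constructed sample trace text (not from the advisory), one statement per line.
SAMPLE_TRACE = [
    "BULK INSERT dbo.Orders FROM 'C:\\data\\orders.txt' WITH (FIELDTERMINATOR = ',')",
    "BULK INSERT [Order Details] FROM '" + "X" * 600 + "'",
    "SELECT * FROM Orders",
]


def flag_overlong(lines):
    """Return indexes of trace lines whose BULK INSERT FROM literal exceeds the limit."""
    return [i for i, line in enumerate(lines) if is_overlong_bulk_insert(line)]
```

Feeding the function a server's trace or audit output (one statement per line) surfaces attempts to pass an over-length path; the version check tells you whether the instance still needs the hot fix.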
Credit:
This vulnerability was researched and discovered by Cesar Cerrudo (cesarc56@yahoo.com).
Additional information:
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp