Another Sql Server 7 Buffer Overflow

From: c c (cesarc56at_private)
Date: Tue Mar 05 2002 - 08:20:04 PST

    
    Security Advisory
    
    Name : Another Sql Server 7 Buffer Overflow
    System Affected : Sql Server 7 all service packs and
    fixes, ver. 7.00.1021
    Severity : High.
    Remote Exploit: Yes
    Author:  Cesar Cerrudo.
    Date:    03/05/2002 
    Advisory Number:  CC030202
    
    
    Description :
    
    The extended stored procedure xp_dirtree allows ALL
    users to retrieve the subdirectory structure of a
    given drive or folder.
    
    Details :
    
    The buffer overflow occurs when an overly long string
    is supplied:
    
    xp_dirtree 'XXXXXX...'----> many, many X's
    
    I did some tests and it seems that in that way it is hard
    or impossible to exploit. But if you pass the parameter
    as Unicode:
    
    xp_dirtree N'XXXXXX...'----> many, many X's
    
    then you can crash the server and exploit the buffer
    overflow. Unicode buffer overflows are a bit harder to
    exploit but not impossible.
    
    
    Patch Available: 
    NONE
    
    Workaround: 
    Drop the extended stored procedure and its DLL.
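The following T-SQL is an added illustration of the workaround above; it is not part of the original advisory and is not Cesar Cerrudo's code. It assumes the documented SQL Server 7.0 system procedures sp_helpextendedproc and sp_dropextendedproc, run by a sysadmin in the master database. The advisory does not name the backing DLL, so the script first looks it up rather than assuming one.

```sql
-- Added example (not from the advisory): hardening steps for xp_dirtree.
-- Assumes SQL Server 7.0, sysadmin rights, and the system procedures
-- sp_helpextendedproc / sp_dropextendedproc as documented by Microsoft.
USE master
GO

-- 1. Record which DLL backs xp_dirtree before changing anything. The
--    dll_name column tells you what "its DLL" in the advisory refers to;
--    other extended procedures may share that DLL, so weigh an OS-level
--    removal of the file against what else it would break.
EXEC sp_helpextendedproc 'xp_dirtree'
GO

-- 2. Least-privilege interim step: the advisory's point is that ALL
--    users can reach this entry point. Revoking EXECUTE from public
--    removes that reachability without touching the server catalog.
REVOKE EXECUTE ON xp_dirtree FROM public
GO

-- 3. The workaround itself: unregister the extended procedure so the
--    native entry point can no longer be invoked through T-SQL at all.
EXEC sp_dropextendedproc 'xp_dirtree'
GO

-- 4. Verify: sp_helpextendedproc should no longer list xp_dirtree.
EXEC sp_helpextendedproc 'xp_dirtree'
GO
```

Step 2 is worth keeping even after step 3 is applied elsewhere, because it is reversible and can be rolled out first while you confirm that no client tooling that browses the server's file system depends on xp_dirtree; test on a non-production instance before dropping the procedure.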
    
    Vendor Status :
    Microsoft was not contacted.
    
    --------------->More coming soon...<-----------------
    
    Important Note to security researchers:
     I'm doing some research in Sql Server security and I
    have found many, many interesting things (vulns,
    overflows, etc.), but I don't have the proper
    equipment nor systems and PCs to do extensive tests.
    So, people who are interested in doing research in Sql
    Server and have the knowledge and resources, feel free
    to contact me.
    
    Cesar Cerrudo.
    cesarc56at_private
    
    
    



    This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 13:35:28 PST