List of extended sprocs that are vulnerable? FW: Microsoft Security Bulletin MS02-020

From: Toni Lassila (toni.lassila@mc-europe.com)
Date: Thu Apr 18 2002 - 02:50:53 PDT


    This MS bulletin mentions that several extended stored procedures are
    vulnerable; does anyone have a list, or an idea whether any of these have
    exec permissions for the group 'public' by default?
    
    At least one confirmed case of buffer overflow:
    
    
    > xp_enumgroups '<long string>'
    
    [Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionCheckForData
    (CheckforData()).
    Server: Msg 11, Level 16, State 1, Line 0
    General network error. Check your network documentation.
    
    Connection Broken
    
    
    And in the event log:
    
    Error: 0, Severity: 19, State: 0
    SqlDumpExceptionHandler: Process 53 generated fatal exception c0000005
    EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process. 
    
    Error: 0, Severity: 21, State: 0
    SQL Server is aborting. Fatal exception 0 caught. 
    
    
    SQL Server has to be manually restarted after the second time this crash
    occurs. This is on SQL Server 2000 (8.00.194) with no SPs, running on
    Windows 2000 Server SP2.
    
    HOWEVER, xp_enumgroups requires sysadmin privileges:
    
    "Execute permissions for xp_enumgroups default to members of the db_owner
    fixed database role in the master database and members of the sysadmin
    fixed server role, but can be granted to other users."
    
    So unless you explicitly give this right to some user/login it won't be
    an issue. The sysadmin can crash it anyway. My worry is, there are a
    bunch of other extended stored procs listed in the master DB that might
    have a similar vulnerability but are not restricted as to who can execute them.
    
    If this is indeed the case then the patch is a "must-install" if you
    allow workstations to connect directly and log in to your SQL Server.
    
    
    > -----Original Message-----
    > From: Microsoft
    > [mailto:0_29486_DD755D68-884D-464F-9160-D7BC19343BFF_US@Newsletters.Microsoft.com]
    > Sent: Thursday, April 18, 2002 4:38
    > To: Toni Lassila
    > Subject: Microsoft Security Bulletin MS02-020:SQL Extended Procedure
    > Functions Contain Unchecked Buffers (Q319507)
    > 
    > Issue:
    > ======
    > SQL Server 7.0 and 2000 provide for extended stored procedures,
    > which are external routines written in a programming language such
    > as C. These procedures appear to users as normal stored procedures
    > and are executed in the same way. SQL Server 7.0 and 2000 include
    > a number of extended stored procedures which are used for various
    > helper functions 
    
    -- 
    Toni Lassila        toni.lassila@mc-europe.com
    Operations Engineer           +358 9 5655 1882
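The question raised above (which extended stored procedures in master can be executed by 'public') can be answered directly from the SQL Server 7.0/2000 system tables. The script below is an added example and is not part of the original post or of Microsoft's bulletin; it assumes the SQL Server 7.0/2000 catalog layout (sysobjects.xtype = 'X' marks an extended stored procedure, sysprotects.action = 224 is EXECUTE, protecttype 204/205 are GRANT and 206 is DENY, and the 'public' role is uid 0 in sysusers). It lists the grants and then prints, rather than runs, the matching REVOKE statements so an administrator can review them first.

```sql
-- Added example, not from the original post or Microsoft's bulletin.
-- Assumes SQL Server 7.0/2000 system tables: sysobjects (xtype 'X' = extended
-- stored procedure), sysprotects (action 224 = EXECUTE; protecttype 204/205 =
-- GRANT, 206 = DENY) and sysusers (uid 0 = the 'public' role).
USE master
GO

-- 1. List every extended stored procedure that 'public' has an EXECUTE
--    permission entry for, including explicit DENYs so they are not
--    mistaken for grants.
SELECT o.name AS xproc,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
       END AS permission
FROM sysobjects o
JOIN sysprotects p ON p.id = o.id
JOIN sysusers u ON u.uid = p.uid
WHERE o.xtype = 'X'
  AND p.action = 224
  AND u.name = 'public'
ORDER BY o.name
GO

-- 2. Generate (but do not execute) a REVOKE statement for each actual grant,
--    so the list can be checked against application needs before applying.
DECLARE @xproc sysname
DECLARE public_xp CURSOR FOR
    SELECT o.name
    FROM sysobjects o
    JOIN sysprotects p ON p.id = o.id
    JOIN sysusers u ON u.uid = p.uid
    WHERE o.xtype = 'X'
      AND p.action = 224
      AND u.name = 'public'
      AND p.protecttype IN (204, 205)   -- grants only, skip DENY rows
OPEN public_xp
FETCH NEXT FROM public_xp INTO @xproc
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets the name so odd identifiers stay well-formed.
    PRINT 'REVOKE EXECUTE ON ' + QUOTENAME(@xproc) + ' FROM public'
    FETCH NEXT FROM public_xp INTO @xproc
END
CLOSE public_xp
DEALLOCATE public_xp
GO
```

Run it as a sysadmin (for example from Query Analyzer) against master. Revoking EXECUTE from public on an extended procedure removes that path for every ordinary login, but some applications and maintenance jobs rely on particular extended procedures, so check the printed list against what your applications actually call before running the REVOKEs, and apply the MS02-020 patch regardless, since sysadmin-level callers are still exposed.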
    



    This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 18:39:53 PDT