From: c c (cesarc56yahoo.com)
Date: Tue Mar 05 2002 - 10:20:04 CST


    Security Advisory

    Name : Another Sql Server 7 Buffer Overflow
    System Affected : Sql Server 7 all service packs and fixes, ver. 7.00.1021
    Severity : High.
    Remote Exploit: Yes
    Author: Cesar Cerrudo.
    Date: 03/05/2002
    Advisory Number: CC030202

    Description :

    The extended stored procedure xp_dirtree allows ALL
    users to retrieve the subdirectory structure of a
    given drive or folder.

    Details :

    The buffer overflow occurs when an overly long string
    is supplied :

    xp_dirtree 'XXXXXX...'----> many, many X's

    I did some tests and it seems that in that way it is hard
    or impossible to exploit. But if you pass the parameter
    as Unicode :

    xp_dirtree N'XXXXXX...'----> many, many X's

    then you can crash the server and exploit the buffer
    overflow. Unicode buffer overflows are a bit harder to
    exploit but not impossible.

    Patch Available:
    NONE

    Workaround:
    Drop the extended stored procedure and its DLL.
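
    As an added illustration of this workaround (not part of the original advisory), the following T-SQL for SQL Server 7 lists the xp_dirtree registration and the DLL that backs it, shows who holds EXECUTE on it, revokes the default grant to public as a least-privilege first step, drops the registration with sp_dropextendedproc, and then verifies that the object is gone. The DLL name xpstar.dll in the comments is an assumption about what SQL Server 7 ships; take the actual file name from the sp_helpextendedproc output.

```sql
-- Added example, not from the advisory: apply and verify the xp_dirtree workaround on SQL Server 7.
USE master
GO

-- 1. Show the registration and the DLL that implements it (assumed to be xpstar.dll on SQL Server 7).
EXEC sp_helpextendedproc 'xp_dirtree'
GO

-- 2. Show which users and roles can run it; by default EXECUTE is granted to public.
EXEC sp_helprotect 'xp_dirtree'
GO

-- 3. Least-privilege first step: stop ordinary logins from reaching the procedure at all.
REVOKE EXECUTE ON xp_dirtree FROM public
GO

-- 4. Remove the registration, as the advisory recommends.
EXEC sp_dropextendedproc 'xp_dirtree'
GO

-- 5. Confirm it is gone: xtype 'X' marks extended stored procedures, so this should return no rows.
SELECT name FROM sysobjects WHERE name = 'xp_dirtree' AND xtype = 'X'
GO
```

    Dropping the registration does not unload the DLL from the running server; it stays mapped until it is released with `DBCC dllname (FREE)` or the service is restarted, and only then can the file itself be renamed or removed from disk so that nobody can re-register it.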

    Vendor Status :
    Microsoft was not contacted.

    --------------->More coming soon...<-----------------

    Important Note to security researchers:
     I'm doing some research in Sql Server security and I
    have found many, many interesting things (vulns,
    overflows, etc.), but I don't have the proper
    equipment nor systems and PCs to do extensive tests.
    So people who are interested in doing research in Sql
    Server and have the knowledge and resources, feel free
    to contact me.

    Cesar Cerrudo.
    cesarc56yahoo.com
