Reported December 1, 2000 by @Stake

VERSIONS AFFECTED
  • SQL Server 2000

DESCRIPTION

Multiple vulnerabilities have been discovered in Microsoft SQL Server 2000. Several extended stored procedures shipped with SQL Server 2000 are vulnerable to buffer overflows, and these let an attacker run arbitrary code on the SQL Server system in the context of a local administrator.

DEMONSTRATION

The following extended stored procedures have been found to be vulnerable: xp_peekqueue (xpqueue.dll) and xp_printstatements (xprepl.dll).

The following query will return a directory tree of C:\WinNT:

exec xp_dirtree 'C:\winnt'

If a malicious user were to pass extremely long strings in place of these parameters, a buffer overflow will occur.
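An added mitigation check, not part of the @Stake advisory: the T-SQL below lists which extended stored procedures are exported from the two DLLs named above, shows who currently holds EXECUTE on the two named procedures, and withdraws the PUBLIC execute right on them until the vendor fix is applied. It assumes sysadmin access to a SQL Server 2000 instance and that the procedure and DLL names given in the advisory are exact.

```sql
-- Added example (not from the advisory). Run as sysadmin on SQL Server 2000.
USE master
GO

-- 1. Enumerate every extended stored procedure backed by the DLLs the
--    advisory names. sp_helpextendedproc returns two columns: name, dll.
CREATE TABLE #xps (name sysname, dll nvarchar(255))
INSERT #xps EXEC sp_helpextendedproc

SELECT name, dll
FROM #xps
WHERE dll LIKE '%xpqueue.dll' OR dll LIKE '%xprepl.dll'
GO

-- 2. Show which logins/roles can currently execute the two procedures
--    named in the advisory (sysadmin members bypass these grants anyway).
EXEC sp_helprotect 'xp_peekqueue'
EXEC sp_helprotect 'xp_printstatements'
GO

-- 3. Withdraw EXECUTE from public so a low-privileged login can no longer
--    reach the affected code with an over-long parameter; re-run step 2
--    afterwards to confirm only the expected principals remain.
REVOKE EXECUTE ON xp_peekqueue FROM public
REVOKE EXECUTE ON xp_printstatements FROM public
GO

DROP TABLE #xps
GO
```

Step 1 is broader than the two procedures the advisory lists: it surfaces any other entry point from the same DLLs so they can be reviewed against the vendor bulletin.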

VENDOR RESPONSE

Microsoft has issued security bulletin MS00-092, available at:

http://support.microsoft.com/support/sql/xp_security.asp

CREDIT
Discovered by
@Stake