@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Multiple format string vulnerabilities in SQL Server
Release Date: 12/20/2001
Application: SQL Server 7.0 and 2000
Platform: Windows NT 4.0, 2000, XP
Severity: An authenticated user of the database can execute arbitrary code or cause a denial of service to the server
Author: Chris Anley [chrisanley@hushmail.com]
        Chris Wysopal [cwysopal@atstake.com]
Vendor Status: Vendor has bulletin and patch
CVE Candidate: CAN-2001-0542
Reference: www.atstake.com/research/advisories/2001/a122001-1.txt

Overview:

This advisory describes multiple vulnerabilities in Microsoft SQL Server 7.0 and 2000 that allow an attacker to run arbitrary code on the SQL Server in the context of the account that SQL Server is running under (normally an administrator).

A common attack scenario is to use web application vulnerabilities to send arbitrary queries to a backend SQL Server that is otherwise protected from direct attack via the internet. More information detailing this type of attack, known as SQL Command Injection, is available at:
http://www.owasp.org/asac/input_validation/sql.shtml

Description:

SQL Server provides built-in functions for the formatting of error messages based on C-style format specifiers. These built-in functions are accessible to all users. Providing maliciously crafted input to these functions results in exploitable error conditions in the SQL Server process.

The raiserror() function is accessible to all users, and permits the specification of an overly long length specifier. This results in an exploitable overflow. Additionally, format string specifiers can be used, enabling an attacker to overwrite an arbitrary address in memory. This can result in the execution of arbitrary code.

The formatmessage() built-in function is accessible to all users. By creating specifically crafted messages any user can subsequently cause malicious code contained in the message to be executed.
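As an added example (not part of the @stake advisory), the following Python check runs over recorded T-SQL statements and flags the two conditions described in this advisory for the format-consuming routines it covers: an overly long length specifier in the format text, and more format directives than supplied arguments. The argument layout table, the 64-character width threshold, the use of sp_addmessage as the route by which a crafted message reaches formatmessage, and the sample trace lines are assumptions.

```python
import re
# Routines from the advisory that consume a printf-style format, mapped to
# (format argument index, fixed leading args; None = text stored for formatmessage). Assumed.
FORMAT_FUNCS = {
    "raiserror":     (0, 3),     # raiserror(fmt, severity, state, args...)
    "xp_sprintf":    (1, 2),     # xp_sprintf @out OUTPUT, fmt, args...
    "sp_addmessage": (2, None),  # sp_addmessage msg_id, severity, msgtext
}
CALL_RE = re.compile(r"\b(raiserror|xp_sprintf|sp_addmessage)\b\s*\(?", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"%[-+ #0]*(\d+)?(?:\.(\d+))?[a-zA-Z]")  # flags, width, .prec, conv
MAX_WIDTH = 64  # assumed threshold; legitimate messages never pad this widely

def split_args(text):
    """Split a T-SQL argument list on top-level commas, honouring '...' literals."""
    args, cur, in_str = [], "", False
    for ch in text:
        if ch == "'":
            in_str = not in_str  # a doubled '' toggles twice and stays inside
        if ch == "," and not in_str:
            args.append(cur.strip()); cur = ""
        else:
            cur += ch
    return args + [cur.strip()] if cur.strip() else args

def inspect_statement(sql):
    """Return (routine, reason, detail) findings for one recorded statement."""
    if not (m := CALL_RE.search(sql)):
        return []
    func = m.group(1).lower()
    fmt_idx, fixed = FORMAT_FUNCS[func]
    args = split_args(sql[m.end():].rstrip(" ;)"))
    if len(args) <= fmt_idx or not args[fmt_idx].startswith("'"):
        return []  # format held in a variable; cannot be judged statically
    fmt = args[fmt_idx].replace("%%", "")  # an escaped percent is no directive
    directives = list(DIRECTIVE_RE.finditer(fmt))
    findings = [(func, "oversized length specifier", d.group(0))
                for d in directives for v in (d.group(1), d.group(2))
                if v and int(v) > MAX_WIDTH]
    if fixed is not None and len(directives) > len(args) - fixed:
        findings.append((func, "more directives than arguments", args[fmt_idx]))
    return findings

# Constructed sample of recorded statements, not real traffic.
SAMPLE_TRACE = [
    "RAISERROR('Order %d shipped to %s', 10, 1, 42, 'London')",
    "RAISERROR('Order %99999d shipped', 10, 1, 42)",
    "EXEC master..xp_sprintf @out OUTPUT, 'Hello %s %s %s', 'a'",
    "EXEC sp_addmessage 50001, 16, 'User %s logged in with %8192s'",
    "SELECT name FROM sysobjects WHERE name LIKE 'it''s 100% %s'",
]
```

Only the second, third and fourth sample statements produce findings; the benign raiserror call and the LIKE pattern, which carries a literal percent outside any format routine, pass unflagged.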
The xp_sprintf extended stored procedure (which is accessible to the 'public' role by default) permits the specification of overly long length specifiers. This results in an exploitable overflow.

Vendor Response:

The vendor has issued a bulletin on this issue:
http://www.microsoft.com/technet/security/bulletin/MS01-060.asp

The vendor has made patches available:

SQL Server:
  SQL Server 7.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=35066
  SQL Server 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=35067

C Runtime:
  Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33500
  Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33500
  Windows XP: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=35023

Recommendations:

Apply the vendor patches.

Do not permit direct connections to SQL Server by untrusted users. This can be achieved by:
  - Removing all unused connection 'protocols' using the SQL Server Network Utility
  - Using network packet filtering devices
  - Configuring Windows 2000 IP Security filters on the SQL Server to permit only trusted connections

If the SQL Server is being connected to from an application server or web server farm, ensure that appropriate server side input validation is in place. Specifically, ensure that users cannot insert SQL commands into input data by specifying the ' character (among others). Countermeasures are detailed here:
http://www.owasp.org/asac/input_validation/sql.shtml

Essentially, the aim is to permit only input that is explicitly known to be 'good' and reject all other input.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
SQL Server vulnerability: CAN-2001-0542

For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.