Using these to run SQL is normally limited to privileged users. Unfortunately, these three extended stored procedures contain vulnerabilities that allow a low-privileged user to do the same. You can get a patch from Microsoft for these vulnerabilities at www.microsoft.com/technet/security/bulletin/MS02-043.mspx. Interestingly enough, I did a search on Google for these strings, and apart from the many vulnerability notices, I didn't find a single link to someone describing actual usage, so hopefully there aren't too many of you out there relying on these undocumented features.
Another patch you should apply for extended stored procedures addresses a buffer overflow vulnerability. From the amount of bad press they have received, you would think that extended stored procedures contain more buffer overflows than other built-in procedures and functions. In fact, the long list of affected procedures is the result of a few vulnerabilities in shared helper code that many of these procedures "reuse", so one flaw shows up under many names.
srv_paraminfo() is a common function used to parse input parameters for extended procedures. The signature for this function is:

    int srv_paraminfo (
        SRV_PROC * srvproc,
        int n,
        BYTE * pbType,
        ULONG * pcbMaxLen,
        ULONG * pcbActualLen,
        BYTE * pbData,
        BOOL * pfNull );
This function has a flaw that can result in a buffer overflow condition. The function is designed to locate the nth parameter in the call and copy it into a buffer (pbData) provided by the extended procedure. By design, the function does not provide a way for an extended procedure to indicate the length of that buffer; instead, the extended procedure is expected to ensure that the buffer is large enough to hold the parameter before calling. However, not all extended procedures shipped by default with SQL Server perform this check. A malicious user who passes a sufficiently long parameter to an affected extended procedure can overflow the buffer the procedure supplied, and thereby either crash the SQL Server service or execute arbitrary code in its security context.
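The following is an added example and not code from the book or from Microsoft's Open Data Services library. It uses a constructed stand-in for SRV_PROC and srv_paraminfo() that mimics the behaviour described above (the nth parameter is copied into pbData with no knowledge of how large pbData is) and shows the vulnerable single-call pattern beside a hardened one. The hardened version assumes, as the ODS documentation describes for the real function, that calling srv_paraminfo() with pbData == NULL returns only the lengths without copying, so the caller can size or reject before the second call. The type code SRVVARCHAR, the 32-byte buffer size and the sample parameter values are all assumed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the ODS types. NOT the real srv.h. */
typedef unsigned char BYTE;
typedef unsigned long ULONG;
typedef int BOOL;
#define SRVVARCHAR 0x27          /* assumed type code for the demo */

typedef struct {
    int nparams;
    const char *params[8];       /* parameter values; the API numbers them from 1 */
} SRV_PROC;

/* Mock of srv_paraminfo(): copies parameter n into pbData with no bound,
 * exactly the contract the text describes. pbData == NULL -> lengths only
 * (assumed to match the real API's documented behaviour). */
int srv_paraminfo(SRV_PROC *srvproc, int n, BYTE *pbType, ULONG *pcbMaxLen,
                  ULONG *pcbActualLen, BYTE *pbData, BOOL *pfNull)
{
    if (n < 1 || n > srvproc->nparams) return 0;      /* FAIL */
    const char *v = srvproc->params[n - 1];
    *pbType = SRVVARCHAR;
    *pcbMaxLen = 8000;
    *pcbActualLen = v ? (ULONG)strlen(v) : 0;
    *pfNull = (v == NULL);
    if (pbData && v)
        memcpy(pbData, v, *pcbActualLen);            /* caller must have sized pbData */
    return 1;                                         /* SUCCEED */
}

#define BUF_SIZE 32

/* Deliberately vulnerable pattern: fixed-size buffer, one call, no length check.
 * To keep the demo itself memory-safe, buf is the first BUF_SIZE bytes of a
 * larger heap block; everything after it stands in for whatever would really
 * follow the buffer on the stack. Returns how many bytes landed past buf. */
size_t xp_vulnerable(SRV_PROC *p, int n)
{
    enum { BEYOND = 512 };
    char *region = calloc(1, BUF_SIZE + BEYOND);
    char *buf = region;                  /* the procedure's "char buf[BUF_SIZE]" */
    BYTE type; ULONG maxlen, actual; BOOL isnull;
    size_t clobbered = 0;
    if (region && srv_paraminfo(p, n, &type, &maxlen, &actual, (BYTE *)buf, &isnull))
        for (size_t i = BUF_SIZE; i < BUF_SIZE + BEYOND; i++)
            if (region[i] != 0) clobbered++;
    free(region);
    return clobbered;
}

/* Hardened pattern: ask for the length first, then refuse anything that
 * does not fit (or allocate actual+1 bytes) before letting it be copied.
 * Returns the copied length, 0 for NULL, -1 on API failure, -2 if too long. */
int xp_safe(SRV_PROC *p, int n, char *out, size_t cap)
{
    BYTE type; ULONG maxlen, actual; BOOL isnull;
    if (!srv_paraminfo(p, n, &type, &maxlen, &actual, NULL, &isnull)) return -1;
    if (isnull) { out[0] = '\0'; return 0; }
    if ((size_t)actual + 1 > cap) return -2;          /* would overflow: reject */
    if (!srv_paraminfo(p, n, &type, &maxlen, &actual, (BYTE *)out, &isnull)) return -1;
    out[actual] = '\0';
    return (int)actual;
}

/* Constructed oversized parameter: 200 bytes of 'A'. */
const char *long_param(void)
{
    static char g[201];
    memset(g, 'A', 200);
    g[200] = '\0';
    return g;
}

int main(void)
{
    SRV_PROC p = { 2, { "short", long_param() } };    /* constructed input */
    char out[BUF_SIZE];
    printf("safe, param 1: rc=%d value=\"%s\"\n", xp_safe(&p, 1, out, sizeof out), out);
    printf("safe, param 2: rc=%d (rejected)\n", xp_safe(&p, 2, out, sizeof out));
    printf("vulnerable, param 2: %zu bytes written past the buffer\n", xp_vulnerable(&p, 2));
    return 0;
}
```

The important point is the shape of xp_safe(): because pcbMaxLen is an output describing the parameter's type, not an input limit, the only defence the API offers is to query pcbActualLen before handing over a buffer. Any extended procedure you write yourself should follow that two-call pattern; the patch fixes the ones Microsoft ships, not your own.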
The following extended procedures are all affected by the srv_paraminfo() vulnerability:

xp_controlqueueservice