J-Security Center

Title: Microsoft SQL Server / Data Engine xp_enumresultset Buffer Overflow Vulnerability

Severity: MODERATE

Description:

The API Srv_paraminfo(), which is implemented by Extended Stored Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible to a buffer overflow vulnerability which may cause the application to fail or arbitrary code to be executed on the target system depending on the data entered into the buffer.

XPs are DLL files that perform high level functions in SQL Server. When called, they invoke a function called Srv_paraminfo() to parse the input parameters.

A vulnerability lies in Srv_paraminfo() and the fact that it does not check the length of the parameter string that an XP passes to it. If an attacker can pass an overly long string to the XP xp_enumresultset, a buffer overflow can occur due to an unsafe memory copy. This can cause SQL Server to crash.

It may also be possible for attackers to execute arbitrary code on the host running SQL Server. The attacker would need to overwrite the return address of the calling function with the address of supplied shellcode in memory. This shellcode would be executed under the context of the account that the SQL Server service was configured to run under. The minimum privilege level that the account would have to possess are SYSTEM privileges.

This vulnerability is confined to those who can successfully log onto the SQL server.

Affected Products:

  • Affymetrix Microarray Suite Software 5.0.0
  • Affymetrix Microarray Suite Software 5.0.1
  • Akiva WebBoard 6.1.0
  • Altiris Deployment Server 5.0.1
  • Altiris Deployment Server 5.5.0
  • BindView bv-Admin for Microsoft Exchange
  • BindView bv-Admin for Windows 7.0.0
  • BindView bv-Admin for Windows Migration
  • BindView bv-Control for Internet Security 7.0.1
  • BindView bv-Control for Microsoft Exchange 7.0.0
  • BindView bv-Control for Microsoft SQL Server 7.0.0
  • BindView bv-Control for Microsoft SQL Server 7.0.1
  • BindView bv-Control for Windows 7.0.2
  • BindView bv-control for Active Directory 7.0.2
  • CARI-RUSCO Secure Perfect 3.0.0
  • CCH Equity Compliance Insider Reporting Module
  • CSIRO BioLink Software 1.5.0
  • Centennial UK Ltd Centennial Discovery 4.4.0
  • Collins Medical Plus 2000
  • Compaq Insight Manager 7.0.0
  • Compaq Insight Manager 7.0.0 SP1
  • Computer Associates Unicenter
  • Computer Associates Unicenter RC/Update 6.0.0
  • Computer Associates Unicenter RC/Update 6.1.0
  • DATA.TXT Corporation Time Matters 3.0.0
  • DATA.TXT Corporation Time Matters 4.0.0
  • Dell OpenManage IT Assistant 5.0.0
  • Dell OpenManage IT Assistant 6.0.0
  • Express Metrix Express Software Manager 5.0.0
  • Express Metrix Express Software Manager 6.0.0
  • Express Metrix Express Software Manager 6.0.1
  • Express Metrix Express Software Manager 6.0.2
  • Fluke Networks Optiview Network Inspector 5.0.0
  • Gerber Technology WebPDM 3.9.0
  • HP Openview Internet Services 4.0.0
  • HP Openview Internet Services 4.5.0
  • HP Openview Operations for Windows 6.0.0
  • HP Openview Operations for Windows 7.0.0
  • HP Openview Operations for Windows 7.1.0
  • HP Openview Reporter 2.0.2
  • HP Openview Reporter 3.0.0
  • ISI Infortel for Windows 4.0.0
  • ISI Infortel for Windows 5.1.0
  • ISI Infortel for Windows 5.2.0
  • ISI Infortel for Windows 5.4.0
  • Journyx Timesheet 2.0.0
  • Journyx Timesheet 4.5.0
  • Journyx Timesheet 4.5.0 m2
  • Journyx Timesheet 4.5.0 m3
  • Journyx Timesheet 4.6.0
  • Journyx Timesheet 5.0.0
  • MIP NonProfit Series Pro 4.3.0
  • MIP NonProfit Series Pro 4.4.0
  • MIP NonProfit Series Pro 4.5.0
  • McAfee ePolicy Orchestrator 1.0.0
  • McAfee ePolicy Orchestrator 1.1.0
  • McAfee ePolicy Orchestrator 2.0.0
  • McAfee ePolicy Orchestrator 2.5.0
  • McAfee ePolicy Orchestrator 2.5.0 SP1
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 SP1
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework SDK 1.0
  • Microsoft Application Center 2000
  • Microsoft Biztalk Server 2002 Partner Edition
  • Microsoft Data Engine (MSDE) 1.0
  • Microsoft Data Engine 2000
  • Microsoft FrontPage 2000 Server Extensions SR 1.0
  • Microsoft FrontPage 2000 Server Extensions SR 1.1
  • Microsoft FrontPage 2000 Server Extensions SR 1.2
  • Microsoft FrontPage 2000 Server Extensions SR 1.3
  • Microsoft Great Plains 5.0
  • Microsoft Great Plains 5.5
  • Microsoft Great Plains 5.5.1
  • Microsoft Great Plains 7.0
  • Microsoft Office 2000
  • Microsoft Office 2000 Chinese Version
  • Microsoft Office 2000 Japanese Version
  • Microsoft Office 2000 Korean Version
  • Microsoft Office 2000 SP1
  • Microsoft Office 2000 SP2
  • Microsoft Office 2000 SP2
  • Microsoft Office XP
  • Microsoft Office XP Developer Edition
  • Microsoft Office XP SP1
  • Microsoft Project Central Server
  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2000 SP1
  • Microsoft SQL Server 2000 SP2
  • Microsoft SQL Server 2000 SP3
  • Microsoft SQL Server 7.0
  • Microsoft SharePoint Portal Server 2001
  • Microsoft SharePoint Portal Server 2001 SP1
  • Microsoft SharePoint Team Services from Microsoft
  • Microsoft Visio 2000 Enterprise Edition
  • Microsoft Visio Enterprise Network Tools
  • Microsoft Visual FoxPro 6.0
  • Microsoft Visual FoxPro 7.0
  • Microsoft Visual FoxPro 7.0 SP1
  • Microsoft Visual Studio .NET Academic Edition
  • Microsoft Visual Studio .NET Enterprise Architect Edition
  • Microsoft Visual Studio .NET Enterprise Developer Edition
  • Microsoft Visual Studio .NET Professional Edition
  • Microsoft Visual Studio .NET Trial Edition
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows XP Embedded
  • Microsoft Windows XP Embedded SP1
  • NetSupport NetSupport TCO 4.5.0
  • NetSupport NetSupport TCO 4.5.1
  • Network Associates SupportMagic SQL 4.5.0
  • Okena StormWatch
  • PPM 2000 Incident Reporting and Investigation Management 5.1.0
  • Peachtree Software Timeslips 10.0.0
  • Peachtree Software Timeslips 11.0.0
  • Peachtree Software Timeslips 6.0.0
  • Peachtree Software Timeslips 7.0.0
  • Peachtree Software Timeslips 8.0.0
  • Peachtree Software Timeslips 9.0.0
  • Peachtree Software Timeslips 9.0.0
  • PowerQuest ControlCenter ST 2.0.0
  • QiNetix CommVault Galaxy 4.0.1
  • Research In Motion Blackberry Enterprise Server 2.0.0 .0.65
  • SalesLogix Corporation SalesLogix 2000.0.0
  • SmartMax Software MailMax 5.0.0
  • TeleStream FlipFactory 1.2.0
  • TeleStream FlipFactory 2.0.0
  • TeleStream FlipFactory 3.0.0
  • Trend Micro Control Manager 2.5.0
  • Trend Micro Damage Cleanup Server 1.0.0
  • VIGILANTe SecureScan NX 2.5.0
  • Veritas Software Backup Exec 9.0.0
  • Veritas Software Backup Exec for Windows Servers 9.0.0
  • Visionary Systems Firehouse Software 3.0.5
  • Visionary Systems Firehouse Software 5.0.0
  • Visionary Systems Firehouse Software 5.0.2 5
  • Visionary Systems Firehouse Software 5.4.0
  • Vital Processing Services LLC POS-partner 2000 4.1.11
  • Vital Processing Services LLC POS-partner 2000 5.0.13
  • Websense Reporter 6.3.1
  • Wonderware InTouch 7.11.0
  • Xerox CentreWare Web 1.0.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.