Title: Microsoft Visual Basic / Visual Studio 'VB T-SQL ' Buffer Overflow Vulnerability
Severity: HIGH
Description:
Visual Basic Enterprise Edition and Visual Studio Enterprise Edition both ship with a DCOM object called VB T-SQL Debugger (vbsdicli.exe). T-SQL Debugger enables a user to debug remotely stored procedures in Transact SQL language. T-SQL Debugger runs with the privileges of the locally logged in user.
A method within VB T-SQL Debugger object called 'NewSPID' is used to create a new stored procedure ID within the database.
An unchecked buffer within 'lpctstrDbName' which is a parameter of the 'NewSPID' method, could be exploited by submitting 128 characters or more in the 'DbName'. The end result is a potential buffer overflow condition, which may lead to the execution of arbitrary code.
Successfully exploitation of this vulnerability could lead to complete comprimise of the host.
Affected Products:
- Microsoft Visual Basic 6.0
- Microsoft Visual Studio 6.0
References:
- Microsoft: Microsoft Security Bulletin (MS01-018)
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
