Microsoft SQL XP srv_paraminfo() buffer overflow
| mssql-xp-paraminfo-bo (5622) |
Description:
Several versions of Microsoft SQL Server and Microsoft SQL Server Desktop Engine (MSDE) are vulnerable to buffer overflows in Extended Stored Procedures (XPs) that call the srv_paraminfo() function of the SQL Server Open Data Services (ODS) API. Extended Stored Procedures are DLL files that a SQL Server administrator installs to enhance SQL Server functionality. An XP retrieves its parameters through srv_paraminfo(), which copies a parameter's value into a caller-supplied buffer but gives the caller no way to bound the copy to the size of that buffer. The XPs listed below pass fixed-size buffers and do not check the parameter length before the copy. By sending an overly long input parameter to one of these XPs, an attacker who can connect to the server and has permission to execute the XP can overflow the buffer and cause the SQL Server service to fail or possibly execute arbitrary code on the system. The code is executed with the privileges of the SQL Server service account.
The following Extended Stored Procedures will cause the srv_paraminfo buffer to overflow:
- xp_printstatements
- xp_sqlinventory
- xp_peekqueue
- xp_proxiedmetadata
- xp_SetSQLSecurity
- xp_displayparamstmt
- xp_enumresultset
- xp_showcolv
- xp_updatecolvbm
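The bug pattern described above, as an added example in C that is not code from this entry, from @stake or from Microsoft. The srv_paraminfo() below is a stand-in with the ODS signature (int srv_paraminfo(SRV_PROC *, int, BYTE *, ULONG *, ULONG *, BYTE *, BOOL *)) backed by a constructed parameter table; the SRV_PROC layout, the type token and the "simulated stack frame" used to observe the overwrite are assumptions made so the overflow can be measured without undefined behaviour. vulnerable_xp() follows the affected XPs (fixed local buffer, a single call, no length check); hardened_xp() does what a fixed XP must do: ask for the length with pbData set to NULL, enforce a limit, and only then copy.

```c
/* Added example modelling the srv_paraminfo() misuse behind MS00-092.
 * srv_paraminfo() here is a stand-in with the ODS signature backed by a
 * constructed parameter table (assumption); no real SQL Server is involved. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char BYTE;
typedef unsigned long ULONG;
typedef int BOOL;
#define SUCCEED 1
#define FAIL 0
#define XP_TYPE_VARCHAR 1     /* placeholder token, not a real ODS type value */

/* Assumed SRV_PROC layout: up to 4 parameters, value + length each. */
typedef struct { int nparams; const BYTE *data[4]; ULONG len[4]; } SRV_PROC;

/* Stand-in for ODS srv_paraminfo(). Like the real function it copies the
 * parameter's full value into pbData without knowing how large pbData is;
 * with pbData == NULL only the type, lengths and null flag are returned. */
int srv_paraminfo(SRV_PROC *srvproc, int n, BYTE *pbType, ULONG *pcbMaxLen,
                  ULONG *pcbActualLen, BYTE *pbData, BOOL *pfNull)
{
    if (n < 1 || n > srvproc->nparams) return FAIL;
    *pbType = XP_TYPE_VARCHAR;
    *pcbMaxLen = 8000;                      /* declared max for the type */
    *pcbActualLen = srvproc->len[n - 1];    /* actual bytes in the value */
    *pfNull = (srvproc->data[n - 1] == NULL);
    if (pbData && !*pfNull)
        memcpy(pbData, srvproc->data[n - 1], srvproc->len[n - 1]);
    return SUCCEED;
}

#define LOCAL_BUF 64
/* The vulnerable pattern: fixed local buffer, one call, no length check.
 * To observe the overflow without undefined behaviour the "stack frame" is a
 * heap block: LOCAL_BUF bytes of buffer followed by a guard region standing
 * in for whatever sits above the buffer on a real stack (saved registers,
 * return address). Returns how many guard bytes the copy overwrote.
 * Inputs larger than LOCAL_BUF + GUARD would escape the simulated frame. */
size_t vulnerable_xp(SRV_PROC *srvproc, int n)
{
    enum { GUARD = 4096 };
    BYTE type; ULONG maxlen, actual; BOOL isnull;
    BYTE *frame = calloc(1, LOCAL_BUF + GUARD);
    size_t clobbered = 0, i;
    if (!frame) return 0;
    memset(frame + LOCAL_BUF, 0xAA, GUARD);         /* guard pattern */
    /* Copies `actual` bytes into a 64-byte buffer, however long the value is. */
    srv_paraminfo(srvproc, n, &type, &maxlen, &actual, frame, &isnull);
    for (i = 0; i < GUARD; i++)
        if (frame[LOCAL_BUF + i] != 0xAA) clobbered++;
    free(frame);
    return clobbered;
}

/* The fixed pattern: query the length first (pbData == NULL), reject values
 * larger than the XP is prepared to handle, then copy into a buffer sized for
 * the value. Returns bytes copied (0 for NULL) or -1 when rejected. */
long hardened_xp(SRV_PROC *srvproc, int n, ULONG limit, BYTE **out)
{
    BYTE type; ULONG maxlen, actual; BOOL isnull; BYTE *buf;
    *out = NULL;
    if (srv_paraminfo(srvproc, n, &type, &maxlen, &actual, NULL, &isnull) != SUCCEED)
        return -1;
    if (isnull) return 0;
    if (actual > limit) return -1;                  /* the missing check */
    buf = malloc(actual + 1);
    if (!buf) return -1;
    if (srv_paraminfo(srvproc, n, &type, &maxlen, &actual, buf, &isnull) != SUCCEED) {
        free(buf);
        return -1;
    }
    buf[actual] = 0;
    *out = buf;
    return (long)actual;
}

/* Constructed input: one varchar parameter of `len` bytes of 'A'. */
SRV_PROC *make_proc(ULONG len)
{
    SRV_PROC *p = calloc(1, sizeof *p);
    BYTE *v = malloc(len ? len : 1);
    memset(v, 'A', len);
    p->nparams = 1; p->data[0] = v; p->len[0] = len;
    return p;
}

void free_proc(SRV_PROC *p) { free((void *)p->data[0]); free(p); }

int main(void)
{
    SRV_PROC *p = make_proc(1000);     /* a 1000-byte argument to a 64-byte buffer */
    BYTE *out = NULL;
    printf("vulnerable pattern: %zu guard bytes overwritten\n", vulnerable_xp(p, 1));
    printf("hardened pattern, limit 255: %ld\n", hardened_xp(p, 1, 255, &out));
    printf("hardened pattern, limit 8000: %ld\n", hardened_xp(p, 1, 8000, &out));
    free(out);
    free_proc(p);
    return 0;
}
```

The first call in hardened_xp() deliberately passes NULL for pbData so the XP learns the actual length before any copy; the limit it enforces should be the size the XP's own logic can handle, not the type's declared maximum returned in pcbMaxLen.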
Platforms Affected:
- Microsoft, Data Engine 1.0
- Microsoft, SQL Server 2000
- Microsoft, SQL Server 7.0
- Microsoft, SQL Server
- Microsoft, SQL Server Desktop Engine 2000
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS00-092. See References. Because exploitation requires permission to execute one of the listed XPs, restricting EXECUTE on those XPs to accounts that need them reduces exposure on servers that cannot be patched immediately.
Consequences:
Gain Access
References:
- @stake, Inc. Security Advisory A120100-1, Microsoft SQL Server Extended Stored Procedure Vulnerability at http://www.webproxy.com/research/advisories/2000/a120100-1.txt.
- @stake, Inc. Security Advisory A120100-2, SQL Server 2000 Extended Stored Procedure Vulnerability at http://www.webproxy.com/research/advisories/2000/a120100-2.txt.
- Microsoft Security Bulletin MS00-092, Patch Available for "Extended Stored Procedure Parameter Parsing" Vulnerability at http://www.microsoft.com/technet/security/bulletin/ms00-092.mspx.
- BID-2030: Microsoft SQL Server / Data Engine xp_displayparamstmt Buffer Overflow Vulnerability
- BID-2031: Microsoft SQL Server / Data Engine xp_enumresultset Buffer Overflow Vulnerability
- BID-2038: Microsoft SQL Server / Data Engine xp_showcolv Buffer Overflow Vulnerability
- BID-2039: Microsoft SQL Server / Data Engine xp_updatecolvbm Buffer Overflow Vulnerability
- BID-2040: Microsoft SQL Server / Data Engine xp_peekqueue Buffer Overflow Vulnerability
- BID-2041: Microsoft SQL Server / Data Engine xp_printstatements Buffer Overflow Vulnerability
- BID-2042: Microsoft SQL Server / Data Engine xp_proxiedmetadata Buffer Overflow Vulnerability
- BID-2043: Microsoft SQL Server / Data Engine xp_SetSQLSecurity Buffer Overflow Vulnerability
- CVE-2000-1081: The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the Extended Stored Procedure Parameter Parsing vulnerability.
- CVE-2000-1082: The xp_enumresultset function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the Extended Stored Procedure Parameter Parsing vulnerability.
- CVE-2000-1083: The xp_showcolv function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the Extended Stored Procedure Parameter Parsing vulnerability.
- CVE-2000-1084: The xp_updatecolvbm function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the Extended Stored Procedure Parameter Parsing vulnerability.
- CVE-2000-1085: The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the Extended Stored Procedure Parameter Parsing vulnerability.
- CVE-2000-1086: The xp_printstatements function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the Extended Stored Procedure Parameter Parsing vulnerability.
- CVE-2000-1087: The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the Extended Stored Procedure Parameter Parsing vulnerability.
- CVE-2000-1088: The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the Extended Stored Procedure Parameter Parsing vulnerability.
Reported:
Dec 01, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
