Article ID: 280380 - View products that this article applies to.
This article was previously published under Q280380
BUG #: 100932 (SQLBUG_70)
BUG #: 100936 (SQLBUG_70)
BUG #: 101013 (SQLBUG_70)
BUG #: 351188 (SHILOH_bugs)
BUG #: 351189 (SHILOH_bugs)
A flaw in several of the extended stored procedures shipped with SQL Server may allow a memory buffer allocated on the stack to be overwritten with arbitrary data, potentially allowing an attacker to run arbitrary code in the SQL Server process space. This arbitrary code might be used for purposes as simple as shutting down the server to spawning a different process that might be used to take control of the server.
The srv_paraminfo function is used to copy data passed by the caller into a memory buffer allocated by the extended stored procedure (callee). If the callee allocated this buffer on the stack, and if the data passed to the extended stored procedure is larger than this allocated space, the remaining data may be copied onto the stack, potentially overwriting the return address which executes when the function returns. By carefully constructing a buffer with the right information, arbitrary instructions can be placed into the server's memory and allowed to run.
SQL Server 2000To resolve this problem, obtain the latest service pack for Microsoft SQL Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
290211NOTE: The following hotfix was created prior to Microsoft SQL Server 2000 Service Pack 1.
(http://support.microsoft.com/kb/290211/EN-US/ )INF: How to Obtain the Latest SQL Server 2000 Service Pack
For SQL Server 2000, the English version of this fix should have the following file attributes or later:
Version File name ------------------------- 8.00.0223 Xprepl.dll 8.00.0223 Xpstar.dll 8.00.0223 Xpqueue.dll 8.00.0223 Odsole70.dll
SQL Server 7.0To resolve this problem, obtain the latest service pack for Microsoft SQL Server 7.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
301511NOTE: The following hotfix was created prior to Microsoft SQL Server 7.0 Service Pack 4.
(http://support.microsoft.com/kb/301511/EN-US/ )INF: How to Obtain the Latest SQL Server 7.0 Service Pack
The English version of this fix should have the following file attributes or later:
NOTE: Because of file dependencies, the most recent hotfix or feature that contains the preceding files may also contain additional files. To install the fix, perform the following steps:
Version File name ------------------------ 7.00.0918 Xprepl.dll 7.00.0918 Xpstar.dll 7.00.0918 Replres.dll
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
SQL Server 2000
This problem was first corrected in SQL Server 2000 Service Pack 1.
SQL Server 7.0
This problem was first corrected in SQL Server 7.0 Service Pack 4.
The list of affected extended stored procedures include:
The exploit takes advantage of using a buffer that is too small for the data being passed. To correctly ascertain the length of data being passed, you must first call srv_paraminfo with its sixth parameter, pbData, as NULL. The function then returns the actual length of the parameter data. An appropriately sized buffer can then be allocated, and a second call can be made to retrieve the data. The srv_paraminfo function does not allow you to specify a maximum length of data to copy into your buffer. For more information, refer to the srv_paraminfo topic in SQL Server Books Online.
Article ID: 280380 - Last Review: September 5, 2007 - Revision: 4.2