[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : SQL Server 2000 Extended Stored Procedure Vulnerability

Title: SQL Server 2000 Extended Stored Procedure Vulnerability
Released by: @stake
Date: 1st December 2000
Printable version: Click here

Hash: SHA1

                              @stake, Inc.


                           Security Advisory

Advisory Name: SQL Server 2000 Extended Stored Procedure Vulnerability

 Release Date: scheduled for 12/01/2000

  Application: SQL Server 2000

     Platform: Windows 2000 Advanced Server (no service packs)

               SQL Server 2000 Enterprise Edition

     Severity: An attacker can execute arbitrary code on the server

       Author: Chris Anley (dec0de@atstake.com)

Vendor Status: vendor has patch, see below

          Web: www.atstake.com/research/advisories/2000/a120100-2.txt


This advisory details multiple vulnerabilities in Microsoft SQL Server

2000 that allow an attacker to run arbitrary code on the SQL server in the

context of a local administrator account.

SQL Server provides a mechanism by which a database query can result in a

call into a function called an "extended stored procedure". Several

extended stored procedures supplied with SQL Server 2000 are vulnerable to

buffer overflow attacks. Furthermore, in a default configuration these

extended stored procedures can be executed by any user.

Detailed Description:

Extended stored procedures can be called by any client component that can

issue a normal SQL Server query, such as Microsoft Access, or MSQuery. The

ISQL utility, which is supplied with SQL Server, can also be used to call

extended stored procedures. Web applications running on Internet

Information Server frequently use the ActiveX Data Objects (ADO) API to

connect to SQL Server databases.

The syntax for calling extended stored procedures is as follows:

exec  , , ...

For example, the following query will return a directory tree of the

"c:\winnt" directoy:

exec xp_dirtree 'c:\winnt'

By passing extremely long strings for various parameters, it is possible

to overrun the buffer space allocated for these parameters and execute

arbitrary code.

The following extended stored procedures are vulnerable:

xp_peekqueue (xpqueue.dll), and xp_printstatements (xprepl.dll)

An overly long string passed for the first parameter will cause an access

violation and overwrite the exception handler's saved return address.

xp_proxiedmetadata (xprepl.dll)

Takes four parameters. An overly long string for the second will cause an

access violation and overwrite the exception handler's saved return address.

xp_SetSQLSecurity (xpstar.dll)

Takes four parameters. An overly long string passed for the third parameter

will cause an exception that results in the immediate termination of the

entire SQL Server process.

Proof of Concept:

   Source code available at:


Vendor Response:

    Microsoft has released a bulletin describing this issue:


    Microsoft has released a patch to fix this problem:



Disallow PUBLIC execute access to these extended stored procedures usless

you need it.

Install the vendor supplied patch.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned

the following names to these issues.  These are candidates for

inclusion in the CVE list (http://cve.mitre.org), which standardizes

names for security problems.

   xp_peekqueue - CAN-2000-1085

   xp_printstatements - CAN-2000-1086

   xp_proxiedmetadata - CAN-2000-1087

   xp_SetSQLSecurity - CAN-2000-1088

Advisory Release policy: http://www.atstake.com/research/policy/

For more advisories: http://www.atstake.com/research/advisories/

PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved


Version: PGP 7.0





(C) 1999-2000 All rights reserved.