||Home : Advisories : SQL Server 2000 Extended Stored Procedure Vulnerability|
||SQL Server 2000 Extended Stored Procedure Vulnerability
||1st December 2000
-----BEGIN PGP SIGNED MESSAGE-----
Advisory Name: SQL Server 2000 Extended Stored Procedure Vulnerability
Release Date: scheduled for 12/01/2000
Application: SQL Server 2000
Platform: Windows 2000 Advanced Server (no service packs)
SQL Server 2000 Enterprise Edition
Severity: An attacker can execute arbitrary code on the server
Author: Chris Anley (firstname.lastname@example.org)
Vendor Status: vendor has patch, see below
This advisory details multiple vulnerabilities in Microsoft SQL Server
2000 that allow an attacker to run arbitrary code on the SQL server in the
context of a local administrator account.
SQL Server provides a mechanism by which a database query can result in a
call into a function called an "extended stored procedure". Several
extended stored procedures supplied with SQL Server 2000 are vulnerable to
buffer overflow attacks. Furthermore, in a default configuration these
extended stored procedures can be executed by any user.
Extended stored procedures can be called by any client component that can
issue a normal SQL Server query, such as Microsoft Access, or MSQuery. The
ISQL utility, which is supplied with SQL Server, can also be used to call
extended stored procedures. Web applications running on Internet
Information Server frequently use the ActiveX Data Objects (ADO) API to
connect to SQL Server databases.
The syntax for calling extended stored procedures is as follows:
exec , , ...
For example, the following query will return a directory tree of the
exec xp_dirtree 'c:\winnt'
By passing extremely long strings for various parameters, it is possible
to overrun the buffer space allocated for these parameters and execute
The following extended stored procedures are vulnerable:
xp_peekqueue (xpqueue.dll), and xp_printstatements (xprepl.dll)
An overly long string passed for the first parameter will cause an access
violation and overwrite the exception handler's saved return address.
Takes four parameters. An overly long string for the second will cause an
access violation and overwrite the exception handler's saved return address.
Takes four parameters. An overly long string passed for the third parameter
will cause an exception that results in the immediate termination of the
entire SQL Server process.
Proof of Concept:
Source code available at:
Microsoft has released a bulletin describing this issue:
Microsoft has released a patch to fix this problem:
Disallow PUBLIC execute access to these extended stored procedures usless
you need it.
Install the vendor supplied patch.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
xp_peekqueue - CAN-2000-1085
xp_printstatements - CAN-2000-1086
xp_proxiedmetadata - CAN-2000-1087
xp_SetSQLSecurity - CAN-2000-1088
Advisory Release policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc
Copyright 2000 @stake, Inc. All rights reserved
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
-----END PGP SIGNATURE-----