OVAL121 for CAN-2002-0154 (SQL Server 2000)


Yi-Fang Koh
Microsoft Security Bulletin MS02-020:
SQL Extended Procedure Functions Contain Unchecked Buffers (Q319507)


OVAL-id: OVAL121
CVE-id:  CAN-2002-0154
Description:
Buffer overflows in extended stored procedures for Microsoft SQL Server
7.0 and 2000 allow remote attackers to cause a denial of service or
execute arbitrary code via a database query with certain long arguments.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=can-2002-0154

This is a buffer overrun vulnerability. Several SQL Extended Procedures
provided by SQL Server 2000 fail to validate user input and could cause
buffer overrun in the affected procedures. There are several ways an
attacker could use to exploit this vulnerability. Attackers could
execute a query to call one of the affected functions. If the front-end
was configured to access and process arbitrary queries, the attacker
could provide carefully selected parameters as input that would cause
the query to call one of the affected functions. As the result, the
attack could cause the SQL Server service to fail, or gain control over
the database.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-020.asp

The patch 8.00.0608_SQL2K_sp2_x86_enu.exe includes 11 files. After the
patch is installed, the file versions of these files are:
* xpstar.dll file version = 2000.80.608.0
* sqlservr.exe file version = 2000.80.608.0
* Odsole70.dll file version = 2000.80.606.0
* xplog70.dll file version = 2000.80.606.0
* xpqueue.dll file version = 2000.80.606.0
* xprepl.dll file version = 2000.80.606.0
* xpweb70.dll file version = 2000.80.606.0
* sqlservr.pdb, Qfe356326.sql, uninstall.sql, Qfe356938.sql: no version
number
This patch is superseded by several later released cumulative patches.
If the sqlservr.exe file version < 2000.80.608.0, it means none of
these patches were installed.
The fix is also included in SQL Server Service Pack 3. After SP3 is
installed, the sqlservr.exe file version = 2000.80.760.0. If the
sqlservr.exe file version < 2000.80.608.0, it means SP3 was not
installed.
Checking that the sqlservr.exe file Version3 < 608 is sufficient to
demonstrate that the vulnerability exists on the system.

Query Synopsis:

--Vulnerable software exists

* SQL Server 2000 (All editions) installed
* Patch 8.00.0608_SQL2K_sp2_x86_enu.exe (or later released cumulative
patches) not installed
* SQL Server Service Pack SP3 (or later) not installed

Query


SELECT 'CAN-2002-0154' FROM Placeholder WHERE
EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Check SQL Server 2000 (all editions) installed

 (SELECT 'SQL Server 2000 installed' FROM Win2K_RegistryKeys
 WHERE
RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersion'
AND
 EntryName = 'CurrentVersion' AND
 EntryValue = '8.00.194')


AND EXISTS

-- If the file version of sqlservr.exe < 2000.80.608.0, it means none of
-- these patches (patch 8.00.0608_SQL2K_sp2_enu.exe, later released
-- cumulative patches) and SP3 were installed
-- Check sqlservr.exe file Version3 < 608 exists

 (SELECT 'File sqlservr.exe version3 < 608' FROM Win2K_FileAttributes
 WHERE
 FilePath= (SELECT EntryValue || 'sqlservr.exe' FROM Win2K_RegistryKeys
WHERE RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
  EntryName = 'Path') AND
 (Version1 = 2000 AND Version2 = 80 AND Version3  < 608 ))


AND EXISTS

-- Check odsole70.dll file Version3 < 606 exist

(SELECT 'File odsole70.dll Version3 < 606' FROM Win2K_FileAttributes
        WHERE
        FilePath= (SELECT EntryValue || 'odsole70.dll' FROM
Win2K_RegistryKeys
        WHERE RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
        EntryName = 'Path') AND
        (Version1 = 2000 AND Version2 = 80 AND Version3 < 606)
)

AND EXISTS
-- Check xpqueue.dll file version3 < 606

(SELECT 'File xpqueue.dll version3 < 606' FROM Win2K_FileAttributes
        WHERE
        FilePath= (SELECT EntryValue || 'xpqueue.dll' FROM
Win2K_RegistryKeys
        WHERE RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
        EntryName = 'Path') AND
        (Version1 = 2000 AND Version2 = 80 AND Version3 < 606)
)
AND EXISTS

-- Check xprepl.dll file version3 < 606 exist

(SELECT 'File xprepl.dll version3 < 606' FROM Win2K_FileAttributes
        WHERE
        FilePath= (SELECT EntryValue || 'xprepl.dll' FROM
Win2K_RegistryKeys
        WHERE RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
        EntryName = 'Path') AND
        (Version1 = 2000 AND Version2 = 80 AND Version3 < 606)
)

AND EXISTS

-- Check xplog70.dll file version3 < 606 exist

(SELECT 'File xplog70.dll version3 < 606' FROM Win2K_FileAttributes
        WHERE
        FilePath= (SELECT EntryValue || 'xplog70.dll' FROM
Win2K_RegistryKeys
        WHERE RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
        EntryName = 'Path') AND
        (Version1 = 2000 AND Version2 = 80 AND Version3 < 606)
)

AND EXISTS

-- Check xpweb70.dll file version3 < 606 exist

(SELECT 'File xpweb70.dll version3 < 606' FROM Win2K_FileAttributes
        WHERE
        FilePath= (SELECT EntryValue || 'xpweb70.dll' FROM
Win2K_RegistryKeys
        WHERE RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
        EntryName = 'Path') AND
        (Version1 = 2000 AND Version2 = 80 AND Version3 < 606)
)

AND EXISTS

-- Check xpstar.dll file version3 < 608 exist

(SELECT 'File xpstar.dll version3 < 608' FROM Win2K_FileAttributes
        WHERE
        FilePath= (SELECT EntryValue || 'xpstar.dll' FROM
Win2K_RegistryKeys
        WHERE RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
        EntryName = 'Path') AND
        (Version1 = 2000 AND Version2 = 80 AND Version3 < 608)
)


-- ### END VULNERABLE SOFTWARE EXISTS
-- ### BEGIN VULNERABLE CONFIGURATION
-- ### END VULNERABLE CONFIGURATION
;

-- Insert statements
-- ============================================================
-- Registry Keys

-- INSERT89
-- SQL Server
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey) VALUES
('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersion')

;

--==================================================================
-- File Attributes

-- INSERT129
-- odsole70.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\odsole70.dll')
;

-- INSERT157
-- xpqueue.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xpqueue.dll')
;

-- INSERT174
-- xprepl.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xprepl.dll')
;

-- INSERT98
-- xplog70.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xplog70.dll')
;

-- INSERT164
-- xpweb70.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xpweb70.dll')
;

-- INSERT202
-- xpstar.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xpstar.dll')
;


-- INSERT256
-- sqlservr.exe
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\sqlservr.exe')
;

-- ==============================================================
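The version test the post describes, implemented in Python as an added example (not part of the original post or of the OVAL query). The file names, the Version3 thresholds and the 8.00.194 registry value are taken from the post; the host inventories are constructed for illustration.

```python
# Added example (not part of the original post or of OVAL): evaluates the
# OVAL121 logic for CAN-2002-0154 over a constructed host inventory.
from typing import Dict, Tuple

# Minimum Version3 (third dotted component) a file must have to carry the
# MS02-020 fix, per the file list of 8.00.0608_SQL2K_sp2_x86_enu.exe.
FIXED_VERSION3 = {
    "sqlservr.exe": 608,
    "xpstar.dll": 608,
    "odsole70.dll": 606,
    "xplog70.dll": 606,
    "xpqueue.dll": 606,
    "xprepl.dll": 606,
    "xpweb70.dll": 606,
}

# Registry CurrentVersion value the query uses to detect SQL Server 2000.
SQL2000_CURRENTVERSION = "8.00.194"

def parse_version(text: str) -> Tuple[int, ...]:
    """'2000.80.608.0' -> (2000, 80, 608, 0); rejects malformed strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted components, got {text!r}")
    return parts

def file_is_unpatched(name: str, version: str) -> bool:
    """Same test as each OVAL subquery: Version1 = 2000, Version2 = 80 and
    Version3 below the fixed build for that file."""
    v1, v2, v3, _ = parse_version(version)
    return v1 == 2000 and v2 == 80 and v3 < FIXED_VERSION3[name]

def oval121_vulnerable(current_version: str, files: Dict[str, str]) -> bool:
    """SQL Server 2000 present AND every listed file below its fixed build,
    as the query's chain of AND EXISTS requires. One patched file, or a
    file that is absent (an EXISTS with no row), clears the result."""
    if current_version != SQL2000_CURRENTVERSION:
        return False
    return all(name in files and file_is_unpatched(name, files[name])
               for name in FIXED_VERSION3)

# Constructed inventories (not captured from a real host): a build below
# 606 standing in for an unpatched host, and the SP3 build 760 from the post.
UNPATCHED_HOST = {name: "2000.80.534.0" for name in FIXED_VERSION3}
SP3_HOST = {name: "2000.80.760.0" for name in FIXED_VERSION3}

if __name__ == "__main__":
    print("unpatched host:", oval121_vulnerable("8.00.194", UNPATCHED_HOST))
    print("SP3 host:", oval121_vulnerable("8.00.194", SP3_HOST))
```

Because the query ANDs every file test, a host where only some of the listed files were updated is reported as not vulnerable; the function reproduces that behaviour rather than flagging partial patching.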