OVAL83 for CAN-2001-0542

Yi-Fang Koh
Microsoft Security Bulletin MS01-060
SQL Server Text Formatting Functions Contain Unchecked Buffers

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-060.asp

SQL Server 7.0 and 2000 provide several functions that allow database
queries to generate text messages. The functions create a text message
and store it in a variable or directly display the message.
The vulnerability is caused by several of these SQL Server functions
containing unchecked buffers. An attacker could provide specially chosen
text that overruns the buffer and overwrites memory within the SQL Server
process. A buffer overrun could be used either to run code in the
security context of the SQL Server service or to cause the SQL Server
service to fail.
Applying the patch s80428i.exe, or one of the later released cumulative
patches, fixes the vulnerability.
After patch s80428i.exe is installed, the sqlservr.exe file version
becomes 2000.80.428.0. If the sqlservr.exe file version is < 2000.80.428.0,
neither patch s80428i.exe nor a later released cumulative patch is
installed, and the vulnerability exists on the system.

Patch s80428i.exe includes two files: sqlservr.exe and sqlservr.pdb
* After patch s80428i.exe is installed, the sqlservr.exe file version =
2000.80.428.0
* The sqlservr.pdb file is only used during a debugging session and
there is no binding between sqlservr.exe and the sqlservr.pdb file, so
the sqlservr.pdb file is not checked in the query.

The fix is also included in Service Pack 2. After Service Pack 2 is
installed, the sqlservr.exe file version = 2000.80.534.0. If the
sqlservr.exe file version is < 2000.80.534.0, Service Pack 2 was also
not installed. Because the query checks for a sqlservr.exe whose file
version3 < 428, that condition is sufficient to demonstrate that none of
these patches nor Service Pack 2 has been installed.


Oval-id: OVAL83
CVE-id: CAN-2001-0542

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2001-0542


Description:
Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers
with access to SQL Server to execute arbitrary code through the
functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the
C runtime format string vulnerability reported in MS01-060 is identified
by CAN-2001-0879.


Query Synopsis:
-- Vulnerable software exists
* SQL Server 2000 (all editions) installed
* Patch s80428i.exe (or later released cumulative patches) not installed
* SQL Server 2000 SP2 (or later) not installed

Query:

SELECT 'CAN-2001-0542' FROM Placeholder WHERE
EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Check SQL Server 2000 (all editions) installed

  (SELECT 'SQL Server 2000 installed' FROM Win2K_RegistryKeys
   WHERE
   RegistryKey =
   'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersion'
   AND
   EntryName = 'CurrentVersion' AND
   EntryValue = '8.00.194')

AND EXISTS

  -- Patch s80428i.exe (or later released cumulative patches) and
  -- SP2 not installed
  -- the file version of sqlservr.exe < 2000.80.428.0
  -- Check sqlservr.exe file version3 < 428 exists

  (SELECT 'File sqlservr.exe version3 < 428' FROM Win2K_FileAttributes
   WHERE
   FilePath = (SELECT EntryValue || 'sqlservr.exe' FROM Win2K_RegistryKeys
               WHERE RegistryKey =
               'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe'
               AND EntryName = 'Path') AND
   (Version1 = 2000 AND Version2 = 80 AND Version3 < 428))

-- ### END VULNERABLE SOFTWARE EXISTS
-- ### BEGIN VULNERABLE CONFIGURATION
-- ### END VULNERABLE CONFIGURATION

;
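As an added illustration (not part of the original OVAL83 submission), the following Python mirrors the two EXISTS branches of the query above against constructed inventory data, so the version logic can be checked offline without an OVAL database. The registry key names and the 428/534 thresholds are the ones stated in the post; the Binn directory and the sample sqlservr.exe versions are constructed for the example.

```python
"""Added example: evaluates the OVAL83 logic for CAN-2001-0542 offline."""
from typing import Dict, Tuple

# Registry keys named in the OVAL83 query.
MSSQL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersion"
APP_PATHS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe"
# Thresholds from the post: s80428i.exe ships sqlservr.exe 2000.80.428.0 and
# SP2 ships 2000.80.534.0, so a 2000.80.x build with x < 428 has neither.
FIXED_VERSION3 = 428
SQL2000_CURRENTVERSION = "8.00.194"

Registry = Dict[Tuple[str, str], str]  # (registry key, entry name) -> value
Files = Dict[str, str]                 # file path -> file version string


def parse_file_version(text: str) -> Tuple[int, int, int, int]:
    """Split '2000.80.428.0' into (2000, 80, 428, 0).

    Compare numerically: as strings, '2000.80.2039.0' sorts before
    '2000.80.428.0', which would misreport a later build as vulnerable."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected file version: {text!r}")
    v1, v2, v3, v4 = (int(p) for p in parts)
    return v1, v2, v3, v4


def is_vulnerable(registry: Registry, files: Files) -> bool:
    """True when both EXISTS branches of the OVAL83 query would return a row."""
    # Branch 1: SQL Server 2000 installed (CurrentVersion = 8.00.194).
    if registry.get((MSSQL_KEY, "CurrentVersion")) != SQL2000_CURRENTVERSION:
        return False
    # Branch 2: sqlservr.exe located via App Paths reports 2000.80.x, x < 428.
    # Like the query's EntryValue || 'sqlservr.exe', this assumes the Path
    # value ends with a backslash.
    binn = registry.get((APP_PATHS_KEY, "Path"))
    version_text = files.get(binn + "sqlservr.exe") if binn else None
    if version_text is None:
        return False  # no file row means no match, just as in the query
    v1, v2, v3, _ = parse_file_version(version_text)
    return v1 == 2000 and v2 == 80 and v3 < FIXED_VERSION3


def sample_host(sqlservr_version: str) -> Tuple[Registry, Files]:
    """Constructed inventory for one SQL Server 2000 host (not real scan data)."""
    binn = "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\"
    registry = {(MSSQL_KEY, "CurrentVersion"): SQL2000_CURRENTVERSION,
                (APP_PATHS_KEY, "Path"): binn}
    return registry, {binn + "sqlservr.exe": sqlservr_version}
```

Calling is_vulnerable(*sample_host("2000.80.194.0")) reports the RTM build as vulnerable, while the 428 (patched) and 534 (SP2) builds are not.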

Insert statements:

-- ============================================================
-- Registry Keys

INSERT89
-- SQL Server
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey) VALUES
('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersion')

;

-- ==============================================================
-- File Attributes


INSERT256
-- sqlservr.exe
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\sqlservr.exe')
;

-- ==============================================================