|
|
Microsoft SQL Server 2000 Bulk插入过程缓冲区溢出漏洞
发布时间:2003-02-12
更新时间:2003-02-12
严重程度:高
威胁程度:远程管理员权限
错误类型:输入验证错误
利用方式:服务器模式
BUGTRAQ ID:4847
CVE(CAN) ID:CAN-2002-0641
受影响系统Microsoft SQL Server 2000 SP2
Microsoft SQL Server 2000 Desktop Engine
+Akiva WebBoard 6.1
+Microsoft Access 2000
+Microsoft Application Center 2000
+Microsoft Biz Talk Server 2002 Developer Edition
+Microsoft Biz Talk Server 2002 Enterprise Edition
+Microsoft BizTalk Server 2000 Developer Edition
+Microsoft BizTalk Server 2000 Enterprise Edition
+Microsoft BizTalk Server 2000 Standard Edition
+Microsoft Office 2000
+Microsoft Project Central Server
+Microsoft SharePoint Team Services
+Microsoft Visio 2000 Enterprise Edition
+Microsoft Visio Enterprise Network Tools
+Microsoft Visual FoxPro 6.0
+Microsoft Visual Studio 6.0
+Microsoft Visual Studio .NET Academic Edition
+Microsoft Visual Studio .NET Enterprise Architect Edition
+Microsoft Visual Studio .NET Enterprise Developer Edition
+Microsoft Visual Studio .NET Professional Edition
+SmartMax Software MailMax 5.0
+Veritas Software Backup Exec 9.0 详细描述
Microsoft SQL Server 2000的bulk插入过程一般被管理用来往数据库的表中插入数据或以定制的格式直接从数据文件中查看数据,由于在处理过程参数时的一个不检查边界的数据复制操作使此过程的实现上存在了缓冲区溢出漏洞,入侵者可能通过构造恶意的参数来利用此漏洞执行任意代码。
解决方案
Microsoft Patch Q316333
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&
相关信息
Cesar Cerrudo和David Litchfield
Microsoft Security Bulletin MS02-034
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp
|
