CVE-2002-0186
CVSS 7.5
Published: 2002-07-03 00:00:00
Last modified: 2016-10-17 22:16:54

[Original] Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension."


[CNNVD] Microsoft SQLXML ISAPI Remote Buffer Overflow Vulnerability (MS02-030) (CNNVD-200207-017)

SQLXML ISAPI lets an IIS server accept XML data from, and return XML data to, a SQL Server, so that query results are returned in XML format.
The SQLXML ISAPI implementation contains a buffer overflow; a remote attacker may exploit it to execute arbitrary instructions on the host with SYSTEM privileges.
When a SQL query is issued through SQLXML's "sql=" syntax, the user can specify parameters that affect the returned XML output; one of these is content-type. If an over-long content-type value is submitted to IIS, the server process may crash, and carefully crafted data may allow a remote attacker to execute arbitrary instructions on the host with the privileges of the SYSTEM process. A normal request (in this case a direct sql= query) looks like this:
IIS-server/demos?sql=select+*+from+Customers+as+Customer+FOR+XML+auto&root=root&xsl=custtable.xsl&contenttype=text/html
If the content-type value exceeds 240 characters, inetinfo.exe may crash.
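As an added detection example (not part of this record, and not Microsoft's or the original researcher's code), the following Python parses constructed IIS-style W3C log lines and flags requests whose query string carries a parameter value longer than the 240-character threshold the description gives. It checks every query parameter, which is a broader heuristic than the advisory (which names only contenttype); the log field layout and the sample lines are assumptions made for the example.

```python
from urllib.parse import parse_qs

# Threshold stated in the advisory text: a contenttype value longer than
# 240 characters could crash inetinfo.exe.
CONTENTTYPE_LIMIT = 240

# Constructed sample log in IIS W3C extended format (not real data).
# Field order follows the #Fields: directive; "-" marks an empty field.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2002-06-13 10:00:01 192.0.2.10 GET /demos "
    "sql=select+*+from+Customers+FOR+XML+auto&root=root&xsl=custtable.xsl"
    "&contenttype=text/html 200\n"
    "2002-06-13 10:00:02 192.0.2.10 GET /Nwind/Template/catalog.xml "
    "contenttype=text/" + "A" * 300 + " 500\n"
    "2002-06-13 10:00:03 192.0.2.11 GET /Nwind/Template/catalog.xml - 200\n"
)


def parse_w3c_log(text):
    """Parse a W3C extended log (IIS style) into dicts keyed by #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        records.append(dict(zip(fields, values)))
    return records


def oversized_params(query, limit=CONTENTTYPE_LIMIT):
    """Return {param: decoded length} for query-string parameters whose
    value exceeds `limit`. Lengths are measured after percent-decoding,
    since that is the form the extension would process."""
    if query in ("", "-"):
        return {}
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        longest = max(len(v) for v in values)
        if longest > limit:
            hits[name.lower()] = longest
    return hits


def find_suspicious_requests(log_text, limit=CONTENTTYPE_LIMIT):
    """Return (client ip, uri-stem, {param: length}) for every request in
    the log whose query string carries an over-long parameter value."""
    out = []
    for rec in parse_w3c_log(log_text):
        hits = oversized_params(rec.get("cs-uri-query", "-"), limit)
        if hits:
            out.append((rec["c-ip"], rec["cs-uri-stem"], hits))
    return out


if __name__ == "__main__":
    for ip, stem, hits in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {stem} over-long params: {hits}")
```

The threshold is deliberately a parameter, so the same scan can be tightened for a site that never sends long query values. Only the catalog.xml request with the 300-character contenttype value is reported; the normal demo query and the request without a query string are not.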
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:sql_server:2000 : Microsoft SQL Server 2000
cpe:/a:microsoft:sql_server:2000:sp2 : Microsoft SQL Server 2000 Service Pack 2
cpe:/a:microsoft:sql_server:2000:sp1 : Microsoft SQL Server 2000 Service Pack 1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:489 : Unchecked Buffer in SQLXML ISAPI Extension for Microsoft Data Access Components 2.7
oval:org.mitre.oval:def:484 : Unchecked Buffer in SQLXML ISAPI Extension for Microsoft Data Access Components 2.6
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions contain further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0186
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0186
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-017
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0100.html
(VENDOR_ADVISORY)  VULNWATCH  20020613 [VulnWatch] wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
http://marc.info/?l=bugtraq&m=102397345410856&w=2
(UNKNOWN)  BUGTRAQ  20020613 wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
http://www.iss.net/security_center/static/9328.php
(UNKNOWN)  XF  mssql-sqlxml-isapi-bo(9328)
http://www.kb.cert.org/vuls/id/811371
(UNKNOWN)  CERT-VN  VU#811371
http://www.microsoft.com/technet/security/bulletin/ms02-030.asp
(VENDOR_ADVISORY)  MS  MS02-030
http://www.securityfocus.com/bid/5004
(UNKNOWN)  BID  5004

- Vulnerability information

Microsoft SQLXML ISAPI Remote Buffer Overflow Vulnerability (MS02-030)
High severity; boundary condition error
2002-07-03 00:00:00 2006-09-01 00:00:00
Remote
        
        

- Advisories and patches

Vendor patches:
Microsoft
---------
Microsoft has released a security bulletin (MS02-030) and the corresponding patch:
MS02-030: Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
Link:
http://www.microsoft.com/technet/security/bulletin/MS02-030.asp

Patch downloads:
 * Microsoft SQLXML version shipping with SQL 2000 Gold:
        
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39547

         * Microsoft SQLXML version 2:
        
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38480

         * Microsoft SQLXML version 3:
        
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38481

- Vulnerability information (21540)

Microsoft SQL Server 2000 SQLXML Buffer Overflow Vulnerability (EDBID:21540)
windows dos
2002-06-12 Verified
0 Matt Moore
N/A
source: http://www.securityfocus.com/bid/5004/info

SQLXML is a component of SQL Server 2000, which enables SQL servers to receive and send database queries via XML (Extensible Markup Language) format. Such queries can be sent using various methods of communication, one of which is via HTTP. SQLXML HTTP components reside in a virtual directory on a web server and are not enabled by default; SQLXML ISAPI extensions run with LocalSystem privileges.

A buffer overflow issue has been discovered in the SQLXML ISAPI extension that handles data queries over HTTP (SQLXML HTTP).

It is possible for a user to initiate the overflow by connecting to a host and submitting malformed data.

This issue has been reported to exist in SQL Server 2000 Gold; other versions may be vulnerable as well.

IIS-Server/Nwind/Template/catalog.xml?contenttype=text/AAAA...AAA

This uses a 'template' file instead of a direct query to cause inetinfo.exe to crash.

- Vulnerability information

5347
Microsoft SQL Server SQLXML ISAPI Extension Remote Overflow
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

A remote overflow exists in Microsoft SQLXML. The SQLXML ISAPI extension of Microsoft SQL Server 2000 fails to check boundaries of data queries resulting in a buffer overflow. With a specially crafted request, a malicious user can execute arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2002-06-12 Unknown
2002-06-12 Unknown

- Solution

Microsoft has released patches to address this vulnerability.

- Related references

- Vulnerability author
