Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1426
HistoryMar 28, 2001 - 12:00 a.m.

Remote buffer overflow in DCOM VB T-SQL debugger

2001-03-2800:00:00
vulners.com
15
JSON

BindView Security Advisory

Remote buffer overflow in DCOM VB T-SQL debugger
Issue Date: March 27, 2001
Contact: [email protected]

Topic:
Remote buffer overflow in DCOM VB T-SQL debugger

Overview:
Microsoft Developer Studio version 6 installs a world-launchable DCOM
object, known as the VB T-SQL Debugger, which contains an exploitable
buffer overflow.

Affected Systems:
Windows NT and Windows 2000 systems with Microsoft Developer Studio 6

Impact:
Remote attackers without credentials can run arbitrary code on the
target with the credentials of the user currently logged in at the
target.

Details:

Microsoft Developer Studio installs a variety of DCOM components. One
in particular is the "VB T-SQL Debugger Object". It is installed to
run as "Interactive User", which means that when it is launched, it
runs with the credentials of the currently logged on user. It also
allows Everyone to start and access it remotely.

The purpose of this DCOM object is not documented, nor are any of the
methods that it supports. However, by examining the type library that
it includes, the methods and their parameters can be examined. One of
the methods the VB T-SQL debugger provides is the NewSPID method,
which looks like this:

HRESULT NewSPID([in] long spid,
[in] long pid,
[in] BSTR lpctstrDbName,
[in] short cbName,
[out, retval] short* nReturn);

The purpose of this call is apparently to create a new stored
procedure id in the given database, but that's just conjecture.
Anyway, this method contains a classic buffer overflow, due to an
unchecked call to sprintf using the passed in lpctstrDbName. Passing
in a dbname over approximately 128 characters in length will overwrite
the stack frame. From that point, it's relatively easy to return to
an address that will call into the exploit code on the stack. Just
find a "call esp" somewhere in the address space, and return there.

Workarounds:

Remove the Everyone:Launch and Everyone:Access permissions from the VB
T-SQL Appid key under HKCR\Appid. Restrict the permissions to SYSTEM
and Admins only.

Recommendations:

Determine whether the VB T-SQL Debugger Object is installed on your
systems. To do this, run dcomcnfg and look for it in the list of
applications. Alternatively, look for the registry key
HKCR\Appid\{124765aa-7866-11cf-bf3b-00a0d10003fa}. If it exists
either remove it, or restrict the launch and access permissions
specified there.

Install the hotfix from Microsoft.

References:

Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-018.asp

Microsoft's Hotfix:
http://msdn.microsoft.com/vstudio/downloads/debugging/default.asp

Microsoft's Knowledge Base article:
http://www.microsoft.com/technet/support/kb.asp?ID=281297
(may take a couple days to appear)

CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2001-0153 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

Related

cve 1
cert 1
cve
cve
CVE-2001-0153
2001-05-03 04:00:00
cert
cert
Microsoft Visual Studio VB-TSQL debugger object vbsdicli.exe contains buffer overflow via NewSPID method
2001-05-03 00:00:00
JSON
Related for SECURITYVULNS:DOC:1426
cve1cert1