Insomnia Security Vulnerability Advisory: ISVA-080709.1
Name: Microsoft SQL Server - Corrupt Backup File Heap Overflow
Released: 09 July 2008
Vendor Link:
http://www.microsoft.com/sql/default.mspx
Affected Products:
MS SQL Server 2005, possibly previous versions
Original Advisory:
http://www.insomniasec.com/advisories/ISVA-080709.1.htm
Researcher:
Brett Moore, Insomnia Security
http://www.insomniasec.com
Description
Microsoft SQL Server contains a buffer overflow that can be reached
by causing the server to attempt a database restore from a corrupt
backup file.
This can be triggered by a user with PUBLIC access through the
RESTORE TSQL statement, available through the console as well as
through a vulnerable SQL statement on a web server (SQL injection).
By default the service runs under the NETWORK SERVICE account but
has the ability to impersonate through tokens, and therefore
can gain full LOCAL SYSTEM account access.
Details
The following TSQL statement can be called by any user with PUBLIC
access.
RESTORE FILELISTONLY FROM DISK = 'path to file'
By hosting a corrupt SQL database backup on a remote file share
it is possible to force the target server to open the file, parse
it, and corrupt the internal heap.
Obviously the target SQL server must have egress availability to
connect out through SMB or WebDAV functionality.
The SQL backup format consists of multiple chunks of data, each of
which follows the basic structure
struct backupChunk {
unsigned long nametag; /* 4-byte chunk type, e.g. SCIN */
unsigned long size;    /* total chunk size, including this 8-byte header */
};
The nametag describes the type of chunk (e.g. SCIN, SFGI, MQCI).
The size field gives the total size of the chunk, including the
8-byte chunk header.
The parsing function walks the file using the backupChunk->size
field to locate the next valid chunk.
If the size field is larger than the current buffer, a check
prevents the application from overflowing.
After this size comparison, the size is adjusted by subtracting the
8-byte structure header.
If the size field holds a value between 0 and 7, the subtraction
wraps around (an integer underflow), and the resulting 'negative'
large value is passed directly into the StartRead function.
StartRead, among other things, uses the size value in a call to
_memcpy, which copies the available file data past the end of the
buffer, overwriting heap memory.
The result of exploitation is that heap memory is overflowed.
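The check ordering described above, as an added illustration that is not code from the advisory or from SQL Server: the pre-patch path bounds-checks the size field and only then subtracts the header, so a size of 0..7 wraps to a huge unsigned length, while the hardened path rejects any chunk smaller than its own header before subtracting. The little-endian encoding, the helper names and the sample bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#define CHUNK_HDR 8u   /* nametag (4) + size (4), as in the advisory */
/* Little-endian 32-bit read (byte order is an assumption, not from the page). */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Length the reader would copy for the chunk at buf, given 'remaining' bytes
 * left in the buffer; -1 if the chunk is rejected.  hardened=0 mirrors the
 * order the advisory describes (bounds check, then subtract the header), so a
 * size of 0..7 wraps; hardened=1 adds the missing minimum-size check first. */
static int64_t chunk_payload_len(const uint8_t *buf, size_t remaining, int hardened)
{
    if (remaining < CHUNK_HDR) return -1;           /* truncated header */
    uint32_t size = rd32le(buf + 4);
    if (size > remaining) return -1;                /* the check that does exist */
    if (hardened && size < CHUNK_HDR) return -1;    /* the check that was missing */
    uint32_t payload = size - CHUNK_HDR;            /* unsigned wrap when size < 8 */
    return (int64_t)payload;
}
/* Walk the chunks by their size field, as the parser does.  Returns the chunk
 * count, -1 if a chunk was rejected, or -2 if the computed payload exceeds what
 * is left: the point where the pre-patch code hands the wrapped length to memcpy. */
static int count_chunks(const uint8_t *buf, size_t len, int hardened)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        int64_t payload = chunk_payload_len(buf + off, len - off, hardened);
        if (payload < 0) return -1;
        if ((uint64_t)payload > len - off - CHUNK_HDR) return -2;
        off += CHUNK_HDR + (size_t)payload;
        n++;
    }
    return n;
}
/* Constructed sample files (not real backup data): two well-formed chunks, and
 * the same first chunk followed by one whose size field (4) is below 8. */
static const uint8_t good_file[] = {
    'S','C','I','N', 12,0,0,0, 0xAA,0xBB,0xCC,0xDD,   /* 8 header + 4 payload */
    'S','F','G','I',  8,0,0,0 };                      /* header-only chunk  */
static const uint8_t bad_file[] = {
    'S','C','I','N', 12,0,0,0, 0xAA,0xBB,0xCC,0xDD,
    'M','Q','C','I',  4,0,0,0 };                      /* size 4 < 8: wraps */
```

Running count_chunks over bad_file with hardened=0 stops at -2, the state in which the real parser would have called memcpy with a wrapped length; with hardened=1 the malformed chunk is rejected before any length is computed.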
We have had successful exploitable 'exceptions' in the following
places:
SQL Server appears to use its own dynamic heap management, which
makes exploitation different from a standard heap overflow. Using
custom heap management routines means that the standard heap
protection mechanisms are not in place.
Solution
Microsoft have released a security update to address this issue:
http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx
Legals
The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.