Microsoft SQLXML ISAPI Remote Buffer Overflow Vulnerability (MS02-030)

Vulnerability ID: 1106783
Vulnerability type: Boundary condition error
Published: 2002-06-12
Updated: 2006-09-01
CVE ID: CVE-2002-0186
CNNVD ID: CNNVD-200207-017
Platform: Windows
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/21540
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200207-017
|Vulnerability details
The SQLXML ISAPI extension lets an IIS server accept XML data from, or return XML data to, a SQL Server, so that query results are returned in XML format. The SQLXML ISAPI implementation contains a buffer overflow vulnerability; a remote attacker could exploit it to execute arbitrary instructions on the host with SYSTEM privileges. When a SQL query is issued through SQLXML's "sql=" syntax, the user may specify several parameters that shape the returned XML output; one of them is content-type. If an overly long content-type value is submitted to IIS, the server process may crash, and carefully constructed data could allow a remote attacker to execute arbitrary instructions on the host with the privileges of the SYSTEM process. A normal request (in this case, a direct sql= query) looks like this:

IIS-server/demos?sql=select+*+from+Customers+as+Customer+FOR+XML+auto&root=root&xsl=custtable.xsl&contenttype=text/html

If the content-type value is longer than 240 characters, inetinfo.exe may crash.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/5004/info

SQLXML is a component of SQL Server 2000, which enables SQL servers to receive and send database queries via XML (Extensible Markup Language) format. Such queries can be sent using various methods of communication, one of which is via HTTP. SQLXML HTTP components reside in a virtual directory on a web server and are not enabled by default; SQLXML ISAPI extensions run with LocalSystem privileges.

A buffer overflow issue has been discovered in the SQLXML ISAPI extension that handles data queries over HTTP (SQLXML HTTP).

It is possible for a user to initiate the overflow by connecting to a host and submitting malformed data.

This issue has been reported to exist in SQL Server 2000 Gold; other versions may be vulnerable as well.

IIS-Server/Nwind/Template/catalog.xml?contenttype=text/AAAA...AAA

This uses a 'template' file instead of a direct query to cause inetinfo.exe to crash.
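Both the details section above and the SecurityFocus text describe the same trigger: a `contenttype` value longer than 240 characters sent to the SQLXML ISAPI extension, either via a direct `sql=` query or via a template file. The following is an added detection example, not code from the advisory or from any of the cited sources. It parses constructed IIS W3C log lines, decodes the `cs-uri-query` field, and flags requests whose `contenttype` parameter exceeds the 240-character limit stated on the page. The log format, the sample lines and the case-insensitive parameter match are assumptions made for this example.

```python
"""Flag over-long SQLXML 'contenttype' values in IIS W3C log lines (added example)."""
from urllib.parse import parse_qs

# Threshold taken from the advisory text: values longer than 240 characters crash inetinfo.exe.
CONTENTTYPE_LIMIT = 240

# Constructed sample log in IIS W3C format (assumed field order, not real traffic).
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2002-06-13 10:01:02 192.0.2.10 GET /demos "
    "sql=select+*+from+Customers+FOR+XML+auto&root=root&contenttype=text/html 200\n"
    "2002-06-13 10:01:05 192.0.2.11 GET /Nwind/Template/catalog.xml "
    "contenttype=text/" + "A" * 300 + " 500\n"
    "2002-06-13 10:01:09 192.0.2.12 GET /index.htm - 200\n"
)


def parse_iis_line(line):
    """Split one W3C log line into a dict; return None for directives or blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != 7:  # assumed seven-field layout, see #Fields above
        return None
    date, time, c_ip, method, stem, query, status = parts
    return {
        "date": date, "time": time, "c_ip": c_ip, "method": method,
        "stem": stem, "query": "" if query == "-" else query, "status": status,
    }


def contenttype_length(query):
    """Return the decoded length of the longest 'contenttype' value, or 0 if absent."""
    params = parse_qs(query, keep_blank_values=True)
    # Assumption: the ISAPI extension matches the parameter name case-insensitively.
    values = [v for k, vs in params.items() if k.lower() == "contenttype" for v in vs]
    return max((len(v) for v in values), default=0)


def is_oversized_contenttype(query):
    """True when the query carries a contenttype value longer than the advisory's limit."""
    return contenttype_length(query) > CONTENTTYPE_LIMIT


def scan_log(text):
    """Return (client ip, uri stem, contenttype length, status) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        length = contenttype_length(rec["query"])
        if length > CONTENTTYPE_LIMIT:
            findings.append((rec["c_ip"], rec["stem"], length, rec["status"]))
    return findings


if __name__ == "__main__":
    for ip, stem, length, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem} contenttype length={length} status={status}")
```

Pairing an over-long `contenttype` value with a 5xx status on a SQLXML virtual directory is a reasonable indicator that the crash described above was triggered; the length check alone already catches the malformed request before the status is known.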
|References

Source: US-CERT Vulnerability Note: VU#811371
Name: VU#811371
Link: http://www.kb.cert.org/vuls/id/811371
Source: MS
Name: MS02-030
Link: http://www.microsoft.com/technet/security/bulletin/ms02-030.asp
Source: VULNWATCH
Name: 20020613 [VulnWatch] wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Link: http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0100.html
Source: BID
Name: 5004
Link: http://www.securityfocus.com/bid/5004
Source: OSVDB
Name: 5347
Link: http://www.osvdb.org/5347
Source: XF
Name: mssql-sqlxml-isapi-bo(9328)
Link: http://www.iss.net/security_center/static/9328.php
Source: BUGTRAQ
Name: 20020613 wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=102397345410856&w=2
Source: US Government Resource: oval:org.mitre.oval:def:489
Name: oval:org.mitre.oval:def:489
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:489
Source: US Government Resource: oval:org.mitre.oval:def:484
Name: oval:org.mitre.oval:def:484
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval