
Category: MS SQL Server

Advisory: Privilege Escalation Via Internal SQL Injection In RESTORE DATABASE Command

Posted April 11, 2012 by Alex Rothacker in MS SQL Server, Security Advisory, Team Shatter Exclusive with 0 comments

AppSecInc Team SHATTER Security Advisory
Risk Level: Medium
Affected versions: Microsoft SQL Server 2005, 2008, 2008 R2
Remote exploitable: Yes
Credits: This vulnerability was discovered and researched by Martin Rakhmanov of Application Security Inc.
Details: The RESTORE DATABASE command is prone to internal SQL injection, allowing malicious users to run SQL code with the highest privileges. To exploit this vulnerability an attacker must possess the CREATE DATABASE privilege in order to create and restore a database.
Impact: Users having CREATE DATABASE permission can…


Buffer Overflow in UDP broadcasts for Microsoft SQL Server client utilities

Buffer Overflow in UDP broadcasts for Microsoft SQL Server client utilities
August 21, 2003
To determine if you should apply this patch, download AppDetective™ for Microsoft SQL Server from http://www.appsecinc.com/products/appdetective/mssql/
Risk Level: High
Summary: A Unicode buffer overflow exists in the SQL Server SQL-DMO library that could allow a remote user to execute malicious code on the target computer. The vulnerability does not occur when accepting incoming connections, but rather in the response to broadcast queries.
Details: One of the features…



Slammer/Sapphire Worm Analysis

Slammer/Sapphire Worm Analysis
January 25, 2003
Risk Level: High
Summary: A worm is currently attacking unpatched SQL Server 2000 installations over the Internet. Microsoft SQL Server supports many different network libraries and provides the capability to listen on multiple connection points. These connection points are often assigned by SQL Server dynamically. In order for a client to determine which connection points are available, SQL Server provides a resolution service. This resolution service listens for requests on UDP port 1434. The…


Multiple buffer overflows in DBCC and SQL Injections

Multiple buffer overflows in DBCC and SQL Injections
July 26, 2002
Credit: This vulnerability was researched and discovered by Cesar Cerrudo (sqlsec@yahoo.com).
Risk Level: Varying from High to Low
Summary: Several buffer overflows in the DBCC built-in function and several SQL Injection vulnerabilities have been discovered in Microsoft SQL Server. Three of the buffer overflows are for DBCC calls that can be executed by all valid logins on the server. One of the SQL Injection vulnerabilities can be executed by…


BULK INSERT buffer overflow

Team SHATTER Security Alert
BULK INSERT buffer overflow
July 11, 2002
Risk Level: Low
Summary: The built-in function BULK INSERT contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of BULK INSERT does not properly handle a long string.
Details: Microsoft SQL Server provides a built-in function called BULK INSERT which allows data to be uploaded from a file directly to…


Encoded password written by service pack

Encoded password written by service pack
July 10, 2002
Risk level: Medium
Summary: When installing Microsoft SQL Server 2000 or installing a service pack for Microsoft SQL Server 7.0 or 2000, an encoded version of the password used is written to the file setup.iss. This file's default permissions allow any user able to log on interactively to the operating system to read the file and discover the password.
Details: During the installation process of Microsoft SQL Server 7.0 or 2000, a…


Microsoft SQL Server: Spida Worm

Posted January 10, 2002 by egonzales in Database Vendor, MS SQL Server, MS SQL Server, Security Advisory with 0 comments

Team SHATTER Security Alert
Microsoft SQL Server: Spida Worm
Risk level: High
Summary: A worm has been found in the wild attacking all versions of Microsoft SQL Server on port 1433. The Spida worm is a self-propagating attack program that discovers SQL Server on the default port 1433. Once found, it attempts to connect as sa with a blank password. If successful, it takes control of the machine, collects sensitive information on the local server, and attempts to propagate…
