Martin Rakhmanoff wrote this article to better document the process of finding and exploiting buffer overrun bugs. The sample code provided was written for Microsoft SQL Server 2000 Enterprise Edition (English), version 8.00.665 (Service Pack 2 plus patch 667, released 14 August 2002). The author assumes that SQL Server runs as a service.
The undocumented command DBCC SHOWTABLEAFFINITY('table') contains an exploitable buffer overrun. Affected software includes Microsoft SQL Server 2000 up to and including version 8.00.665 and all versions of Microsoft SQL Server 7. To exploit the issue an attacker must be able to log in to SQL Server and issue T-SQL commands against the RDBMS. When DBCC SHOWTABLEAFFINITY is called with a parameter of 1809 characters (1917 for SQL Server 7), the MSSQLSERVER service crashes and, if the exploit is carefully crafted, the attacker's code runs in the context of the account used to start the SQL Server service.

After the crash the SQL Server error logs contain no record of the failure; the only trace is a Windows Event Log entry reporting the unexpected termination of the MSSQLSERVER service.

Because of the SQL Server security architecture, server administrators cannot selectively set permissions on DBCC commands, so there is no way to prevent users from calling this one. At the same time, some DBCC commands are protected from being called by ordinary database users.
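As an added example, not part of Rakhmanoff's paper or the sample code it provides, the following Python triage script turns the two operational facts above into checks a defender can run offline: it classifies a SQL Server build string (as returned by SERVERPROPERTY('ProductVersion') on SQL Server 2000, or parsed out of @@VERSION) against the affected range the text states, and it scans exported System event log lines for the Service Control Manager event that records an unexpected MSSQLSERVER stop, since the page notes the SQL Server error log itself stays silent. Assumptions: builds newer than 8.00.665 are treated as fixed because the page names that as the upper bound; event ID 7034 and its "terminated unexpectedly" wording are the standard SCM event; the tab-separated export layout and the log lines themselves are constructed samples, not captures from the paper.

```python
"""Triage helpers for the DBCC SHOWTABLEAFFINITY overrun (added example, not the paper's code)."""
import re

# From the page: all SQL Server 7 builds are affected, and SQL Server 2000 up to
# and including 8.00.665. Later 2000 builds are assumed patched (assumption, not
# something the page states explicitly).
LAST_AFFECTED_2000 = (8, 0, 665)


def parse_build(version: str) -> tuple:
    """Turn 'major.minor.build' (e.g. '8.00.665') into a comparable int tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if this build falls in the range the page lists as vulnerable."""
    major, minor, build = parse_build(version)
    if major == 7:                      # every SQL Server 7 release
        return True
    if major == 8:                      # SQL Server 2000 up to SP2 + patch 667
        return (major, minor, build) <= LAST_AFFECTED_2000
    return False                        # other products/versions: out of scope here


# Service Control Manager event for a service that died without a stop request.
# (Standard Windows event ID; the page only says the Event Log records the
# unexpected termination, it does not name the ID.)
SCM_UNEXPECTED_STOP = 7034

# Assumed export format: timestamp <TAB> source <TAB> event id <TAB> message
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+)\t(?P<src>[^\t]+)\t(?P<id>\d+)\t(?P<msg>.*)$")

# Matches the default instance (MSSQLSERVER) and named instances (MSSQL$NAME).
MSSQL_SERVICE_RE = re.compile(r"\bMSSQLSERVER\b|MSSQL\$\w+")


def find_mssql_crashes(lines) -> list:
    """Return (timestamp, message) for each SCM 7034 event naming a SQL Server service."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or int(m["id"]) != SCM_UNEXPECTED_STOP:
            continue
        if "Service Control Manager" not in m["src"]:
            continue
        if MSSQL_SERVICE_RE.search(m["msg"]):
            hits.append((m["ts"], m["msg"]))
    return hits


# Constructed sample of a System log export: one real hit, one unrelated crash,
# and the service restart events that usually follow.
SAMPLE_SYSTEM_LOG = (
    "2002-08-20 14:02:11\tService Control Manager\t7034\t"
    "The MSSQLSERVER service terminated unexpectedly.  It has done this 1 time(s).\n"
    "2002-08-20 14:02:12\tService Control Manager\t7035\t"
    "The MSSQLSERVER service was successfully sent a start control.\n"
    "2002-08-20 14:02:13\tService Control Manager\t7036\t"
    "The MSSQLSERVER service entered the running state.\n"
    "2002-08-20 15:10:40\tService Control Manager\t7034\t"
    "The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).\n"
)


if __name__ == "__main__":
    for v in ("7.00.1063", "8.00.665", "8.00.760"):
        print(v, "affected" if is_affected(v) else "not in the affected range")
    for ts, msg in find_mssql_crashes(SAMPLE_SYSTEM_LOG.splitlines()):
        print("possible SQL Server crash at", ts, "->", msg)
```

A 7034 hit on its own only says the service died; correlate the timestamp with the last statements in the SQL Server error log (which the page says will not mention the failure) and with the login that was connected at the time to tell an exploit attempt from an unrelated crash.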
Download the paper in PDF format here.