• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Product Search

Remote buffer overflow in DCOM VB T-SQL debugger
BV-014
Published: 2001-03-27 00:00:00
Updated: 2001-03-30 00:00:00

BindView Security Advisory
--------

Remote buffer overflow in DCOM VB T-SQL debugger
Issue Date:  March 27, 2001
Contact:  tsabin@razor.bindview.com

Topic:
Remote buffer overflow in DCOM VB T-SQL debugger

Overview:
Microsoft Developer Studio version 6 installs a world-launchable DCOM
object, known as the VB T-SQL Debugger, which contains an exploitable
buffer overflow.

Affected Systems:
Windows NT and Windows 2000 systems with Microsoft Developer Studio 6

Impact:
Remote attackers without credentials can run arbitrary code on the
target with the credentials of the user currently logged in at the
target.

Details:

Microsoft Developer Studio installs a variety of DCOM components.  One
in particular is the "VB T-SQL Debugger Object".  It is installed to
run as "Interactive User", which means that when it is launched, it
runs with the credentials of the currently logged on user.  It also
allows Everyone to start and access it remotely.

The purpose of this DCOM object is not documented, nor are any of the
methods that it supports.  However, by examining the type library that
it includes, the methods and their parameters can be examined.  One of
the methods the VB T-SQL debugger provides is the NewSPID method,
which looks like this:

HRESULT NewSPID([in] long spid,
                [in] long pid,
                [in] BSTR lpctstrDbName,
                [in] short cbName,
                [out, retval] short* nReturn);

The purpose of this call is apparently to create a new stored
procedure id in the given database, but that's just conjecture.
Anyway, this method contains a classic buffer overflow, due to an
unchecked call to sprintf using the passed in lpctstrDbName.  Passing
in a dbname over approximately 128 characters in length will overwrite
the stack frame.  From that point, it's relatively easy to return to
an address that will call into the exploit code on the stack.  Just
find a "call esp" somewhere in the address space, and return there.

Workarounds:

Remove the Everyone:Launch and Everyone:Access permissions from the VB
T-SQL Appid key under HKCR\Appid.  Restrict the permissions to SYSTEM
and Admins only.

Recommendations:

Determine whether the VB T-SQL Debugger Object is installed on your
systems.  To do this, run dcomcnfg and look for it in the list of
applications.  Alternatively, look for the registry key
HKCR\Appid\{124765aa-7866-11cf-bf3b-00a0d10003fa}.  If it exists
either remove it, or restrict the launch and access permissions
specified there.

Install the hotfix from Microsoft.

References:

Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-018.asp

Microsoft's Hotfix:
http://msdn.microsoft.com/vstudio/downloads/debugging/default.asp

Microsoft's Knowledge Base article:
http://www.microsoft.com/technet/support/kb.asp?ID=281297
(may take a couple days to appear)


CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2001-0153 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.