DBCC SHOWTABLEAFFINITY buffer overrun
by Martin Rakhmanoff - Tuesday, 22 October 2002.
Martin Rakhmanoff wrote this article to better document the process of finding and exploiting buffer overrun bugs. The sample code provided is written for Microsoft SQL Server 2000 Enterprise Edition (English), version 8.00.665 (Service Pack 2 plus patch 667 released 14 August 2002). The author assumes that SQL Server runs as a service.

The undocumented command DBCC SHOWTABLEAFFINITY('table') contains an exploitable buffer overrun. Vulnerable software includes Microsoft SQL Server 2000 up to and including version 8.00.665 and all versions of Microsoft SQL Server 7. To exploit this issue, one must be able to log in to SQL Server and issue T-SQL commands against the RDBMS. When DBCC SHOWTABLEAFFINITY is called with a parameter 1809 characters long (1917 for SQL Server 7), the MSSQLSERVER service crashes and, if the exploit is carefully crafted, the attacker's code is executed in the context of the account used to start the SQL Server service. After the crash, the SQL Server error logs contain no record of the failure; the Windows Event Log contains an entry about the unexpected termination of the MSSQLSERVER service. Because of the SQL Server architecture, server administrators cannot selectively set permissions on DBCC commands, so it is not possible to prevent users from calling this command. At the same time, some DBCC commands are protected from being called by ordinary database users.
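Since permissions cannot block the command and the SQL Server error log records nothing, a defender has to look for it in captured statements. The following is an added example, not code from the paper: it flags any call to DBCC SHOWTABLEAFFINITY in a statement capture and checks a build string against the affected range given above. The `(login, text)` capture format, the sample rows and the 128-character alert threshold (the SQL Server identifier limit) are assumptions.

```python
import re

# Case-insensitive like T-SQL; captures the quoted argument ('' is an escaped quote).
# Does not handle comments embedded inside the command name.
DBCC_RE = re.compile(
    r"dbcc\s+showtableaffinity\s*\(\s*N?'((?:[^']|'')*)'?", re.IGNORECASE
)

# Assumed alert threshold: a single SQL Server identifier is at most 128 characters.
MAX_IDENTIFIER = 128


def parse_build(version):
    """Turn a build string such as '8.00.665' into (8, 0, 665)."""
    return tuple(int(part) for part in version.split(".")[:3])


def build_in_affected_range(version):
    """Range as stated in the article: all SQL Server 7, and 2000 up to 8.00.665."""
    major, minor, build = parse_build(version)
    if major == 7:
        return True
    return major == 8 and (minor, build) <= (0, 665)


def scan_statements(statements):
    """Return one finding per captured statement that calls DBCC SHOWTABLEAFFINITY."""
    findings = []
    for login, text in statements:
        match = DBCC_RE.search(text)
        if not match:
            continue
        arg_len = len(match.group(1))
        # Any use of an undocumented DBCC command deserves review;
        # an argument longer than any valid identifier is escalated.
        severity = "high" if arg_len > MAX_IDENTIFIER else "review"
        findings.append({"login": login, "arg_len": arg_len, "severity": severity})
    return findings


# Constructed sample capture (hypothetical logins, filler argument).
SAMPLE = [
    ("app_user", "SELECT name FROM sysobjects WHERE xtype = 'U'"),
    ("report_user", "dbcc showtableaffinity ('orders')"),
    ("web_login", "DBCC SHOWTABLEAFFINITY('" + "x" * 600 + "')"),
]

if __name__ == "__main__":
    for finding in scan_statements(SAMPLE):
        print(finding)
    print(build_in_affected_range("8.00.665"))
```

Pair a "high" finding with the Windows Event Log entry for unexpected MSSQLSERVER termination, since that is the only crash record the article says will exist.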

Download the paper in PDF format here.
