Insomnia Security Vulnerability Advisory: ISVA-080709.1

__________________________________________________________________

 Insomnia Security Vulnerability Advisory: ISVA-080709.1
___________________________________________________________________

 Name: Microsoft SQL Server - Corrupt Backup File Heap Overflow
 Released: 09 July 2008
  
 Vendor Link: 
    http://www.microsoft.com/sql/default.mspx
  
 Affected Products:
    MS SQL Server 2005, possibly previous versions
 
 Original Advisory: 
    http://www.insomniasec.com/advisories/ISVA-080709.1.htm
 
 Researcher: 
    Brett Moore, Insomnia Security
    http://www.insomniasec.com
___________________________________________________________________

_______________

 Description
_______________

Microsoft SQL Server contains a buffer overflow that can be reached
by causing the server to attempt a database restore from a corrupt
backup file.

This can be triggered by a user with PUBLIC access through the 
RESTORE TSQL statement, available through the console as well as
through a vulnerable SQL statement on a web server (sql injection) 

By default the service runs under the NETWORK SERVICE account but
has the ability to impersonate through tokens, and therefore
can gain full LOCAL SYSTEM account access.

_______________

 Details
_______________

The following TSQL statement can be called by any user with PUBLIC
access.

	RESTORE FILELISTONLY FROM DISK = 'path to file'

By hosting a corrupt SQL database backup on a remote file share
it is possible to force the target server to open the file, parse
it, and corrupt the internal heap.

Obviously the target SQL server must have egress availability to 
connect out through SMB or webdav functionality.

The SQL backup format consists of multiple chunks of data which 
follow a basic structure of
  
  struct backupChunk {
        unsigned long nametag;
        unsigned long size;
   }

The nametag describes the type of tag (ex.SCIN, SFGI, MQCI, etc).
The size corresponds to the size of the complete chunk size which 
includes the 8byte chunk header.

The parsing function goes through  file using the backupChunk->size 
field to point to the next valid chunk.

-------------------------------------------------------------------
022E5FE2 PUSH EAX
022E5FE3 MOV EAX, [ESP+18h]
022E5FE7 PUSH EAX
022E5FE8 PUSH ESI
022E5FE9 CALL EDX ;<- This loads the 8byte header of the block
022E5FEB PUSH EBX
022E5FEC MOV ECX,ESI
-------------------------------------------------------------------

If the size field is larger than the current buffer, a check 
prevents the application from overflowing.

-------------------------------------------------------------------
Size Check
022E6063 MOV EAX,DWORD PTR DS:[EDX+4]  ;<- Load Size	
022E6066 MOV ECX,DWORD PTR SS:[ESP+14] ;<- Load Buffer Size
022E606A SUB ECX,EAX
022E606C JS SHORT sqlservr.022E6076
022E606E CMP EAX,DWORD PTR DS:[EBX+C8] ;<- Compare against 0x2000
022E6074 JBE SHORT sqlservr.022E60DC   ;<- Jump to continuation
-------------------------------------------------------------------

After this size comparison, the size is adjusted to subtract the
size of the 8byte structure header.

-------------------------------------------------------------------
The size decrease
022E60DC MOV ECX,DWORD PTR SS:[ESP+10]
022E60E0 MOV EDI,DWORD PTR DS:[ECX+4]
022E60E3 SUB EDI,8                    ; <- Subtract 8 bytes
022E60E6 CMP DWORD PTR DS:[EBX+40],0
022E60EA JA SHORT sqlservr.022E6107
-------------------------------------------------------------------

If the structure size was a value between 0 and 7 then an Integer 
Underflow/Overflow/Wraparound/Whatever will occur, and the 
'negative' large value is passed directly into the StartRead
function.

-------------------------------------------------------------------
The write
022E6115 MOV EDX,DWORD PTR DS:[EDX+60]
022E6118 PUSH EDI                ; <- Push the new 'negative' size
022E6119 PUSH EAX
022E611A MOV EAX,DWORD PTR SS:[ESP+18]
022E611E ADD EAX,8
022E6121 PUSH EAX
022E6122 PUSH ESI
022E6123 CALL EDX                ;  call StartRead
022E6125 PUSH EBX
-------------------------------------------------------------------

StartRead, among other things, uses the size value in a call to 
_memcpy, that will read the available data from the file 
overflowing the buffer and overwriting heap memory.

-------------------------------------------------------------------
022D44BC MOV EBX,[EBP+arg_4]
022D44BF PUSH ESI              ; <- The 'negative' size
022D44C0 PUSH EAX              ; void *
022D44C1 PUSH EBX              ; void *
022D44C2 CALL _MEMCPY          ; <- Call to memcpy
-------------------------------------------------------------------

The result of exploitation is that heap memory is overflowed. 

We have had successful exploitable 'exceptions' in the following 
places;

-------------------------------------------------------------------
A 'write 4'
0116D35A JE sqlservr.011C6BCE
0116D360 MOV EAX,DWORD PTR DS:[EAX+C]
0116D363 MOV ECX,DWORD PTR SS:[EBP-10]
0116D366 MOV EDX,DWORD PTR DS:[ECX+C0]
0116D36C MOV DWORD PTR DS:[EDX],EAX   ; <- Control of EDX and EAX
-------------------------------------------------------------------

-------------------------------------------------------------------
Function Call
014AEA5F MOV EAX,DWORD PTR DS:[EDX+C] ; <- Control EDX
014AEA62 CALL EAX
014AEA64 TEST EAX,EAX
014AEA66 JE SHORT sqlservr.014AEA70
-------------------------------------------------------------------

-------------------------------------------------------------------
Function Call
011F9D08 MOV EAX,DWORD PTR DS:[EDX+58] ; <- Control EDX
011F9D0B CALL EAX
011F9D0D MOV ECX,DWORD PTR DS:[ESI+10]
-------------------------------------------------------------------

SQL server appears to use its own dynamic heap management, which 
makes exploitation different from a standard heap overflow. Using
a custom heap management routines means that the standard heap
protections mechanisms are not in place. 

_______________

 Solution
_______________

Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx

_______________

 Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________
 
 Insomnia Security Vulnerability Advisory: ISVA-080709.1
___________________________________________________________________