Title: SQL Server Text Formatting Functions Contain unchecked Buffers
Date: 20 December 2001
Software: Microsoft SQL Server 7.0 and Microsoft SQL Server 2000
Impact: Run code of attacker's choice on server, denial of service
Max Risk: Moderate
SQL Server 7.0 and 2000 provide a number of functions that enable
database queries to generate text messages. In some cases, the functions create a text message and store it in a variable; in others, the functions directly display the message. Two vulnerabilities associated with these functions have been discovered.
The first vulnerability results because of a flaw in the functions themselves. Several of the functions don't adequately verify that the requested text will fit into the buffer that's supplied to hold it. A buffer overrun could occur as a result, and could be used either to
run code in the security context of the SQL Server service or to cause the SQL Server service to fail. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in.