Software Engineering Institute

Notified:  January 09, 2003 Updated: March 13, 2003

Status

Affected

Vendor Statement

Vulnerability Note VU#247545
Buffer overflow vulnerability in Protegrity Secure.Data for Microsoft SQL Server

Overview

Protegrity Secure.Data for Microsoft SQL Server 2000 exposes a buffer overflow vulnerability in the Microsoft SQL extended stored procedures xp_pty_checkusers, xp_pty_insert, and xp_pty_select.

I. Description

Here's an example of a possible buffer overflow situation in which Secure.Data for Microsoft SQL Server 2000 could be vulnerable:

DECLARE @test varchar(8000)
SET @test = (SELECT replicate('x',1926))
execute master.dbo.xp_pty_checkusers 'as', @test

DECLARE @test varchar(8000)
SET @test = (SELECT replicate('x',850))
execute master.dbo.xp_pty_insert @test, @test, @test

DECLARE @test varchar(8000)
SET @test = (SELECT replicate('x',850))
execute master.dbo.xp_pty_select @test, @test, @test
II. Impact

A non-privileged user can gain administrative access to the database and cause a denial of service attack.

III. Solution

1. The following Secure.Data for SQL Server 2000 releases are affected by this vulnerability.
   
   

   Secure.Data version 2.2.2.0 for SQL Server 2000
   Secure.Data version 2.2.3.0 for SQL Server 2000

2. A patch release is now available for the above mentioned releases. All Protegrity customers having one or both of these releases will automatically receive the patch from our Global Support Team along with installation instructions. Following are the installation instructions for applying the patch to Secure.Data version 2.2.3.0 for SQL Server 2000.

    Purpose
   
   This patch release is for Secure.Data Server version 2.2.3.0 for SQL Server 2000. The patch includes a new protegrity.dll file which fixes a buffer overflow vulnerability in the extended store procedures xp_pty_checkusers, xp_pty_insert, and xp_pty_select. (TD4182)

    How to check if this patch should be installed
   
   This patch should be installed if the version number of the existing protegrity.dll is less than 2.2.3.9. Follow these simple steps to check the version number of the existing protegrity.dll file.

   1. Locate the file protegrity.dll. In a default installation the file is found in C:\Program Files\Protegrity\Secure.Data Server\Cartridge\Lib.
   2. Right click on the file and choose Properties.
   3. Click on the version tab.
   4. If the file has a version less than 2.2.3.9 this patch must be applied. (i.e if the last digit is less than 9.)

    How to install the patch
   
   To install the patch the new protegrity.dll must replace the old one:
   

   1. Shut down the Protegrity Secure.Data Server from the Control Panel.
   2. Shut down the SQL Server.
   3. Replace the old protegrity.dll by copying the new file to the same location as the old. In a default installation the file is found in C:\Program Files\Protegrity\Secure.Data Server\Cartridge\Lib.
   4. Start the SQL Server.
   5. Start the Protegrity Secure.Data Server.


3. Any customers that purchase Protegrity Secure.Data for SQL Server 2000 after 2/21/2003 will not be affected by this vulnerability, as the patch has already been included in a new service release, Secure.Data version 2.2.3.1 for SQL Server 2000.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.