
Patch Analysis of MS11-002 – CVE-2011-0026

As per the MS bulletin, a buffer overflow exists in the Data Source Name (DSN) argument of an Open Database Connectivity (ODBC) API that may be used by third-party applications. This vulnerability could allow code execution if a user visited a specially crafted Web page. I decided to investigate how the vulnerability has been fixed. This study gave us a better understanding of the vulnerability, which in turn led to the development of better quality signatures for our customers. I took a vulnerable Windows XP Service Pack 3 machine and applied the patch issued by Microsoft. When the system is patched, many DLLs are changed. The advisory was related to the Microsoft Data Access Components, so the obvious choice was to investigate odbc32.dll.

As mentioned in the advisory, the DSN is the malicious input used to exploit the buffer overflow vulnerability. Since the function SQLConnectW takes the Data Source Name (DSN) as an input, amongst all the changed functions SQLConnectW became the obvious choice for investigation.

While comparing the patched and unpatched versions of the DLL, I observed that the function ValidateNullterminatedStringW had been added to restrict the length of the DSN. As shown in the code, the function makes a call to StringCchLengthW, which performs a length check on the DSN, thus preventing the exploitation of the buffer overflow later in the code. Based on this analysis we are now able to determine how the function is exploited and use this information to protect clients.

Acknowledgement

I would like to express my gratitude and thanks to Johnathan for his feedback.
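To make the shape of the fix concrete, here is an added illustration (not the odbc32.dll code, and not Alert Logic's) of a connect path that validates the DSN before copying it into a fixed buffer. The validation helper is a portable stand-in for the StringCchLengthW contract; the 32-character bound is an assumption taken from ODBC's documented SQL_MAX_DSN_LENGTH, since the post does not state the limit the patch enforces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed bound: ODBC's SQL_MAX_DSN_LENGTH (32 characters, sqlext.h). */
#define DSN_MAX_CCH 32

/* Portable stand-in for the StringCchLengthW contract used by the patch:
   succeed only if a NUL terminator lies within cch_max characters and
   report the length; an unterminated or overlong string is rejected. */
static bool validate_nullterminated_string_w(const wchar_t *s, size_t cch_max,
                                             size_t *out_len)
{
    if (s == NULL)
        return false;
    for (size_t i = 0; i < cch_max; i++) {
        if (s[i] == L'\0') {
            *out_len = i;
            return true;
        }
    }
    return false; /* no terminator before the bound: do not touch it */
}

/* Patched-style connect path: the DSN reaches the fixed buffer only after
   the length check. Returns 0 when accepted, -1 when the DSN is rejected. */
int connect_with_dsn(const wchar_t *dsn)
{
    wchar_t dsn_copy[DSN_MAX_CCH + 1];
    size_t len;

    /* Scan at most DSN_MAX_CCH + 1 characters, the longest accepted input
       (DSN_MAX_CCH characters plus the terminator). */
    if (!validate_nullterminated_string_w(dsn, DSN_MAX_CCH + 1, &len))
        return -1;
    wmemcpy(dsn_copy, dsn, len + 1); /* bounded: len <= DSN_MAX_CCH */
    printf("connecting to DSN \"%ls\" (%zu chars)\n", dsn_copy, len);
    return 0;
}

/* Constructed sample: a 40-character DSN buffer with no terminator at all. */
int connect_with_unterminated_dsn(void)
{
    wchar_t raw[40];
    wmemset(raw, L'A', 40);
    return connect_with_dsn(raw);
}

int main(void)
{
    connect_with_dsn(L"SalesDB");                                      /* accepted */
    connect_with_dsn(L"ThisDataSourceNameIsLongerThanThirtyTwoChars"); /* rejected */
    connect_with_unterminated_dsn();                                   /* rejected */
    return 0;
}
```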

Stephen Coty
About the Author

Stephen Coty originally joined Alert Logic as the head of the Threat Research team, where he led the effort to build threat content and deliver threat intelligence. He later became the Chief Security Evangelist for the company. Prior to joining Alert Logic, Coty was the Manager of Cyber Security for Rackspace Hosting, and has held IT positions at multiple companies, including Wells Fargo Bank, Applied Materials, Stanford Medical Center and The Netigy Corporation. He has been in the Information Technology field since 1993. Research has been his primary focus since 2007.
