Patch Analysis of MS11-002 - CVE-2011-0026

As per the MS bulletin, a buffer overflow exists in the Data Source Name (DSN) argument of an Open Database Connectivity (ODBC) API that may be used by third-party applications. This vulnerability could allow code execution if a user visited a specially crafted Web page. I decided to investigate how the vulnerability was fixed. This study gave us a better understanding of the vulnerability, which in turn led to better quality signatures for our customers. I took a vulnerable Windows XP Service Pack 3 machine and applied the patch issued by Microsoft. When the system is patched, many DLLs are changed. The advisory concerned the Microsoft Data Access Components, so the obvious choice was to investigate odbc32.dll.

As mentioned in the advisory, the DSN is what carries the malicious input that triggers the buffer overflow. Since SQLConnectW takes the Data Source Name (DSN) as an input, among all the changed functions SQLConnectW was the obvious choice for investigation.

While comparing the patched and unpatched versions of the DLL, I observed that a new function, ValidateNullterminatedStringW, had been added to restrict the length of the DSN. As shown in the code above, this function calls StringCchLengthW, which performs a bounded length check on the DSN and thereby prevents the buffer overflow later in the code from being reached. Based on this analysis we are now able to determine how the function is exploited and use this information to protect clients.

Acknowledgement

I would like to express my gratitude and thanks to Johnathan for his feedback.
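To make the nature of the fix concrete, here is an added example (my own illustration, not code from odbc32.dll or from the Microsoft patch) of the pattern the analysis describes: a length check with StringCchLengthW semantics placed in front of a copy into a fixed-size buffer. Because StringCchLengthW lives in the Windows-only strsafe.h, the block uses a portable stand-in, validate_null_terminated_w, that reproduces its contract (succeed only if a NUL terminator is found within the first cch_max characters, never read beyond that window). The DSN_MAX_CCH limit, the connect_with_dsn function and the sample DSN values are all constructed for this example; the real limit used by the patched DLL is not stated in the write-up.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed limit for this example: the longest DSN (in characters, not
 * counting the terminator) that the hardened path will accept. */
#define DSN_MAX_CCH 32

/* Return codes mirroring the S_OK / STRSAFE_E_INVALID_PARAMETER outcomes
 * of strsafe.h, expressed as plain ints so the example builds anywhere. */
#define CHK_OK              0
#define CHK_INVALID_PARAM  (-1)

/* Portable stand-in for StringCchLengthW (strsafe.h).
 * Scans at most cch_max characters and succeeds only if a terminating NUL
 * is found inside that window. Unlike wcslen(), it can never run past the
 * window, so an unterminated or overlong input is rejected instead of
 * producing an out-of-bounds read or an oversized length for a later copy. */
int validate_null_terminated_w(const wchar_t *psz, size_t cch_max, size_t *pcch_out)
{
    if (pcch_out) *pcch_out = 0;
    if (psz == NULL || cch_max == 0) return CHK_INVALID_PARAM;
    for (size_t i = 0; i < cch_max; i++) {
        if (psz[i] == L'\0') {
            if (pcch_out) *pcch_out = i;   /* length excluding the terminator */
            return CHK_OK;
        }
    }
    /* No terminator within cch_max characters: refuse the string. */
    return CHK_INVALID_PARAM;
}

/* Hypothetical hardened connect path: the DSN is validated before it is
 * copied into a caller-supplied fixed-size buffer, which is the ordering the
 * patch introduced. Returns 0 on success, -1 if the DSN is rejected. */
int connect_with_dsn(const wchar_t *dsn, wchar_t *out, size_t out_cch)
{
    size_t len = 0;
    if (out == NULL || out_cch == 0) return -1;

    /* The added check: bound the length before any copy happens. */
    if (validate_null_terminated_w(dsn, DSN_MAX_CCH, &len) != CHK_OK) return -1;

    /* Belt and braces: the validated length must also fit the destination. */
    if (len + 1 > out_cch) return -1;

    memcpy(out, dsn, (len + 1) * sizeof(wchar_t));   /* includes the NUL */
    return 0;
}

int main(void)
{
    wchar_t buf[DSN_MAX_CCH];
    wchar_t overlong[64];

    /* Constructed inputs: a normal DSN and a 63-character one with no NUL
     * inside the first DSN_MAX_CCH characters. */
    for (size_t i = 0; i < 63; i++) overlong[i] = L'A';
    overlong[63] = L'\0';

    printf("short DSN accepted : %s\n",
           connect_with_dsn(L"MyDataSource", buf, DSN_MAX_CCH) == 0 ? "yes" : "no");
    printf("overlong DSN rejected: %s\n",
           connect_with_dsn(overlong, buf, DSN_MAX_CCH) != 0 ? "yes" : "no");
    return 0;
}
```

The important design point is the order of operations: the bounded check runs before the copy, and the check itself is bounded so it cannot be turned into a read past the end of an unterminated input. A check based on wcslen() would already have walked off the end of such a string before the comparison ever happened.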