Alert: Microsoft Security Bulletin - MS02-020
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 04/18/02
Date: Wed, 17 Apr 2002 20:50:26 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
http://www.microsoft.com/technet/security/bulletin/MS02-020.asp
SQL Extended Procedure Functions Contain Unchecked Buffers (Q319507)
Originally posted: April 17, 2002
Summary
Who should read this bulletin: Database administrators using Microsoft® SQL Server(tm)
Impact of vulnerability: Run code of attacker's choice
Maximum Severity Rating: Moderate
Recommendation: Apply the patch immediately to affected systems
Affected Software:
- Microsoft SQL Server 7.0
- Microsoft SQL Server 2000
Technical description:
SQL Server 7.0 and 2000 provide for extended stored procedures, which are external routines written in a programming language such as C. These procedures appear to users as normal stored procedures and are executed in the same way. SQL Server 7.0 and 2000 include a number of extended stored procedures which are used for various helper functions.
Several of the Microsoft-provided extended stored procedures have a flaw in common - namely, they fail to perform input validation correctly, and are susceptible to buffer overruns as a result. Exploiting the flaw could enable an attacker to either cause the SQL Server service to fail, or to cause code to run in the security context in which SQL Server is running. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in.
An attacker could exploit this vulnerability in one of two ways. Firstly, the attacker could attempt to load and execute a database query that calls one of the affected functions. Secondly, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.
Mitigating factors:
- The effect of exploiting the vulnerability would depend on the specific configuration of the SQL Server service. SQL Server can be configured to run in a security context chosen by the administrator. By default, this context is as a domain user. If the rule of least privilege has been followed, it would minimize the amount of damage an attacker could achieve.
- The vector for exploiting this vulnerability could be blocked by following best practices. Specifically, untrusted users should not be able to load and execute queries of their choice on a database server. In addition, publicly accessible database queries should filter all inputs prior to processing.
Vulnerability identifier: CAN-2002-0154
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
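
The unchecked-buffer pattern the bulletin describes, next to a length-validated form, as an added example that is not part of the original message and not Microsoft's code. The `xp_param` struct, `XP_BUF_LEN` and both function names are hypothetical stand-ins; the block does not use the real SQL Server extended procedure API.

```c
#include <stdio.h>
#include <string.h>

#define XP_BUF_LEN 32   /* constructed size for the procedure's local buffer */

/* Hypothetical stand-in for one parameter handed to an extended procedure:
   a length-delimited byte string, not guaranteed to be NUL-terminated. */
struct xp_param {
    const char *data;
    size_t      len;
};

/* Flawed pattern: trusts the caller-supplied length. Any len >= XP_BUF_LEN
   writes past the end of dst. Shown for contrast only. */
static void copy_param_unchecked(char dst[XP_BUF_LEN], const struct xp_param *p)
{
    memcpy(dst, p->data, p->len);
    dst[p->len] = '\0';
}

/* Hardened pattern: validate before copying and reject rather than truncate,
   so the procedure can return an error to the caller.
   Returns 0 on success, -1 if the parameter is missing or too long. */
static int copy_param_checked(char *dst, size_t dst_size, const struct xp_param *p)
{
    if (dst == NULL || dst_size == 0 || p == NULL || p->data == NULL)
        return -1;
    if (p->len >= dst_size)          /* leave room for the terminator */
        return -1;
    memcpy(dst, p->data, p->len);
    dst[p->len] = '\0';
    return 0;
}

int main(void)
{
    char name[XP_BUF_LEN];
    char big[200];
    memset(big, 'A', sizeof big);            /* constructed oversized input */

    struct xp_param ok  = { "master", 6 };   /* constructed sample value */
    struct xp_param bad = { big, sizeof big };

    copy_param_unchecked(name, &ok);         /* safe only because input is short */
    printf("unchecked, short input: %s\n", name);
    printf("checked, short input:   %d\n", copy_param_checked(name, sizeof name, &ok));
    printf("checked, long input:    %d\n", copy_param_checked(name, sizeof name, &bad));
    return 0;
}
```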