Alert: Microsoft Security Bulletin - MS02-030
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 06/13/02
Date: Wed, 12 Jun 2002 18:00:20 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
http://www.microsoft.com/technet/security/bulletin/MS02-030.asp
Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
Originally posted: June 12, 2002
Summary
Who should read this bulletin: System administrators using Microsoft® SQL Server(tm) 2000.
Impact of vulnerability: Two vulnerabilities, the most serious of which could run code of the attacker's choice.
Maximum Severity Rating: Moderate
Recommendation: System administrators who have enabled SQLXML and enabled data queries over HTTP should install the patch immediately.
Affected Software:
- Microsoft SQLXML, which ships as part of SQL Server 2000 and can be downloaded separately.
Technical description:
SQLXML enables the transfer of XML data to and from SQL Server 2000. Database queries can be returned in the form of XML documents which can then be stored or transferred easily. Using SQLXML, you can access SQL Server 2000 using XML through your browser over HTTP.
Two vulnerabilities exist in SQLXML:
- An unchecked buffer vulnerability in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server.
- A vulnerability in a function specifying an XML tag that could allow an attacker to run script on the user's computer with higher privilege. For example, a script might be able to be run in the Intranet Zone instead of the Internet Zone.
Mitigating factors:
Unchecked buffer in SQLXML ISAPI extension:
- The administrator must have set up a virtual directory structure and naming used by the SQLXML HTTP components on an IIS Server. The vulnerability gives no means for an attacker to obtain the directory structure.
- The attacker must know the location of the virtual directory on the IIS Server that has been specifically set up for SQLXML.
Script injection via XML tag:
- For an attack to succeed, the user must have privileges on the SQL Server.
- The attacker must know the address of the SQL Server on which the user has privileges.
- The attacker must lure the user to a website under their control.
- Queries submitted via HTTP are not enabled by default.
- Microsoft best practices recommend against allowing ad hoc URL queries against the database through a virtual root.
- The script will run in the user's browser according to the IE security zone used to connect with the IIS Server hosting the SQLXML components. In most cases, this will be the Intranet Zone.
Vulnerability identifiers:
- Unchecked buffer in SQLXML ISAPI extension - CAN-2002-0186
- Script injection via XML tag - CAN-2002-0187
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor