Alert: Microsoft Security Bulletin - MS02-056

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/03/02


Date:         Wed, 2 Oct 2002 22:51:36 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-056.asp

Cumulative Patch for SQL Server (Q316333)

Originally posted: October 02, 2002

Summary

Who should read this bulletin: System administrators using Microsoft® SQL Server(tm) 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000.

Impact of vulnerability: Four vulnerabilities, the most serious of which could enable an attacker to gain control over an affected server.

Maximum Severity Rating: Critical

Recommendation: System administrators should apply the patch to affected systems.

Affected Software:
- Microsoft SQL Server 7.0
- Microsoft Data Engine (MSDE) 1.0
- Microsoft SQL Server 2000
- Microsoft Desktop Engine (MSDE) 2000

Technical description:

This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000. In addition, it eliminates four newly discovered vulnerabilities.
- A buffer overrun in a section of code in SQL Server 2000 (and MSDE 2000) associated with user authentication. By sending a specially malformed login request to an affected server, an attacker could either cause the server to fail or gain the ability to overwrite memory on the server, thereby potentially running code on the server in the security context of the SQL Server service. It would not be necessary for the user to successfully authenticate to the server or to be able to issue direct commands to it in order to exploit the vulnerability.
- A buffer overrun vulnerability that occurs in one of the Database Console Commands (DBCCs) that ship as part of SQL Server 7.0 and 2000. In the most serious case, exploiting this vulnerability would enable an attacker to run code in the context of the SQL Server service, thereby giving the attacker complete control over all databases on the server.
- A vulnerability associated with scheduled jobs in SQL Server 7.0 and 2000. SQL Server allows unprivileged users to create scheduled jobs that will be executed by the SQL Server Agent. By design, the SQL Server Agent should only perform job steps that are appropriate for the requesting user's privileges. However, when a job step requests that an output file be created, the SQL Server Agent does so using its own privileges rather than the job owner's privileges. This creates a situation in which an unprivileged user could submit a job that would create a file containing valid operating system commands in another user's Startup folder, or simply overwrite system files in order to disrupt system operation.
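An administrator reviewing the scheduled-job item above will want to know which existing Agent jobs already write output files on behalf of non-administrative owners, since those are the job steps the flaw turns into writes made with the Agent's own privileges. The following T-SQL audit query is an added example and is not part of the Microsoft bulletin or of this post; it assumes the msdb catalog tables of SQL Server 7.0/2000 (sysjobs, sysjobsteps) and a login able to read msdb, and it can be run from Query Analyzer or osql.

```sql
-- Added example (not from the bulletin): list enabled SQL Server Agent job steps
-- that write an output file and whose job owner is not a sysadmin.
-- Assumes the SQL Server 7.0/2000 msdb schema: sysjobs (job_id, name, owner_sid,
-- enabled) and sysjobsteps (job_id, step_id, step_name, subsystem, command,
-- output_file_name).
SELECT
    j.name                    AS job_name,
    SUSER_SNAME(j.owner_sid)  AS job_owner,
    s.step_id,
    s.step_name,
    s.subsystem,
    s.output_file_name,
    LEFT(s.command, 200)      AS command_preview
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s
    ON s.job_id = j.job_id
WHERE j.enabled = 1
  AND s.output_file_name IS NOT NULL
  AND LEN(s.output_file_name) > 0
  -- IS_SRVROLEMEMBER returns 1 for a sysadmin login, 0 otherwise, and NULL
  -- when the owner login no longer exists; orphaned owners are listed too.
  AND ISNULL(IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)), 0) = 0
ORDER BY job_owner, job_name, s.step_id;
```

Each row is a job step whose output file is written by the Agent service account rather than by the job owner. Paths that point outside the locations a given owner is expected to write to (another user's profile, a Startup folder, a system directory) deserve review before and after the patch is applied, and the patch itself does not remove jobs that were created before it was installed.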

The patch also changes the operation of SQL Server, to prevent non-administrative users from running ad hoc queries against non-SQL OLEDB data sources. Although the current operation does not represent a security vulnerability, the new operation makes it more difficult to misuse poorly coded data providers that might be installed on the server.

Mitigating factors:

Unchecked buffer in SQL Server 2000 authentication function:
- This vulnerability only affects SQL Server 2000 and MSDE 2000. Neither SQL Server 7.0 nor MSDE 1.0 are affected.
- If the SQL Server port (port 1433) were blocked at the firewall, the vulnerability could not be exploited from the Internet.
- Exploiting this vulnerability would allow the attacker to escalate privileges to the level of the SQL Server service account. By default, the service runs with the privileges of a domain user, rather than with system privileges.

Unchecked buffer in Database Console Commands:
- Exploiting this vulnerability would allow the attacker to escalate privileges to the level of the SQL Server service account. By default, the service runs with the privileges of a domain user, rather than with system privileges.
- The vulnerability could only be exploited by an attacker who could authenticate to an affected SQL Server or has permissions to execute queries directly to the server.
- The vulnerability could only be exploited by an attacker who could authenticate to an affected SQL Server.

Flaw in output file handling for scheduled jobs:
- The vulnerability could only be exploited by an attacker who could authenticate to an affected SQL server.

Vulnerability identifiers:

- Unchecked buffer in SQL Server 2000 authentication function: CAN-2002-1123
- Unchecked buffer in Database Console Commands: CAN-2002-1137
- Flaw in output file handling for scheduled jobs: CAN-2002-1138

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor


