Notes on the SQL Cumulative patch

From: David Litchfield (david@NGSSOFTWARE.COM)
Date: 10/03/02


Date:         Thu, 3 Oct 2002 15:56:37 +0100
From: David Litchfield <david@NGSSOFTWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

The cumulative patch at
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-056.asp
addresses 4 vulnerabilities in SQL Server 7 and 2000. Dave Aitel's
(www.immunitysec.com) "hello" bug (unauthenticated buffer overflow during
authentication) is patched here.

Also addressed is the file overwrite vulnerability discussed here
http://www.nextgenss.com/advisories/mssql-jobs2.txt

The Microsoft advisory states that "operating system" commands can be
inserted into files - the implication being that batch files can be dropped
into startup folders. This is not true for SQL Server 2000. The text of the
file created is UNICODE, i.e. each character taking two bytes with the
second byte being a NULL. This NULL prevents OS commands from being
executed. The risk posed to SQL Server 2000 systems then is file overwrite
such as ntoskrnl.exe.

Please note that I have not tested this on SQL Server 7 and what MS says may
be true about being able to run OS commands on this version - I have a
feeling it is not, though.

It is important that the patch be installed as soon as is possible to fix
Dave Aitel's issue but for the file overwrite issue drop public access from
the relevant stored procedures in the interim as a workaround:

revoke execute on sp_add_job from public
revoke execute on sp_add_jobstep from public
revoke execute on sp_add_jobserver from public
revoke execute on sp_start_job from public

Cheers,
David Litchfield

A check for these issues already exists in NGSSQuirreL
(http://www.nextgenss.com/software/ngssquirrel.html) and an update is being
made now to cover the other two issues.
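The interim workaround above, written out as a script that applies the four revokes and then verifies that public no longer holds EXECUTE. This is an added example, not part of David Litchfield's post: it assumes SQL Server 2000, where the SQL Agent job procedures live in msdb (so the revokes must be run in that database), and it assumes the sysprotects catalog codes uid 0 = public, action 224 = EXECUTE and protecttype 204/205 = GRANT variants; verify those against your server's documentation before relying on the final query.

```sql
-- Added example (not from the original post): apply the interim workaround
-- in msdb, where the SQL Agent job procedures are defined, and verify it.
-- Assumes SQL Server 2000 catalog layout; run as a sysadmin.
USE msdb
GO

-- Before: list who currently holds permissions on the four procedures
EXEC sp_helprotect 'sp_add_job'
EXEC sp_helprotect 'sp_add_jobstep'
EXEC sp_helprotect 'sp_add_jobserver'
EXEC sp_helprotect 'sp_start_job'
GO

-- Workaround from the post: drop public's EXECUTE on the job procedures
REVOKE EXECUTE ON sp_add_job FROM public
REVOKE EXECUTE ON sp_add_jobstep FROM public
REVOKE EXECUTE ON sp_add_jobserver FROM public
REVOKE EXECUTE ON sp_start_job FROM public
GO

-- After: this query should return no rows. Any row means public still holds
-- an EXECUTE grant on one of the procedures and the revoke did not take.
-- Assumed catalog codes: uid 0 = public, action 224 = EXECUTE,
-- protecttype 204 = GRANT_W_GRANT, 205 = GRANT (206 = DENY is harmless here).
SELECT OBJECT_NAME(p.id) AS procedure_name,
       CASE p.protecttype WHEN 204 THEN 'GRANT WITH GRANT OPTION'
                          ELSE 'GRANT' END AS remaining_permission
FROM   sysprotects p
WHERE  p.uid = 0
  AND  p.action = 224
  AND  p.protecttype IN (204, 205)
  AND  p.id IN (OBJECT_ID('sp_add_job'), OBJECT_ID('sp_add_jobstep'),
                OBJECT_ID('sp_add_jobserver'), OBJECT_ID('sp_start_job'))
GO
```

Running the final SELECT on its own is also a quick way to audit a server that is believed to have the workaround in place before the patch is applied.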
