[NT] Another Cumulative Patch for SQL Server Released

From: support@securiteam.com
To: list@securiteam.com
Date: Fri,  4 Oct 2002 22:21:38 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Another Cumulative Patch for SQL Server Released
------------------------------------------------------------------------

SUMMARY

This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, and
Microsoft Data Engine (MSDE) 1.0, Microsoft Desktop Engine (MSDE) 2000. In
addition, it eliminates three newly discovered vulnerabilities.

 * A buffer overrun in a section of code in SQL Server 2000 (and MSDE
2000) associated with user authentication. By sending an especially
malformed login request to an affected server, an attacker could either
cause the server to fail or gain the ability to overwrite memory on the
server, thereby potentially running code on the server in the security
context of the SQL Server service. It would not be necessary for the user
to successfully authenticate to the server or to be able to issue direct
commands to it in order to exploit the vulnerability.

 * A buffer overrun vulnerability that occurs in one of the Database
Console Commands (DBCCs) that ship as part of SQL Server 7.0 and 2000. In
the most serious case, exploiting this vulnerability would enable an
attacker to run code in the context of the SQL Server service, thereby
giving the attacker complete control over all databases on the server.

 * A vulnerability associated with scheduled jobs in SQL Server 7.0 and
2000. SQL Server allows unprivileged users to create scheduled jobs that
will be executed by the SQL Server Agent. By design, the SQL Server Agent
should only perform job steps that are appropriate for the requesting
user's privileges. However, when a job step requests that an output file
be created, the SQL Server Agent does so using its own privileges rather
than the job owner's privileges. This creates a situation in which an
unprivileged user could submit a job that would create a file containing
valid operating system commands in another user's Startup folder, or
simply overwrite system files in order to disrupt system operation.

The patch also changes the operation of SQL Server, to prevent
non-administrative users from running ad hoc queries against non-SQL OLEDB
data sources. Although the current operation does not represent a security
vulnerability, the new operation makes it more difficult to misuse poorly
coded data providers that might be installed on the server.

DETAILS

Affected Software:
 * Microsoft SQL Server 7.0
 * Microsoft Data Engine (MSDE) 1.0
 * Microsoft SQL Server 2000
 * Microsoft Desktop Engine (MSDE) 2000

Mitigating factors:
Unchecked buffer in SQL Server 2000 authentication function:
 * This vulnerability only affects SQL Server 2000 and MSDE 2000. Neither
SQL Server 7.0 nor MSDE 1.0 is affected.
 * If the SQL Server port (port 1433) were blocked at the firewall, the
vulnerability could not be exploited from the Internet.
 * Exploiting this vulnerability would allow the attacker to escalate
privileges to the level of the SQL Server service account. By default, the
service runs with the privileges of a domain user, rather than with system
privileges.

Unchecked buffer in Database Console Commands:
 * Exploiting this vulnerability would allow the attacker to escalate
privileges to the level of the SQL Server service account. By default, the
service runs with the privileges of a domain user, rather than with system
privileges.

 * The vulnerability could only be exploited by an attacker who could
authenticate to an affected SQL Server, or who otherwise had permission to
issue queries directly to the server.

Flaw in output file handling for scheduled jobs:
 * The vulnerability could only be exploited by an attacker who could
authenticate to an affected SQL server.

Patch availability:
Download locations for this patch
 * Microsoft SQL Server 7.0:
   http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327068&sd=tech
 * Microsoft SQL Server 2000:
   http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech

What vulnerabilities are eliminated by this patch?
This is a cumulative patch that, when applied, addresses all previously
reported vulnerabilities. In addition, it eliminates three new
vulnerabilities:

 * A vulnerability that could enable an attacker to gain control over a
SQL Server 2000 database.
 * A new variant of a vulnerability originally discussed in Microsoft
Security Bulletin MS02-038, through which an already authenticated user
could gain additional privileges on a SQL Server.
 * A vulnerability through which a user could potentially cause a program
to run when another user subsequently logged onto the system or overwrite
files that the SQL Server Agent service would otherwise have access to.

Is this patch cumulative?
This patch does supersede all previously released security patches
involving the SQL Server 7.0 and SQL Server 2000 database engines.
However, applying this patch is not sufficient by itself to fully secure a
SQL Server:

 * One security fix for SQL Server 2000, discussed in Microsoft Security
Bulletin MS02-035, requires remediation via a tool rather than a patch.
The tool only needs to be run one time, so customers who have previously
run it do not need to take additional action. However, installing this
patch does not cause the tool to be run.

 * The patch does not include any fixes for security vulnerabilities
involving the Microsoft Data Access Components (MDAC) or Online Analytic
Processing (OLAP) technologies for SQL Server. The patches for these
issues (listed in the Caveats section of the original Microsoft bulletin)
must be applied separately.

The Affected Versions section says that Microsoft Desktop Engine (MSDE) is
also affected by these vulnerabilities. What is MSDE?
Microsoft Desktop Engine (MSDE) is a database engine that is built on SQL
Server technology and ships as part of several
Microsoft products, including Microsoft Visual Studio and Microsoft Office
Developer Edition. There is a direct connection between versions of MSDE
and versions of SQL Server. MSDE 1.0 is based on SQL Server 7.0; MSDE 2000
is based on SQL Server 2000.

Does the patch include any other fixes?
The patch also fixes an issue that, while not a security vulnerability per
se, could nevertheless aid an attacker in taking advantage of a poorly
configured system. Specifically, the patch changes the operation of SQL
Server to restrict unprivileged users to only performing queries against
SQL Server data. In the case where a non-SQL data provider had been
installed on the system, and the driver for the provider did not enforce
proper security, this change would help prevent unprivileged users from
abusing the situation.
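The following T-SQL illustrates the operational change described in the summary and in the answer above: an ad hoc query that loads a non-SQL OLE DB provider inside the SQL Server process, the role check that decides whether the patched server will still honour it, and the linked-server route that remains available to everyone else. This is an added example, not code from the Microsoft bulletin or from SecuriTeam. The Jet 4.0 provider, the file path C:\data\sales.xls, the linked server name SALES_XLS and the login reporting_user are illustrative assumptions; the bulletin itself names no provider. Reading "non-administrative users" as logins outside the sysadmin server role is also an assumption.

```sql
-- Added example (not part of the bulletin): the ad hoc query path that the
-- patch closes for non-administrators, and the linked-server alternative.
-- Assumed: Jet 4.0 OLE DB provider installed, C:\data\sales.xls present,
-- names SALES_XLS and reporting_user. None of these come from the bulletin.

-- 1. Ad hoc access. Before the patch any login could run this; the
--    provider named in the first argument is loaded into sqlservr.exe and
--    trusted to enforce its own security. After the patch it is only
--    honoured for members of the sysadmin role (assumed reading of
--    "non-administrative users").
SELECT *
FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0',
                'Excel 8.0;Database=C:\data\sales.xls',
                'SELECT * FROM [Sheet1$]');

-- 2. Where does the current login stand?  1 = sysadmin, 0 = not.
SELECT SUSER_SNAME()             AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 3. Sanctioned path: an administrator defines the data source once as a
--    linked server, so the provider and connection string are fixed by
--    the administrator rather than supplied by the querying user.
EXEC sp_addlinkedserver
     @server     = 'SALES_XLS',
     @srvproduct = 'Jet 4.0',
     @provider   = 'Microsoft.Jet.OLEDB.4.0',
     @datasrc    = 'C:\data\sales.xls',
     @provstr    = 'Excel 8.0';

-- sp_addlinkedserver creates a default mapping that lets every local login
-- use the linked server. Remove it, then map only the login that needs it.
EXEC sp_droplinkedsrvlogin
     @rmtsrvname = 'SALES_XLS',
     @locallogin = NULL;            -- NULL = the default (all logins) mapping

EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = 'SALES_XLS',
     @useself     = 'false',
     @locallogin  = 'reporting_user',
     @rmtuser     = NULL,           -- Jet needs no remote credentials
     @rmtpassword = NULL;

-- 4. The non-administrative user now queries through the four-part name;
--    no provider string ever crosses the trust boundary from the user.
SELECT *
FROM SALES_XLS...[Sheet1$];
```

The point of the linked-server route is not that the provider becomes safe, but that the choice of provider and connection string moves from the querying user to the administrator, which is exactly the exposure the patch removes from ad hoc queries.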

Unchecked buffer in SQL Server 2000 authentication function:
What's the scope of this vulnerability?
This is a buffer overrun vulnerability. By sending an especially malformed
login request to an affected server, an attacker could either cause the
SQL Server service to fail or gain control over the database. It would not
be necessary for the user to successfully authenticate to the server in
order to exploit the vulnerability.

This vulnerability only affects SQL Server 2000 and MSDE 2000. Although
the vulnerability would provide a way to gain control over the database,
it would not, under default conditions, grant the attacker significant
privileges at the operating system level.

What causes the vulnerability?
The vulnerability results because a function in SQL Server 2000 (and MSDE
2000) that handles authentication requests contains an unchecked buffer. By
calling this function with specially chosen parameters, an attacker could
cause a buffer overrun condition to occur.

What authentication requests are you referring to?
Depending on how the server is configured, it may use either of two
methods to authenticate users - SQL Server authentication, or Windows
Authentication. However, before the actual authentication process takes
place, SQL Server exchanges some preliminary information. The
vulnerability lies in one of the functions involved in this preliminary
exchange.

What's wrong with the authentication function?
The function suffers from an unchecked buffer. Because of this, it could
be possible for an attacker to initiate a preliminary exchange in a way
that would overrun the buffer, thereby overwriting memory within the SQL
Server service in the process.

What could this vulnerability enable an attacker to do?
An attacker who was able to successfully exploit this vulnerability could
do either of two things. If he or she provided random data, the effect of
overwriting the service's memory would be to cause it to fail. In that
case, the administrator could restore normal operation by restarting the
SQL Server service.

On the other hand, by providing carefully chosen data, the attacker could
modify the SQL Server service to perform new functions he or she chose.
The effect would be to give the attacker full control over the SQL server,
and enable him or her to add, delete or modify data; reconfigure SQL
Server parameters, or take any other desired action on the database.

Who could exploit the vulnerability?
Any user who could engage in an authentication attempt with an affected SQL
Server - whether the attempt was successful or not - could exploit the
vulnerability.

Does that mean that the attacker wouldn't need a valid SQL Server userid
and password to exploit the vulnerability?
Correct. Because of where the vulnerability resides within the
authentication function, the attacker would not need to be able to log
onto the server - he or she would only need to be able to deliver the data
packets that signify the start of an authentication attempt.

Could the vulnerability be exploited from the Internet?
It would depend on whether the attacker could engage in an authentication
exchange. To do this, the SQL Server port (port 1433) would need to be
open at the firewall. If the port were closed (as it should be unless
absolutely necessary), an attacker could not exploit this vulnerability
from the Internet.

I'm running SQL Server 7.0. Could I be affected by this vulnerability?
No. It affects only SQL Server 2000 (and MSDE 2000); it doesn't affect SQL
Server 7.0 (or MSDE 1.0). However, SQL Server 7.0 administrators should
still install the patch, as other vulnerabilities discussed in this
bulletin do affect SQL Server 7.0.

How does the patch address this vulnerability?
The patch institutes proper buffer checking in the authentication function.
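Because this overrun is reachable before any credential is checked, the two things an administrator can verify after reading this section are whether the server is actually at the patched build and which TCP port the instance is listening on (the firewall mitigation above only helps if the rule covers the port in use). The script below is an added example for a SQL Server 2000 / MSDE 2000 default instance; it is not from the bulletin. The required build number is deliberately left as a variable to be filled in from the Q316333 article, since the bulletin text here does not state it; the registry location of the TcpPort value for a default instance and the use of xp_regread and xp_loginconfig are standard SQL Server 2000 facilities, not something the bulletin describes.

```sql
-- Added example (not part of the bulletin): post-patch checks for a
-- SQL Server 2000 / MSDE 2000 default instance.
-- Assumptions: @required_build is taken from the KB article for Q316333
-- (no value asserted here); the default instance keeps its listening port
-- in the SuperSocketNetLib\Tcp registry key (named instances use a
-- different key); both extended procedures need sysadmin rights.
SET NOCOUNT ON;

DECLARE @required_build INT;
SET @required_build = 0;          -- fill in from KB Q316333 before running

-- 1. Build number. SERVERPROPERTY returns a string such as '8.00.534';
--    PARSENAME(..., 1) yields the rightmost dotted part, i.e. the build.
DECLARE @version VARCHAR(32);
DECLARE @build   INT;
SET @version = CONVERT(VARCHAR(32), SERVERPROPERTY('ProductVersion'));
SET @build   = CONVERT(INT, PARSENAME(@version, 1));

SELECT @version                                         AS product_version,
       CONVERT(VARCHAR(16), SERVERPROPERTY('ProductLevel')) AS product_level,
       CASE
         WHEN @required_build = 0
           THEN 'set @required_build from the KB article first'
         WHEN @build >= @required_build
           THEN 'at or above the patched build'
         ELSE 'below the patched build - install the cumulative patch'
       END                                              AS patch_status;

-- 2. Listening port. The bulletin's mitigation is to block 1433 at the
--    firewall; confirm that is the port this instance actually uses.
DECLARE @port VARCHAR(16);
EXEC master.dbo.xp_regread
     @rootkey    = 'HKEY_LOCAL_MACHINE',
     @key        = 'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp',
     @value_name = 'TcpPort',
     @value      = @port OUTPUT;

SELECT @port AS tcp_port,
       CASE
         WHEN @port = '1433'
           THEN 'default port - verify it is filtered at the perimeter'
         ELSE 'non-default port - the firewall rule must cover this port too'
       END   AS exposure_note;

-- 3. Authentication mode, for the record. The overrun lies in the
--    pre-login exchange, so it is reachable in either mode; this does not
--    change the exposure, it only documents the configuration.
EXEC master.dbo.xp_loginconfig 'login mode';
```

Run it as a sysadmin from Query Analyzer or osql; the third result set shows either "Windows NT Authentication" or "Mixed", neither of which reduces exposure to this particular flaw.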

Unchecked buffer in Database Console Commands:
What's the scope of this vulnerability?
This is a new variant of a vulnerability originally reported in Microsoft
Security Bulletin MS02-038. Like the original vulnerability, this is a
buffer overrun vulnerability, through which it could be possible for an
attacker to either cause the SQL Server to fail or gain complete control
over the database.

What causes the vulnerability?
The vulnerability results because one of the Database Console Command
(DBCC) utilities provided as part of SQL Server contains unchecked buffers
in the section of code that handles user input.

What is the Database Console Command (DBCC)?
DBCCs are utility commands provided as part of SQL Server 7.0 and 2000. Their
purpose is to provide database administrators with an easy way to perform
common housekeeping tasks. For instance, DBCCs are available to
de-fragment databases, repair minor errors, show usage statistics, and so
forth. A complete listing of the DBCCs available as part of SQL Server
2000 is included in the SQL Server 2000 online help facility.

How is this vulnerability different from the DBCC vulnerabilities
discussed in Security Bulletin MS02-038?
This vulnerability is identical to the DBCC vulnerabilities discussed in
Microsoft Security Bulletin MS02-038 with one exception. Unlike the DBCCs
discussed in MS02-038, the one affected by this variant could be executed
by any SQL user.

How does the patch address the vulnerability?
The patch institutes proper buffer handling in the affected DBCC.

Flaw in output file handling for scheduled jobs:
What's the scope of this vulnerability?
This vulnerability could enable an attacker to do either of two things:
create a program that would subsequently be executed when another user
logged onto the server, or corrupt system files in an effort to disrupt
system operation.

The vulnerability could only be exploited by an attacker who could
authenticate to the SQL server. In addition, in the first attack scenario
discussed above, the effect of exploiting the vulnerability would depend
on the specific privileges of the user who subsequently logged onto the
system.

What causes the vulnerability?
The vulnerability results because, when the SQL Server Agent creates an
output file as part of a scheduled job, it does so using its own
privileges rather than those of the job owner or, where the job owner is
not a member of the sysadmin server role (for example, a standard SQL
Server login), those of the configured proxy account.

What is the SQL Server Agent?
The SQL Server Agent is responsible for running scheduled jobs, restarting
the database service and other administrative operations.

What's a scheduled job?
Scheduled jobs provide a way to cause the SQL Server to take a designated
action at a particular time. Scheduled jobs are frequently used by
administrators to perform regularly scheduled maintenance tasks such as
backups.

Who can create scheduled jobs?
Any user can create a scheduled job, but the SQL Server Agent will only
execute a particular job step if the requester has appropriate privileges.

What's wrong with the way the SQL Server Agent processes scheduled jobs?
By design, all job steps in a scheduled job should be carried out using
the privileges of the person who submitted the job or, in some cases,
those of a proxy account. However, when a job calls for an output file to
be created, the SQL Server Agent does so using its own privileges. Because
the SQL Server Agent service account is often configured with Windows
administrative privileges, this allows a job to create a file anywhere on
the system, regardless of the user's privileges.

What could this vulnerability enable an attacker to do?
An attacker who successfully exploited the vulnerability could create a
file on the system, for either of two purposes:

 * Disrupting system operation. By overwriting system files with random
data, the attacker could potentially cause the system to fail.

 * Causing other users to run programs of the attacker's choice. By
creating an output file that contained valid operating system commands,
and placing it in the appropriate folder (e.g., another user's Startup
folder), the attacker could cause the commands to be executed the next time
another user logged onto the system.

How could an attacker exploit this vulnerability?
An attacker would only need the ability to log onto an affected server to
exploit the vulnerability. He or she could then create a scheduled job
that creates an output file, submit it, and thereby exploit the
vulnerability.

If the attacker overwrote system files, what would be needed in order to
resume normal operation?
It would depend on which files were overwritten. It might only require
that the administrator restart the service. However, in the worst case,
the administrator might need to restore system files using an emergency
repair disk.

If the attacker created a program in another user's Startup folder, what
could it do?
It would depend on the privileges the user had. Anything the user could
do, the program also could do.

How does the patch address the vulnerability?
The patch causes SQL Server Agent to use the job owner's credentials if
the connection is a Windows Authenticated user, or the proxy account's
credentials if the connection is a SQL Server authenticated user, when
determining who has the right to produce an output file from a job step.
As a result, users' jobs will still be able to create output files, but
only in areas where the user or the proxy account's privileges permit.
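The following T-SQL, an added example rather than code from the bulletin, shows the shape of the job the section above describes (one step whose output is redirected to a file) and then the audit query an administrator would run in msdb to find every job step with an output file whose owner is not a sysadmin, which on an unpatched server is exactly the combination that had its file written with Agent's privileges. It uses the documented msdb tables of SQL Server 7.0 and 2000. The job name, the report path and the pubs query inside the step are illustrative assumptions; nothing here writes to a Startup folder or system file.

```sql
-- Added example (not part of the bulletin): a job with a file output step,
-- and an audit of msdb for such steps owned by non-sysadmin logins.
-- Assumed names: job nightly_rowcount_report, path C:\reports\rowcount.txt,
-- and the pubs sample database. Run in msdb on SQL Server 7.0 or 2000.
USE msdb;
SET NOCOUNT ON;

-- 1. What any login could submit before the patch: sp_add_job records the
--    caller as owner; @output_file_name asks Agent to write the step's
--    output to a file, which Agent did with its own privileges.
EXEC sp_add_job
     @job_name = 'nightly_rowcount_report';

EXEC sp_add_jobstep
     @job_name         = 'nightly_rowcount_report',
     @step_name        = 'count rows',
     @subsystem        = 'TSQL',
     @command          = 'SELECT COUNT(*) FROM pubs.dbo.authors',
     @output_file_name = 'C:\reports\rowcount.txt';

EXEC sp_add_jobserver
     @job_name = 'nightly_rowcount_report';   -- target the local server

-- 2. Audit: every step that writes an output file, who owns the job, and
--    whether that owner is a sysadmin. Rows with is_owner_sysadmin = 0 are
--    the ones the bulletin is about; review their output paths and, on a
--    patched server, confirm the proxy account can only reach intended
--    directories.
SELECT j.name                                      AS job_name,
       SUSER_SNAME(j.owner_sid)                    AS owner_login,
       IS_SRVROLEMEMBER('sysadmin',
                        SUSER_SNAME(j.owner_sid))  AS is_owner_sysadmin,
       s.step_id,
       s.step_name,
       s.subsystem,
       s.output_file_name
FROM   dbo.sysjobs     AS j
JOIN   dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE  s.output_file_name IS NOT NULL
  AND  s.output_file_name <> ''
ORDER  BY is_owner_sysadmin, j.name, s.step_id;
```

Output paths under the Windows directory, under Documents and Settings\*\Start Menu\Programs\Startup, or anywhere the job owner could not write directly are the ones worth following up, whether or not the server has since been patched.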

ADDITIONAL INFORMATION

The information has been provided by Microsoft.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


