From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Thu Aug 15 2002 - 15:51:08 CDT
Cumulative Patch for SQL Server (Q316333)
Originally posted: August 14, 2002
Who should read this bulletin: System administrators using Microsoft® SQL Server(tm) 7.0 and 2000 and Microsoft Desktop Engine 1.0 and 2000.
Impact of vulnerability: Elevation of privilege.
Maximum Severity Rating: Moderate
Recommendation: System administrators should apply the patch to affected systems.
Affected Software:
- Microsoft SQL Server 7.0
- Microsoft Desktop Engine (MSDE) 1.0
- Microsoft SQL Server 2000
- Microsoft Desktop Engine (MSDE) 2000
This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0 and SQL Server 2000. In addition, it eliminates a newly discovered vulnerability.
SQL Server 7.0 and SQL Server 2000 provide for extended stored procedures, which are external routines compiled into DLLs from languages such as C or C++. These procedures appear as normal stored procedures to users and can be invoked and executed just like normal stored procedures. By default, SQL Server 7.0 and SQL Server 2000 ship with a number of extended stored procedures which are used for various helper functions.
Some of the Microsoft-provided extended stored procedures that have the ability to reconnect to the database as the SQL Server service account have a flaw in common - namely, they have weak permissions that allow non-privileged users to execute them. Because the work these extended stored procedures do is carried out under the service account, which has administrator privileges on the database, a non-privileged user who can call them can run stored procedures on the database with administrator privileges.
An attacker could exploit this vulnerability in one of two ways. The attacker could load and execute a database query that calls one of the affected extended stored procedures directly. Alternately, if a website or other database front-end were configured to accept and process arbitrary queries, the attacker could supply input that causes the query to call one of the procedures in question with parameters of the attacker's choosing.
Mitigating factors:
- The effect of exploiting the vulnerability would depend on the specific configuration of the SQL Server service. SQL Server can be configured to run in a security context chosen by the administrator. By default, this context is as a domain user. If the rule of least privilege has been followed, it would minimize the amount of damage an attacker could achieve.
- The vector for exploiting this vulnerability could be blocked by following best practices. Specifically, untrusted users should not be able to load and execute queries of their choice on a database server. In addition, publicly accessible database queries should filter all inputs prior to processing.
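The bulletin does not name the affected extended stored procedures, so an administrator who wants to see the weak permissions on a live server (or confirm that the patch changed them) needs a way to enumerate them. The following T-SQL audit script is an added example, not part of the bulletin or of Microsoft's own tooling. It lists every extended stored procedure in master that the public role has been granted EXECUTE on, then generates (but does not run) a REVOKE for each grant. It assumes the SQL Server 7.0/2000 system-table encodings noted in the comments: xtype 'X' marks an extended stored procedure, sysprotects.action 224 is EXECUTE, uid 0 is the public role, and protecttype 204/205/206 are GRANT WITH GRANT OPTION, GRANT and DENY.

```sql
-- Added audit script (not from the bulletin): find extended stored procedures
-- in master that the public role may EXECUTE, then build REVOKEs for review.
-- Assumed SQL Server 7.0/2000 system-table encodings:
--   sysobjects.xtype = 'X'     extended stored procedure
--   sysprotects.action = 224   EXECUTE permission
--   sysprotects.uid = 0        the public role
--   sysprotects.protecttype    204 = GRANT WITH GRANT OPTION, 205 = GRANT, 206 = DENY
USE master
GO

-- 1. Which extended stored procedures can any login run by virtue of public?
SELECT  o.name            AS xp_name,
        USER_NAME(o.uid)  AS owner_name,
        CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
        END               AS execute_state
FROM    sysobjects  o
JOIN    sysprotects p ON p.id = o.id
WHERE   o.xtype  = 'X'
  AND   p.action = 224
  AND   p.uid    = 0
ORDER BY o.name
GO

-- 2. Generate, but do not execute, a REVOKE for each actual grant so the
--    administrator can strike out procedures that are meant to stay public
--    before running the remainder.
SELECT  'REVOKE EXECUTE ON ' + QUOTENAME(o.name) + ' FROM public'
FROM    sysobjects  o
JOIN    sysprotects p ON p.id = o.id
WHERE   o.xtype  = 'X'
  AND   p.action = 224
  AND   p.uid    = 0
  AND   p.protecttype IN (204, 205)   -- grants only; leave existing DENYs alone
ORDER BY o.name
GO

-- 3. Re-run step 1 after applying the cumulative patch (or the reviewed
--    REVOKEs) to confirm the restricted procedures no longer show a GRANT.
```

Run step 1 before patching and keep the output: it is the baseline that lets you confirm afterwards that the patch actually changed permissions rather than only replacing binaries. Do not run the generated REVOKEs blindly; several helper procedures are granted to public by design and applications may depend on them, which is why step 2 produces statements for review instead of executing them. A final check from a login that holds no role beyond public is to call one of the restricted procedures and confirm it now fails with the EXECUTE permission-denied error (error 229) rather than running.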
Vulnerability identifier: CAN-2002-0721
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor