Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: m-044.txt

MS SQL Server Unchecked Buffers (CIAC M-044)




             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

     Microsoft SQL Server Remote Data Source Function Contains Unchecked Buffers
                     [Microsoft Security Bulletin MS02-007]

February 21, 2002 19:00 GMT                                       Number M-044
______________________________________________________________________________
PROBLEM:       An unchecked buffer exists in the handling of OLE DB provider, 
               which are low-level data source providers, in ad hoc connections.
               A buffer overrun could occur. 
PLATFORM:      Microsoft SQL Server 7.0 and 2000 
DAMAGE:        If exploited, an attacker could cause the SQL Server service to 
               fail or cause code to run in the security context of the SQL 
               Server. 
SOLUTION:      Apply available patch 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Exploiting this vulnerability would depend 
ASSESSMENT:    on specific configuration of the SQL Server service. If the 
               rule of least privilege has been followed, it would minimize 
               the amount of damage an attacker could achive. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-044.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/security/bulletin/MS02-007.asp 
 PATCHES:                                                                     
                     http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268 
                     http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333 
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS02-007 *****]



Microsoft Security Bulletin MS02-007   


SQL Server Remote Data Source Function Contain Unchecked Buffers
Originally posted: February 20, 2002

Summary

Who should read this bulletin: Database administrators using Microsoft® SQL Server™. 

Impact of vulnerability: Run code of attacker's choice on server 

Maximum Severity Rating: Moderate 

Recommendation: Apply the SQL Server patch immediately to affected systems 

Affected Software: 

Microsoft SQL Server 7.0 
Microsoft SQL Server 2000 



Technical details


Technical description: 


One of the features of Structured Query Language (SQL) in SQL Server 7.0 and 2000 is 
the ability to connect to remote data sources. One capability of this feature is the 
ability to use "ad hoc" connections to connect to remote data sources without setting 
up a linked server for less-often used data-sources. This is made possible through the 
use of OLE DB providers, which are low-level data source providers. This capability is 
made possible by invoking the OLE DB provider directly by name in a query to connect 
to the remote data source. 

An unchecked buffer exists in the handling of OLE DB provider names in ad hoc 
connections. A buffer overrun could occur as a result and could be used to either 
cause the SQL Server service to fail, or to cause code to run in the security context 
of the SQL Server. SQL Server can be configured to run in various security contexts, 
and by default runs as a domain user. The precise privileges the attacker could gain 
would depend on the specific security context that the service runs in. 

An attacker could exploit this vulnerability in one of two ways. They could attempt to 
load and execute a database query that calls one of the affected functions. 
Conversely, if a web-site or other database front-end were configured to access and 
process arbitrary queries, it could be possible for an attacker to provide inputs that 
would cause the query to call one of the functions in question with the appropriate 
malformed parameters. 

Mitigating factors: 

The effect of exploiting the vulnerability would depend on the specific configuration 
of the SQL Server service. SQL Server can be configured to run in a security context 
chosen by the administrator. By default, this context is as a domain user. If the rule 
of least privilege has been followed, it would minimize the amount of damage an 
attacker could achieve. 

Both vectors for exploiting the vulnerability could be blocked by following best 
practices. Specifically, untrusted users should not be able to load and execute 
queries of their choice on a database server. In addition, publicly accessible 
database queries should filter all inputs prior to processing. 

Severity Rating:
		Internet Servers	Intranet Servers	Client Systems 
SQL Server 7.0 	Moderate 		Moderate 		Moderate 
SQL Server 2000	Moderate		Moderate		Moderate 
The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. While the vulnerability could potentially allow an attacker to run 
code on the server, best practices should limit the ability to exploit the 
vulnerability and the damage that could be achieved by a successful attack. 

Vulnerability identifier: CAN-2002-0056 

Tested Versions:
Microsoft tested SQL Server 7.0 and 2000 to assess whether they are affected by these 
vulnerabilities. Previous versions are no longer supported, and may or may not be 
affected by these vulnerabilities.



Patch availability

Download locations for this patch SQL Server 7.0: 

The patch for this issue is available in the SQL Server 7.0 Cumulative Security patch 
at http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268 

SQL Server 2000: 

The patch for this issue is available in the SQL Server 2000 Cumulative Security patch 
at http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333 



Additional information about this patch

Installation platforms: 

The SQL Server 7.0 patch can be installed on systems running SQL Server 7.0 Service 
Pack 3.
 
The SQL Server 2000 patch can be installed on systems running SQL Server 2000 Service 
Pack 2. 


Inclusion in future service packs:

SQL Server 7.0 Service Pack 4 

SQL Server 2000 Service Pack 3. 

Reboot needed: 
No. The SQL Server service only needs to be restarted after applying the patch. 

Superseded patches: 
MS01-060 

Verifying patch installation: SQL Server 7.0: 

To ensure that you have properly installed the fix, run the following command from the 
command prompt: 

"SELECT @@VERSION" (without the quotation marks) 

If the patch has been correctly installed, the resulting output will indicate the 
version number as "SQL Server 7.00 - 7.00.1021" or greater. 

To verify the individual files, consult the date/time stamp of the files listed in the 
file manifest in Microsoft Knowledge Base article Q317979. 


SQL Server 2000: 
To ensure that you
 have properly installed the fix, run the following command from the 
command prompt: 

"SELECT @@VERSION" (without the quotation marks) 

If the patch has been correctly installed, the resulting output will indicate the 
version number as "SQL Server 8.00 - 8.00.0578" or greater. 

To verify the individual files, consult the date/time stamp of the files listed in the 
file manifest in Microsoft Knowledge Base article Q317979. 


Caveats:
None 

Localization:
The patches can be applied to all supported SQL Server languages. Localized Readme.txt 
files are included in the packages for installation instructions in all supported 
languages. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 

All patches available via WindowsUpdate also are available in a redistributable form 
from the WindowsUpdate Corporate site. 


Other information: 

Support: 

Microsoft Knowledge Base article Q317979 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles can 
be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There is no 
charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In 
no event shall Microsoft Corporation or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. 

Revisions: 


V1.0 (February 20, 2002): Bulletin Created. 


[***** End Microsoft Security Bulletin MS02-007 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-034: Window File Wiping Utilities Miss Alternate Data Streams
M-035: Red Hat Linux "rsync" Vulnerability
M-036: Microsoft Windows NT/2000 Trust Domain Vulnerability
M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module 
M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability
M-039: Microsoft Telnet Server Buffer Overflow Vulnerability
M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions
M-041: Microsoft Internet Explorer Cumulative Patch
M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP
M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH