
Microsoft SQL Server extended procedure function buffer overflow allows DoS or arbitrary code

Risk
High

Date Discovered
03-28-2002

Description
Microsoft SQL Server 7.0 and 2000 extended stored procedures contain buffer overflow vulnerabilities that could be exploited to crash the SQL Server resulting in a denial of service (DoS) or, potentially, permit arbitrary code execution.

Extended stored procedures are used to perform tasks related to the interaction of SQL Server with the external operating environment. An extended stored procedure, implemented in a DLL that is called at runtime by an application, is used in much the same way as normal database stored procedures. Database queries can pass data to these procedures, which can return results as well as status.

Several of the extended stored procedures provided by SQL Server do not correctly process user input. The procedures fail to do proper bounds checking of the input. To exploit these vulnerabilities, an attacker could construct a query that calls an affected function and overflows the buffer. This could cause the SQL Server to crash or, potentially, permit the attacker to run arbitrary code in the security context of the SQL Server.
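The missing bounds check described above, shown beside a checked form, as an added example that is not code from SQL Server or from this advisory. The `xp_param` type, the function names, the status codes and the 64-byte buffer are hypothetical stand-ins for how a procedure receives query-supplied data.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for one query-supplied parameter: raw bytes plus
   the length the caller sent. Not the SQL Server API. */
typedef struct { const char *data; size_t len; } xp_param;

enum { XP_OK = 0, XP_ERR_TOO_LONG = 1, XP_ERR_BAD_ARG = 2 };
#define XP_NAME_MAX 64  /* constructed size of the fixed work buffer */

/* Flawed pattern: the copy length comes from the query and is never
   compared with the destination, assumed to hold XP_NAME_MAX bytes. */
int xp_read_name_unchecked(char *dst, const xp_param *p)
{
    memcpy(dst, p->data, p->len);  /* overruns dst once len >= XP_NAME_MAX */
    dst[p->len] = '\0';
    return XP_OK;
}

/* Hardened form: validate first, and report oversize input as a status
   rather than truncating it silently. */
int xp_read_name_checked(char *dst, size_t dst_size, const xp_param *p)
{
    if (dst == NULL || dst_size == 0 || p == NULL)
        return XP_ERR_BAD_ARG;
    dst[0] = '\0';                 /* defined contents on every error path */
    if (p->data == NULL && p->len != 0)
        return XP_ERR_BAD_ARG;
    if (p->len >= dst_size)        /* keep one byte for the terminator */
        return XP_ERR_TOO_LONG;
    if (p->len != 0)
        memcpy(dst, p->data, p->len);
    dst[p->len] = '\0';
    return XP_OK;
}

int main(void)
{
    char name[XP_NAME_MAX], big[200];
    xp_param ok = { "orders", 6 };     /* constructed sample inputs */
    xp_param over = { big, sizeof big };
    memset(big, 'A', sizeof big);
    if (xp_read_name_checked(name, sizeof name, &ok) != XP_OK) return 1;
    if (xp_read_name_checked(name, sizeof name, &over) != XP_ERR_TOO_LONG) return 1;
    return 0;
}
```

Returning a distinct status for oversize input lets the calling query fail cleanly, and it gives operators an error they can log and alert on.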

There are mitigating factors that affect the overall impact of successful exploitation of this vulnerability:

  • SQL Server can be configured to run in a security context in accordance with the rule of least privilege. This limits the actions an attacker could take when mounting an attack.
  • Attackers need to have the ability to load and run a query of their own on the server, or be able to pass information of their own choosing into an existing query within the system.

The risk associated with this vulnerability depends heavily on the level of access at which the server is running. SQL Server may run in any security context the administrator defines, including one with elevated privileges. By default, SQL Server runs in the security context of a domain user.

Platforms Affected
Windows

Components Affected
Microsoft SQL Server 7.0 and 2000

Recommendations
Install the Microsoft Cumulative Security Patch for SQL Server 7.0
Installing the Microsoft Cumulative Security Patch for SQL Server eliminates this and previously detected security vulnerabilities as well. Select the appropriate patch for your specific application.

Install the Microsoft Cumulative Security Patch for SQL Server 2000
Installing the Microsoft Cumulative Security Patch for SQL Server eliminates this and previously detected security vulnerabilities as well. Select the appropriate patch for your specific application.

Best Practice: Least Privilege
Least Privilege requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. Applying this principle will limit the damage that can result from either accident, error, or unauthorized use of an information system.

References
Source: Microsoft MS02-020
URL: http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-020.asp

Source: Microsoft Knowledge Base Q319507
URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q319507

Source: CAN 2002-0154
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0154

Source: Security Focus.com
URL: http://www.securityfocus.com/bid/4231


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.