WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec

Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution


Date Discovered

Multiple vulnerabilities in Microsoft SQL Server could allow remote attackers to access or modify data, compromise SQL Servers, and, in some configurations, compromise the server hosts.

The first vulnerability affects the SQL Server running under a dedicated service account that stores the definition in the Windows registry with permissions allowing the SQL Server to make changes. Attackers with access to the xp_regwrite extended stored procedure can modify this key and cause the SQL Server to use the LocalSystem account as its own service account. This will allow unauthenticated remote attackers to execute arbitrary code with the privileges of the SQL service account.

The second vulnerability concerns extended stored procedures with a scripting construct that places a collection of commands together. Several of these extended stored procedures allow stack overflows because they do not validate the length of the input paramenters specified by the API.

The third vulnerability exists because the SQL Server provides multiple methods to allow users to authenticate to the SQL databases. When a user supplies a password to the server, a function named pwdencrypt() encrypts the user-supplied password so that it can be compared to the encrypted password stored on the SQL Server. The pwdencrypt() function contains a buffer overflow vulnerability that allows attackers to execute arbitrary code on the SQL Server by using a specially crafted password. Attackers must know a valid user name to successfully exploit this vulnerability.

Finally, the Server Resolution Service (SSRS) contains two buffer overflow vulnerabilities that allow unauthenticated remote attackers to overwrite portions of system memory (the heap in one case, the stack in the other). They can execute arbitrary code by sending a specially crafted request to UDP port 1434. Because attackers can weaken the SQL Server security policy by elevating their privileges to run in the LocalSystem security context, this vulnerability increases the severity of the other vulnerabilities and may enable attackers to compromise the server host as well.

Platforms Affected

Components Affected
Microsoft SQL Server 2000
Microsoft SQL Server 2000 SP1
Microsoft SQL Server 2000 SP2

Patch: Microsoft Patch Q323875

The SQL Server service needs to be restarted after applying this patch.

Best Practice - Restrict access to business-critical servers

Unprivileged users should not be allowed to interactively log onto business-critical servers.

Source: CVE CAN-2002-0649
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0649

Source: CERT CA-2002-22
URL: http://www.cert.org/advisories/CA-2002-22.html

Source: Security Focus.com 5310
URL: http://online.securityfocus.com/bid/5310

Source: Security Focus.com 5311
URL: http://online.securityfocus.com/bid/5311

Source: Microsoft MS02-039
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-039.asp

Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.