Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution
Multiple vulnerabilities in Microsoft SQL Server could allow remote attackers to access or modify data, compromise SQL Servers, and, in some configurations, compromise the server hosts.
The first vulnerability affects the SQL Server running under a dedicated service account that stores the definition in the Windows registry with permissions allowing the SQL Server to make changes. Attackers with access to the xp_regwrite extended stored procedure can modify this key and cause the SQL Server to use the LocalSystem account as its own service account. This will allow unauthenticated remote attackers to execute arbitrary code with the privileges of the SQL service account.
The second vulnerability concerns extended stored procedures with a scripting construct that places a collection of commands together. Several of these extended stored procedures allow stack overflows because they do not validate the length of the input paramenters specified by the API.
The third vulnerability exists because the SQL Server provides multiple methods to allow users to authenticate to the SQL databases. When a user supplies a password to the server, a function named pwdencrypt() encrypts the user-supplied password so that it can be compared to the encrypted password stored on the SQL Server. The pwdencrypt() function contains a buffer overflow vulnerability that allows attackers to execute arbitrary code on the SQL Server by using a specially crafted password. Attackers must know a valid user name to successfully exploit this vulnerability.
Finally, the Server Resolution Service (SSRS) contains two buffer overflow vulnerabilities that allow unauthenticated remote attackers to overwrite portions of system memory (the heap in one case, the stack in the other). They can execute arbitrary code by sending a specially crafted request to UDP port 1434. Because attackers can weaken the SQL Server security policy by elevating their privileges to run in the LocalSystem security context, this vulnerability increases the severity of the other vulnerabilities and may enable attackers to compromise the server host as well.
Microsoft SQL Server 2000
Microsoft SQL Server 2000 SP1
Microsoft SQL Server 2000 SP2
Patch: Microsoft Patch Q323875
The SQL Server service needs to be restarted after applying this patch.
Best Practice - Restrict access to business-critical servers
Unprivileged users should not be allowed to interactively log onto business-critical servers.
Source: CVE CAN-2002-0649
Source: CERT CA-2002-22
Source: Security Focus.com 5310
Source: Security Focus.com 5311
Source: Microsoft MS02-039
Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.