
Multiple Microsoft SQL Server Vulnerabilities

Risk
High

Date Discovered
10-02-2002

Description
Microsoft has released a security bulletin reporting multiple vulnerabilities in Microsoft SQL Server.

The first of these issues is a buffer overflow in SQL Server user authentication. It is possible to corrupt memory with a malformed login request. This may enable an attacker to execute arbitrary code with the privileges of the SQL Server process. Malformed login requests may also cause a denial of service. It is possible to trigger this condition prior to authenticating with the server. This issue affects Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000.

The second issue is a buffer overflow in one of the Database Console Commands (DBCCs) that ship with the vulnerable products. This issue may be exploited to execute arbitrary code with the privileges of the SQL Server process. Authentication is required to exploit this vulnerability. The issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000.

The third issue is related to how the affected products handle scheduled jobs. The SQL Server Agent may be instructed to create an output file during a job step. The output file will be created with the privileges of the SQL Server Agent, instead of the privileges of the user who scheduled the job. As a result, a malicious authenticated user could schedule a job step which creates a malicious output file in an attacker-specified directory. This may potentially be exploited to allow for execution of operating system commands with elevated privileges. An attacker will also be able to cause sensitive files to be corrupted. This issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000.
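For the third issue, a defender's first question is which scheduled jobs already write output files and where. The following T-SQL audit query is an added example, not part of the Symantec advisory or of Microsoft's bulletin; it assumes the msdb.dbo.sysjobs and msdb.dbo.sysjobsteps catalog tables (with the output_file_name column) and SUSER_SNAME() as they exist in SQL Server 7.0/2000. Run it as a sysadmin to list every job step with an output file, along with the job owner, so that steps owned by low-privileged logins or pointing at directories outside the expected log location can be reviewed before and after patching.

```sql
-- Added audit query (not from the Symantec advisory or from Microsoft).
-- Assumes msdb.dbo.sysjobs / msdb.dbo.sysjobsteps and SUSER_SNAME() as
-- shipped with SQL Server 7.0 and 2000.
USE msdb
GO
SELECT  j.name                   AS job_name,
        SUSER_SNAME(j.owner_sid) AS job_owner,     -- login that scheduled the job
        s.step_id,
        s.step_name,
        s.subsystem,                               -- e.g. TSQL, CmdExec
        s.output_file_name                         -- path written by SQL Server Agent
FROM    dbo.sysjobs      AS j
JOIN    dbo.sysjobsteps  AS s ON s.job_id = j.job_id
WHERE   s.output_file_name IS NOT NULL
  AND   LTRIM(RTRIM(s.output_file_name)) <> ''
ORDER BY job_owner, job_name, s.step_id
GO
```

Rows whose job_owner is not a member of the sysadmin role, or whose output_file_name points at a system directory, a startup folder or another location the job has no business writing to, are the ones to review; because the file is written with the SQL Server Agent service account's privileges, the owner's own permissions say nothing about what the step can overwrite.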

Platforms Affected
Microsoft Access 2000
Microsoft BackOffice 4.5
Microsoft Project Central Server
Microsoft SQL Server 7.0
Microsoft SQL Server 2000
Microsoft Visual Studio 6.0
Microsoft Windows 2000 Workstation
Microsoft Windows 2000 Workstation SP1
Microsoft Windows 2000 Workstation SP2
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 SP1
Microsoft Windows NT 4.0 SP2
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT 4.0 SP4
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP6
Microsoft Windows NT 4.0 SP6a

Components Affected
Microsoft Data Engine 1.0
Microsoft Data Engine 2000
Microsoft SQL Server 7.0 SP4
Microsoft SQL Server 7.0 SP3
Microsoft SQL Server 7.0 SP2
Microsoft SQL Server 7.0 SP1
Microsoft SQL Server 7.0
Microsoft SQL Server 2000 SP2
Microsoft SQL Server 2000 SP1
Microsoft SQL Server 2000

Recommendations
Block external access at the network boundary, unless service is required by external parties.
Blocking access to the SQL Server port (1433) at the network boundary may prevent exploitation of some of these issues.

Permit privileged access for trusted individuals only.
Ensure database access controls are in place. Permit access for trusted individuals only.

Microsoft has released fixes:

Microsoft Data Engine 1.0:
Microsoft Data Engine 2000:
Microsoft SQL Server 7.0 SP4:

Microsoft Patch Q327068
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327068&sd=tech

Microsoft SQL Server 7.0 SP3:
Microsoft SQL Server 7.0 SP2:
Microsoft SQL Server 7.0 SP1:
Microsoft SQL Server 7.0:
Microsoft SQL Server 2000 SP2:

Microsoft Patch Q316333
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech

Microsoft SQL Server 2000 SP1:
Microsoft SQL Server 2000:

References
Source: Microsoft Security Bulletin MS02-056
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-056.asp

Credits
Discovery of these issues is credited to <sk@scan-associates.net>, <pokleyzz@scan-associates.net> and Martin Rakhmanoff <jimmers@yandex.ru>.


Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.