Title: SQL Server Text Formatting Functions Contain unchecked Buffers
Date: 20 December 2001
Software: Microsoft SQL Server 7.0 and Microsoft SQL Server 2000
Impact: Run code of attacker's choice on server, denial of service
Max Risk: Moderate
Bulletin: MS01-060
SQL Server 7.0 and 2000 provide a number of functions that enable
database queries to generate text messages. In some cases, the functions create a text message and store it in a variable; in others, the functions directly display the message. Two vulnerabilities associated with these functions have been discovered.
The first vulnerability results because of a flaw in the functions themselves. Several of the functions don't adequately verify that the requested text will fit into the buffer that's supplied to hold it. A buffer overrun could occur as a result, and could be used either to
run code in the security context of the SQL Server service or to cause the SQL Server service to fail. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in.
View: MS Security Bulletin ID 01060
Date: 20 December 2001
Software: Microsoft SQL Server 7.0 and Microsoft SQL Server 2000
Impact: Run code of attacker's choice on server, denial of service
Max Risk: Moderate
Bulletin: MS01-060
SQL Server 7.0 and 2000 provide a number of functions that enable
database queries to generate text messages. In some cases, the functions create a text message and store it in a variable; in others, the functions directly display the message. Two vulnerabilities associated with these functions have been discovered.
The first vulnerability results because of a flaw in the functions themselves. Several of the functions don't adequately verify that the requested text will fit into the buffer that's supplied to hold it. A buffer overrun could occur as a result, and could be used either to
run code in the security context of the SQL Server service or to cause the SQL Server service to fail. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in.
View: MS Security Bulletin ID 01060
The second vulnerability results because of a format string vulnerability in the C runtime functions that the SQL Server functions call when installed on Windows NT(r) 4.0, Windows(r) 2000 or Windows XP. Although format string vulnerabilities often can be exploited to run code of the attacker's choice, that is not true in this case. Because of the specific way this vulnerability occurs, the C Runtime code would always be overrun with the same values regardless of the attacker's inputs. As a result, this vulnerability
could only be used as a denial of service.
An attacker could exploit the vulnerabilities in either of two ways. The most direct way would be for the attacker to simply load and execute a database query that calls one of the affected functions. Alternatively, if a web site or other database front-end would accept and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call an affected function with the appropriate parameters.
Because the two vulnerabilities have different root causes, there are separate patches for each. Microsoft recommends that the SQL Server patch be applied to all affected servers. However, we recommend that customers carefully weigh whether they need to apply the C runtime patch. We make this recommendation for two reasons:
The C runtime vulnerability only allows denial of service attacks, so the threat it poses is somewhat lower. The C runtime plays a crucial role in the operating system itself.
While we are confident that both patches are well-tested, if there were a regression error in the C runtime, the effects would likely be serious and widespread.
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.