MS02-056 : Cumulative Patch for SQL Server (Q316333)



----------------------------------------------------------------------
Title:      Cumulative Patch for SQL Server (Q316333)
Date:       02 October 2002
Software:   Microsoft SQL Server 7.0
            Microsoft Data Engine (MSDE) 1.0
            Microsoft SQL Server 2000
            Microsoft Desktop Engine (MSDE) 2000
Impact:     Four vulnerabilities, the most serious of which could
            enable an attacker to gain control over an affected
            server.
Max Risk:   Critical
Bulletin:   MS02-056

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/...in/MS02-056.asp
----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, and
Microsoft Data Engine (MSDE) 1.0, Microsoft Desktop Engine (MSDE)
2000. In addition, it eliminates four newly discovered vulnerabilities.

* A buffer overrun in a section of code in SQL Server 2000
  (and MSDE 2000) associated with user authentication. By
  sending a specially malformed login request to an affected
  server, an attacker could either cause the server to fail or
  gain the ability to overwrite memory on the server, thereby
  potentially running code on the server in the security context
  of the SQL Server service. It would not be necessary for the
  user to successfully authenticate to the server or to be able
  to issue direct commands to it in order to exploit the
  vulnerability.

* A buffer overrun vulnerability that occurs in one of the
  Database Console Commands (DBCCs) that ship as part of SQL
  Server 7.0 and 2000. In the most serious case, exploiting
  this vulnerability would enable an attacker to run code in
  the context of the SQL Server service, thereby giving the
  attacker complete control over all databases on the server.

* A vulnerability associated with scheduled jobs in SQL Server
  7.0 and 2000. SQL Server allows unprivileged users to create
  scheduled jobs that will be executed by the SQL Server Agent.
  By design, the SQL Server Agent should only perform job
  steps that are appropriate for the requesting user's
  privileges. However, when a job step requests that an output file
  be created, the SQL Server Agent does so using its own
  privileges rather than the job owner's privileges. This creates a
  situation in which an unprivileged user could submit a job
  that would create a file containing valid operating system
  commands in another user's Startup folder, or simply
  overwrite system files in order to disrupt system operation.

The patch also changes the operation of SQL Server, to prevent
non-administrative users from running ad hoc queries against
non-SQL OLEDB data sources. Although the current operation does
not represent a security vulnerability, the new operation makes
it more difficult to misuse poorly coded data providers that might
be installed on the server.

Mitigating Factors:
====================
Unchecked buffer in SQL Server 2000 authentication function:

* This vulnerability only affects SQL Server 2000 and MSDE 2000.
  Neither SQL Server 7.0 nor MSDE 1.0 are affected.
* If the SQL Server port (port 1433) were blocked at the firewall,
  the vulnerability could not be exploited from the Internet.
* Exploiting this vulnerability would allow the attacker to
  escalate privileges to the level of the SQL Server service
  account. By default, the service runs with the privileges of a
  domain user, rather than with system privileges.

Unchecked buffer in Database Console Commands:

* Exploiting this vulnerability would allow the attacker to
  escalate privileges to the level of the SQL Server service
  account. By default, the service runs with the privileges of a
  domain user, rather than with system privileges.
* The vulnerability could only be exploited by an attacker who
  could authenticate to an affected SQL Server or has permissions
  to execute queries directly to the server.
* The vulnerability could only be exploited by an attacker who
  could authenticate to an affected SQL Server.

Flaw in output file handling for scheduled jobs:

* The vulnerability could only be exploited by an attacker who
  could authenticate to an affected SQL Server.

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/...in/ms02-056.asp
  for information on obtaining this patch.

Acknowledgment:
===================
* Issue regarding ad hoc queries against non-SQL OLEDB data
  sources:
  sk@scan-associates.net and pokleyzz@scan-associates.net
* Unchecked buffer in Database Console Commands:
  Martin Rakhmanoff (jimmers@yandex.ru)

---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

Source: Microsoft Email
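
An added audit query for the scheduled-jobs issue described in the bulletin above; it is not part of the bulletin or of Microsoft's guidance. It lists SQL Server Agent job steps that request an output file and whose job owner is not a sysadmin login, assuming the msdb catalog tables `sysjobs` and `sysjobsteps` and `master.dbo.syslogins` as shipped with SQL Server 7.0/2000; the path patterns are illustrative assumptions.

```sql
-- Added example, not from the bulletin: review Agent job steps whose
-- output file would be written with the Agent's privileges on behalf
-- of a non-sysadmin job owner.
USE msdb
GO

SELECT
    j.name                   AS job_name,
    SUSER_SNAME(j.owner_sid) AS job_owner,
    s.step_id,
    s.step_name,
    s.subsystem,
    s.output_file_name,
    j.date_created,
    j.date_modified,
    -- Path patterns below are assumptions chosen for illustration;
    -- adjust them to the directory layout of the audited host.
    CASE
        WHEN LOWER(s.output_file_name)
             LIKE '%\start menu\programs\startup\%' THEN 'Startup folder'
        WHEN LOWER(s.output_file_name) LIKE '%\winnt\%'
          OR LOWER(s.output_file_name) LIKE '%\windows\%' THEN 'System directory'
        ELSE 'Other path'
    END                      AS path_class
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS s
    ON s.job_id = j.job_id
-- Owners that reach sysadmin only through a Windows group have no row
-- of their own in syslogins and are therefore reported here as well.
LEFT JOIN master.dbo.syslogins AS l
    ON l.sid = j.owner_sid
WHERE s.output_file_name IS NOT NULL
  AND LEN(s.output_file_name) > 0
  AND ISNULL(l.sysadmin, 0) = 0
ORDER BY path_class DESC, j.date_modified DESC
GO
```

Rows classified as Startup folder or System directory are the ones to review first; an empty result means no non-sysadmin job currently requests an output file.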
