Multiple Vulnerabilities in Microsoft SQL Server, Microsoft SQL Server Desktop Engine 2000, and Microsoft Data Engine 1.0
Three new vulnerabilities exist in SQL Server, Microsoft SQL Server Desktop Engine 2000, and Microsoft Data Engine 1.0, the most serious of which could let an attacker execute arbitrary code on the vulnerable system.
October 6, 2002
Reported October 2, 2002, by Microsoft.
VERSIONS AFFECTED
· Microsoft SQL Server 2000
· Microsoft SQL Server 7.0
· Microsoft SQL Server Desktop Engine 2000
· Microsoft Data Engine 1.0
DESCRIPTION
Three new vulnerabilities exist in SQL Server, Microsoft SQL Server Desktop Engine 2000, and Microsoft Data Engine 1.0, the most serious of which could let an attacker execute arbitrary code on the vulnerable system. These vulnerabilities are
· a buffer overrun in a section of code in SQL Server 2000 and Microsoft SQL Server Desktop Engine 2000 associated with user authentication. By sending a specially malformed logon request to an affected server, an attacker can either cause the server to fail or overwrite the server's memory and potentially run code on the server in the SQL Server service's security context. This vulnerability doesn't require the attacker to successfully authenticate to the server or to be able to issue direct commands to the server.
· a buffer overrun in one of the Database Console Commands (DBCC) that ship as part of SQL Server 2000 and 7.0. By exploiting this vulnerability, an attacker can run code in the SQL Server service's security context.
· a vulnerability associated with SQL Server 2000 and 7.0 scheduled jobs. By default, SQL Server lets unprivileged users create scheduled jobs that the SQL Server Agent executes. The vulnerability stems from the fact that when a job step requests that an output file be created, the SQL Server Agent does so using its own privileges rather than the job owner's privileges. As a result, an unprivileged user can submit a job that either creates a file containing valid OS commands in another user's Startup folder or overwrites system files to disrupt system operations.
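The following audit query is an added example, not part of the original advisory or of Microsoft's bulletin. It shows how an administrator can review the exposure described in the third item before (or after) patching: it lists every SQL Server Agent job step that requests an output file and whose job is owned by a login outside the sysadmin role, and flags paths that point at a Startup folder or the system32 directory. It assumes it is run by a sysadmin against msdb on a SQL Server 2000 or 7.0 instance, and it uses only the standard msdb tables (sysjobs, sysjobsteps) and built-in functions (SUSER_SNAME, IS_SRVROLEMEMBER).

```sql
-- Added audit query; not from the original advisory or the vendor bulletin.
-- Assumption: executed as a sysadmin in msdb on SQL Server 2000 or 7.0.
-- Lists Agent job steps that write an output file on behalf of a job owner
-- who is not a sysadmin, i.e. the combination an unprivileged user could
-- abuse, since the Agent writes the file with its own privileges.
USE msdb;
GO

SELECT
    j.name                               AS job_name,
    SUSER_SNAME(j.owner_sid)             AS job_owner,
    j.enabled                            AS job_enabled,
    s.step_id,
    s.step_name,
    s.subsystem,
    s.output_file_name,
    -- Flag the two targets the advisory names: a user's Startup folder
    -- (OS commands run at next logon) and system files under system32.
    CASE
        WHEN s.output_file_name LIKE '%\Start Menu\Programs\Startup\%' THEN 'STARTUP FOLDER'
        WHEN s.output_file_name LIKE '%\system32\%'                   THEN 'SYSTEM DIRECTORY'
        ELSE ''
    END                                  AS path_flag,
    s.command
FROM dbo.sysjobs      AS j
JOIN dbo.sysjobsteps  AS s
    ON s.job_id = j.job_id
WHERE s.output_file_name IS NOT NULL
  AND s.output_file_name <> ''
  -- IS_SRVROLEMEMBER returns 1 for sysadmin members, 0 for other valid
  -- logins and NULL when the owner login no longer exists; an orphaned
  -- owner is treated as non-sysadmin so it is not silently skipped.
  AND ISNULL(IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)), 0) = 0
ORDER BY job_owner, job_name, s.step_id;
GO
```

Any row returned is a job whose output file the Agent will create under its own account rather than the owner's. Rows with a non-empty path_flag deserve immediate attention; the rest should be reviewed for whether the owner needs to create jobs at all, since the patch does not remove the ability of unprivileged users to schedule jobs, only the privilege mismatch when the output file is written.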
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS02-056 (Cumulative Patch for SQL Server) to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin. Because the patch is cumulative, it also includes the fixes from Microsoft's earlier SQL Server bulletins. The patch additionally changes the operation of SQL Server to prevent nonadministrative users from running ad hoc queries against non-SQL OLE DB data sources. This change helps prevent misuse of poorly coded data providers that might be installed on the server; administrators should test it before deployment, because nonadministrative logins that depend on ad hoc distributed queries (OPENROWSET or OPENDATASOURCE) against non-SQL providers will no longer succeed after the patch is applied.
CREDIT
Discovered by [email protected], [email protected], and Martin Rakhmanoff.