US-CERT Vulnerability Notes Database

Vulnerability Note VU#508387

Microsoft SQL Server contains SQL injection vulnerability in replication stored procedures

Overview

Microsoft SQL Server contains multiple SQL injection vulnerabilities that allow database users to leverage administrative privileges on a single database to execute SQL queries or operating system commands with greater privileges.

I. Description

Microsoft SQL Server provides a scripting construct known as a "stored procedure" that can execute a collection of server commands together. The SQL Server ships with several stored procedures, two of which contain an SQL injection vulnerability. This type of vulnerability occurs when an application does not properly validate user input before embedding the input into an SQL query. If an attacker submits crafted input containing an SQL query, the application may execute the attacker's query instead of the intended query.

According to Microsoft Security Bulletin MS02-038, this vulnerability occurs in two unspecified stored procedures that are used for replicating SQL data between separate servers. An unspecified parameter of these stored procedures will permit a user with db_owner privileges to execute SQL queries on the server or operating system commands on the server host. One of the two stored procedures contains an additional access control flaw that permits exploitation of this vulnerability by any user with an interactive login session. To exploit this vulnerability, an attacker must convince an administrator to enable the "SQL Server Agent Proxy" account, which is normally disabled.
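
The injection pattern described above and its fix, shown as an added T-SQL example that is not code from this note or from Microsoft. The procedure, table and column names are hypothetical; these are not the replication procedures covered by MS02-038, which the bulletin leaves unspecified.

```sql
-- Hypothetical procedures for illustration only. Assumes the target tables
-- live in the dbo schema and have an owner_name column (constructed example).

-- Vulnerable pattern: both parameters are concatenated into dynamic SQL, so
-- their contents are parsed as SQL text instead of being treated as values.
-- The assembled statement runs with whatever privileges the procedure's
-- execution context carries.
CREATE PROCEDURE dbo.usp_demo_count_rows_unsafe
    @table_name nvarchar(256),
    @owner_name nvarchar(256)
AS
BEGIN
    DECLARE @sql nvarchar(1000)
    SET @sql = N'SELECT COUNT(*) FROM ' + @table_name
             + N' WHERE owner_name = ''' + @owner_name + N''''
    EXEC (@sql)   -- executes the string exactly as assembled from caller input
END
GO

-- Hardened pattern:
--   1. the identifier is validated against the catalog and wrapped with
--      QUOTENAME, so it can only ever name an existing dbo table;
--   2. the data value is passed to sp_executesql as a typed parameter, so it
--      never becomes part of the statement text.
CREATE PROCEDURE dbo.usp_demo_count_rows_safe
    @table_name sysname,
    @owner_name nvarchar(128)
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES
                   WHERE TABLE_SCHEMA = N'dbo' AND TABLE_NAME = @table_name)
    BEGIN
        RAISERROR (N'Unknown table name.', 16, 1)
        RETURN 1
    END

    DECLARE @sql nvarchar(1000)
    SET @sql = N'SELECT COUNT(*) FROM dbo.' + QUOTENAME(@table_name)
             + N' WHERE owner_name = @owner'
    EXEC sp_executesql @sql, N'@owner nvarchar(128)', @owner = @owner_name
    RETURN 0
END
GO
```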

II. Impact

This vulnerability allows attackers with limited administrative privileges to execute SQL queries on the server or operating system commands on the server host with the privileges of the SQL Server Agent Proxy account.

III. Solution

Apply a patch


Microsoft has published Security Bulletin MS02-038 to address this vulnerability. For more information, please see


This vulnerability also affects any products that include the Microsoft Desktop Engine (MSDE) 2000. For more information, please see

Systems Affected

Vendor | Status | Date Updated
Microsoft Corporation | Vulnerable | 25-Jul-2002

References


http://www.microsoft.com/technet/security/bulletin/ms02-038.asp
http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333
http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sql2ksec.asp
http://www.securityfocus.com/bid/5309

Credit

This vulnerability was reported to Microsoft by Cesar Cerrudo.

This document was written by Jeffrey P. Lanza and is based upon information provided by Microsoft.

Other Information

Date Public: 07/24/2002
Date First Published: 07/25/2002 06:47:56 PM
Date Last Updated: 02/06/2003
CERT Advisory:
CVE Name: CAN-2001-0645
US-CERT Technical Alerts:
Metric: 2.66
Document Revision: 16

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2002 Carnegie Mellon University