Vulnerability Note VU#508387
Microsoft SQL Server contains SQL injection vulnerability in replication stored procedures
Overview
Microsoft SQL Server contains multiple SQL injection vulnerabilities that allow database users to leverage administrative privileges on a single database to execute SQL queries or operating system commands with greater privileges.
Description
Microsoft SQL Server provides a scripting construct known as a "stored procedure" that can execute a collection of server commands together. The SQL Server ships with several stored procedures, two of which contain an SQL injection vulnerability. This type of vulnerability occurs when an application does not properly validate user input before embedding the input into an SQL query. If an attacker submits crafted input containing an SQL query, the application may execute the attacker's query instead of the intended query. According to Microsoft Security Bulletin MS02-038, this vulnerability occurs in two unspecified stored procedures that are used for replicating SQL data between separate servers. An unspecified parameter of these stored procedures will permit a user with db_owner privileges to execute SQL queries on the server or operating system commands on the server host. One of the two stored procedures contains an additional access control flaw that permits exploitation of this vulnerability by any user with an interactive login session. To exploit this vulnerability, an attacker must convince an administrator to enable the "SQL Server Agent Proxy" account, which is normally disabled. |
Impact
This vulnerability allows attackers with limited administrative privileges to execute SQL queries on the server or operating system commands on the server host with the privileges of the SQL Server Agent Proxy account. |
Solution
Apply a patch This vulnerability also affects any products that include the Microsoft Desktop Engine (MSDE) 2000. For more information, please see |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | 24 Jul 2002 | 25 Jul 2002 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.microsoft.com/technet/security/bulletin/ms02-038.asp
- http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333
- http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sql2ksec.asp
- http://www.securityfocus.com/bid/5309
Credit
This vulnerability was reported to Microsoft by Cesar Cerrudo.
This document was written by Jeffrey P. Lanza and is based upon information provided by Microsoft.
Other Information
- CVE IDs: CAN-2001-0645
- Date Public: 24 Jul 2002
- Date First Published: 25 Jul 2002
- Date Last Updated: 06 Feb 2003
- Severity Metric: 2.66
- Document Revision: 16
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.