Vulnerability Note VU#627275
Microsoft SQL Server contains buffer overflow vulnerabilities in multiple extended stored procedures
Overview
Microsoft SQL Server 7.0 and SQL Server 2000 contain buffer overflow vulnerabilities in multiple extended stored procedures. A remote attacker could cause a denial of service or execute arbitrary code or commands with the privileges of the SQL Server process, potentially gaining complete control over a vulnerable system. An attacker could also manipulate databases stored on a vulnerable system.
Description
Microsoft SQL Server provides a scripting construct known as an "extended stored procedure" that can execute a collection of server commands together. Several of the extended stored procedures included with the Microsoft SQL Server contain buffer overflow vulnerabilities. These procedures provide increased functionality for database applications, allowing them to access operating system or network resources. Parameters are passed to extended stored procedures via an API that specifies the actual and maximum length of various parameter data types. Some of the extended stored procedures fail to adequately validate the length of input parameters, resulting in stack buffer overflow conditions. Since some of the vulnerable procedures are configured by default to allow public access, it is possible for an unauthenticated attacker to exploit one or more of these buffer overflows. SQL Server databases are commonly used in web applications, so the vulnerable procedures may be accessible via the Internet. Microsoft Security Bulletin MS02-020 states An attacker could exploit this vulnerability in one of two ways. Firstly, the attacker could attempt to load and execute a database query that calls one of the affected functions. Secondly, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters. |
Impact
This vulnerability allows unauthenticated remote attackers to execute arbitrary code with the privileges of the SQL service account. If the privileges of the service account are elevated via VU#796313, this vulnerability may result in compromise of the server host. |
Solution
Apply patch
|
|
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | 27 Jul 2002 | 29 Jul 2002 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.appsecinc.com/resources/alerts/mssql/02-0000.html
- http://www.microsoft.com/technet/security/bulletin/MS02-020.asp
- http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q319507
- http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=8813
- http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sql2ksec.asp
Credit
The CERT/CC acknowledges Cesar Cerrudo of Application Security, Inc. for reporting these vulnerabilities, and Bronek Kozicki for reporting the privilege elevation issue.
This document was written by Art Manion and Jeffrey P. Lanza.
Other Information
- CVE IDs: CAN-2002-0154
- CERT Advisory: CA-2002-22
- Date Public: 12 Mar 2002
- Date First Published: 26 Jul 2002
- Date Last Updated: 29 Jul 2002
- Severity Metric: 45.18
- Document Revision: 43
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.