Vulnerability Note VU#627275

Microsoft SQL Server contains buffer overflow vulnerabilities in multiple extended stored procedures

Overview

Microsoft SQL Server 7.0 and SQL Server 2000 contain buffer overflow vulnerabilities in multiple extended stored procedures. A remote attacker could cause a denial of service or execute arbitrary code or commands with the privileges of the SQL Server process, potentially gaining complete control over a vulnerable system. An attacker could also manipulate databases stored on a vulnerable system.

I. Description

Microsoft SQL Server provides a scripting construct known as an "extended stored procedure" that can execute a collection of server commands together. Several of the extended stored procedures included with the Microsoft SQL Server contain buffer overflow vulnerabilities. These procedures provide increased functionality for database applications, allowing them to access operating system or network resources.

Parameters are passed to extended stored procedures via an API that specifies the actual and maximum length of various parameter data types. Some of the extended stored procedures fail to adequately validate the length of input parameters, resulting in stack buffer overflow conditions. Since some of the vulnerable procedures are configured by default to allow public access, it is possible for an unauthenticated attacker to exploit one or more of these buffer overflows. SQL Server databases are commonly used in web applications, so the vulnerable procedures may be accessible via the Internet. Microsoft Security Bulletin MS02-020 states

An attacker could exploit this vulnerability in one of two ways. Firstly, the attacker could attempt to load and execute a database query that calls one of the affected functions. Secondly, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.

II. Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with the privileges of the SQL service account. If the privileges of the service account are elevated via VU#796313, this vulnerability may result in compromise of the server host.

III. Solution

Apply patch

Microsoft has published Security Bulletin MS02-020 to address this vulnerability. For more information, please see

http://www.microsoft.com/technet/security/bulletin/MS02-020.asp

Disable vulnerable procedures

Disable (drop) the vulnerable extended stored procedures. Note that this may affect functionality, and that the CERT/CC has not verified the list of vulnerable procedures referenced in the Application Security, Inc. report.

Systems Affected

Vendor	Status	Date Updated
Microsoft Corporation	Vulnerable	29-Jul-2002

References

http://www.appsecinc.com/resources/alerts/mssql/02-0000.html
http://www.microsoft.com/technet/security/bulletin/MS02-020.asp
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q319507
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=8813
http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sql2ksec.asp

Credit

The CERT/CC acknowledges Cesar Cerrudo of Application Security, Inc. for reporting these vulnerabilities, and Bronek Kozicki for reporting the privilege elevation issue.

This document was written by Art Manion and Jeffrey P. Lanza.

Other Information

Date Public	03/12/2002
Date First Published	07/26/2002 03:48:03 AM
Date Last Updated	07/29/2002
CERT Advisory	CA-2002-22
CVE Name	CAN-2002-0154
US-CERT Technical Alerts
Metric	45.18
Document Revision	43

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader