Vulnerability Note VU#627275

Microsoft SQL Server contains buffer overflow vulnerabilities in multiple extended stored procedures

Original Release date: 26 Jul 2002 | Last revised: 29 Jul 2002

Overview

Microsoft SQL Server 7.0 and SQL Server 2000 contain buffer overflow vulnerabilities in multiple extended stored procedures. A remote attacker could cause a denial of service or execute arbitrary code or commands with the privileges of the SQL Server process, potentially gaining complete control over a vulnerable system. An attacker could also manipulate databases stored on a vulnerable system.

Description

Microsoft SQL Server provides a scripting construct known as an "extended stored procedure" that can execute a collection of server commands together. Several of the extended stored procedures included with the Microsoft SQL Server contain buffer overflow vulnerabilities. These procedures provide increased functionality for database applications, allowing them to access operating system or network resources.

Parameters are passed to extended stored procedures via an API that specifies the actual and maximum length of various parameter data types. Some of the extended stored procedures fail to adequately validate the length of input parameters, resulting in stack buffer overflow conditions. Since some of the vulnerable procedures are configured by default to allow public access, it is possible for an unauthenticated attacker to exploit one or more of these buffer overflows. SQL Server databases are commonly used in web applications, so the vulnerable procedures may be accessible via the Internet. Microsoft Security Bulletin MS02-020 states

An attacker could exploit this vulnerability in one of two ways. Firstly, the attacker could attempt to load and execute a database query that calls one of the affected functions. Secondly, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.

Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with the privileges of the SQL service account. If the privileges of the service account are elevated via VU#796313, this vulnerability may result in compromise of the server host.

Solution

Apply patch


Microsoft has published Security Bulletin MS02-020 to address this vulnerability. For more information, please see


Disable vulnerable procedures

Disable (drop) the vulnerable extended stored procedures. Note that this may affect functionality, and that the CERT/CC has not verified the list of vulnerable procedures referenced in the Application Security, Inc. report.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected27 Jul 200229 Jul 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC acknowledges Cesar Cerrudo of Application Security, Inc. for reporting these vulnerabilities, and Bronek Kozicki for reporting the privilege elevation issue.

This document was written by Art Manion and Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2002-0154
  • CERT Advisory: CA-2002-22
  • Date Public: 12 Mar 2002
  • Date First Published: 26 Jul 2002
  • Date Last Updated: 29 Jul 2002
  • Severity Metric: 45.18
  • Document Revision: 43

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.