Original release date: July 29, 2002<br>
Last revised: February 5, 2003<br>
Source: CERT/CC<br>

<p>A complete revision history can be found at the end of this file.</p>

<br>
<a name="affected"></a>
<h3>Systems Affected</h3>

<ul>
<li>Microsoft SQL Server 7.0</li>
<li>Microsoft SQL Server 2000</li>
<li>Microsoft Desktop Engine (MSDE) 2000</li>
<li>Any <a href="http://www.microsoft.com/technet/security/MSDEapps.asp">application</a> that includes MSDE</li>
</ul>

<br>
<a name="overview"></a>
<h2>Overview</h2>

<p>The Microsoft SQL Server contains several serious vulnerabilities that
allow remote attackers to obtain sensitive information, alter database
content, compromise SQL servers, and, in some configurations, compromise
server hosts.  These vulnerabilities are public and have been addressed by
Microsoft Security Bulletins, but we believe their collective severity
warrants additional attention.

<br>
<a name="description"></a>
<h2>I. Description</h2>

<p>Since December 2001, Microsoft has published eight <a
href="http://www.microsoft.com/technet/security/current.asp">Microsoft
Security Bulletins</a> regarding more than a dozen vulnerabilities in the
Microsoft SQL Server.  This document provides information on the five most
serious of these vulnerabilities; references to the remainder are provided
in <a href="#vulnotes">Appendix B</a>.

<p>In isolation, many of these vulnerabilities have significant
preconditions that are difficult for an attacker to overcome.  However,
when exploited in combination, they give attackers additional
flexibility and increase their chances of success.  In particular, the
privilege escalation vulnerability described in VU#796313 allows an
attacker to weaken the security policy of the SQL server by causing the
SQL Server service to run with the full privileges of the LocalSystem
account.  Once the SQL Server runs with those privileges, any of the
code-execution vulnerabilities below yields control of the server host,
not just of the database.

<p>The CERT/CC encourages system administrators to take this opportunity
to review the security of their Microsoft SQL servers and to apply the
appropriate patches from the Microsoft bulletins listed in Appendix B.

<b>
<p><a href="http://www.kb.cert.org/vuls/id/796313">VU#796313</a> -
Microsoft SQL Server service account registry key has weak permissions that
permit escalation of privileges </b>(<a
href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0642">CAN-2002-0642</a>)

<blockquote>
<p>The Microsoft SQL Server typically runs under a dedicated "service
account" that is defined by system administrators at installation time.
This definition is stored in the Windows registry, and the permissions on
that registry key allow the SQL Server itself (that is, the service
account) to change its value.  As a result, attackers who can execute the
"xp_regwrite" extended stored procedure can alter this registry key and
cause the SQL Server to use the LocalSystem account as its service
account.

<p>Upon rebooting the server host or restarting the SQL service, the SQL
Server will run with the full administrative privileges of the LocalSystem
account.  A remote attacker can then submit SQL queries that execute
arbitrary commands on the host with those privileges.
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/225555">VU#225555</a> -
Microsoft SQL Server contains buffer overflow in pwdencrypt() function
</b>(<a
href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0624">CAN-2002-0624</a>)

<blockquote>
<p>The Microsoft SQL Server provides multiple methods for users to
authenticate to SQL databases.  When SQL Server Authentication is used,
the username and password hash of each database user are stored in a
database on the SQL server.  When a user supplies a password using this
method, a function named pwdencrypt() hashes the user-supplied password
(despite its name, the function does not produce a reversible encryption)
so that the result can be compared with the password hash stored on the
SQL server.

<p>There is a buffer overflow in pwdencrypt() that allows remote attackers
to execute arbitrary code on the SQL server by supplying a crafted
password value.  Successful exploitation of this vulnerability requires
knowledge of a valid username (the password itself is what the attacker
crafts), and the supplied code executes with the privileges of the SQL
service account.
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/627275">VU#627275</a> - Microsoft
SQL Server extended stored procedures contain buffer overflows
</b>(<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0154">CAN-2002-0154</a>)

<blockquote>
<p>Microsoft SQL Server supports "extended stored procedures": procedures
implemented in DLLs that the server loads into its own process and that
can be called from SQL like ordinary stored procedures.  The extended
stored procedures shipped with the Microsoft SQL Server provide increased
functionality for database applications, allowing them to access
operating system or network resources.  Several of them contain buffer
overflow vulnerabilities.

<p>Parameters are passed to extended stored procedures via an API that
specifies the actual and maximum length of various parameter data types.
Some of the extended stored procedures fail to adequately validate the
length of input parameters, resulting in stack buffer overflow conditions.

<p>Since some of the vulnerable procedures are configured by default to
allow public access, it is possible for an unauthenticated attacker to
exploit one or more of these buffer overflows.  SQL Server databases are
commonly used in web applications, so the vulnerable procedures may be
accessible via the Internet.  Microsoft Security Bulletin <a
href="http://www.microsoft.com/technet/security/bulletin/MS02-020.asp">MS02-020</a>
states

<blockquote><i>An attacker could exploit this vulnerability in one of two
ways.  Firstly, the attacker could attempt to load and execute a database
query that calls one of the affected functions.  Secondly, if a web-site
or other database front-end were configured to access and process
arbitrary queries, it could be possible for the attacker to provide inputs
that would cause the query to call one of the functions in question with
the appropriate malformed parameters.</i></blockquote>
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/399260">VU#399260</a> -
Microsoft SQL Server 2000 contains heap buffer overflow in SQL Server
Resolution Service </b>(<a
href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0649">CAN-2002-0649</a>)

<blockquote>
<p>The SQL Server Resolution Service (SSRS) was introduced in Microsoft
SQL Server 2000 to provide referral services for multiple server instances
running on the same machine.  The service listens for requests on UDP port
1434 and returns the IP address and port number of the SQL server instance
that provides access to the requested database.

<p>The SSRS contains a heap buffer overflow that allows unauthenticated
remote attackers to execute arbitrary code by sending a crafted request to
port 1434/udp.  The code within such a request will be executed by the
server host with the privileges of the SQL Server service account.
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/484891">VU#484891</a> -
Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server
Resolution Service </b>(<a
href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0649">CAN-2002-0649</a>)

<blockquote>
<p>The SSRS also contains a stack buffer overflow that allows
unauthenticated remote attackers to execute arbitrary code by sending a
crafted request to port 1434/udp.  The code within such a request will be
executed by the server host with the privileges of the SQL Server service
account.
</blockquote>
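<p>The request/response exchange on 1434/udp described for VU#399260 and
VU#484891 above, as an added example that is not part of the advisory or of
Microsoft's code: a small Python module that builds the documented
discovery requests, parses the instance list a server returns, and
classifies inbound 1434/udp datagrams as well-formed or not.  The message
formats follow Microsoft's published SSRP specification (MS-SQLR), which
the advisory does not cite; the sample response is constructed rather than
captured (8.00.194 is the SQL Server 2000 RTM build number), the
16-character instance-name ceiling and the three-opcode request set are
assumptions made for the classifier, and the live <tt>discover()</tt> probe
is included for completeness but is not exercised offline.</p>

```python
"""SQL Server Resolution Service (SSRP, 1434/udp) helpers: build the
documented discovery requests, parse the instance list a server returns,
and flag datagrams that do not match the documented request grammar.
Added example; message formats per MS-SQLR, not from the advisory."""
import socket
import struct

# Request opcodes from the SSRP specification (MS-SQLR).
CLNT_BCAST_EX = 0x02    # "list every instance", broadcast form
CLNT_UCAST_EX = 0x03    # same, unicast to one host
CLNT_UCAST_INST = 0x04  # "resolve this one instance name"
SVR_RESP = 0x05         # server reply: 0x05, 2-byte LE length, text

# Assumption: SQL Server limits instance names to 16 characters, so a
# CLNT_UCAST_INST carrying a longer name is not something a real client sends.
MAX_INSTANCE_NAME = 16
SSRS_PORT = 1434


def build_request(opcode, instance=None):
    """Return the wire bytes for one of the three documented request types."""
    if opcode in (CLNT_BCAST_EX, CLNT_UCAST_EX):
        return bytes([opcode])
    if opcode == CLNT_UCAST_INST:
        name = instance.encode("ascii")
        if not 1 <= len(name) <= MAX_INSTANCE_NAME:
            raise ValueError("instance name length out of range")
        return bytes([opcode]) + name + b"\x00"
    raise ValueError("unsupported opcode %#x" % opcode)


def classify_request(data):
    """Return 'ok' or 'malformed: <reason>'.  Anything that is not a
    well-formed request is worth alerting on when seen inbound to 1434/udp;
    the function does not claim to know which malformed shape overflows."""
    if not data:
        return "malformed: empty datagram"
    op = data[0]
    if op in (CLNT_BCAST_EX, CLNT_UCAST_EX):
        return "ok" if len(data) == 1 else "malformed: trailing bytes after opcode %#x" % op
    if op == CLNT_UCAST_INST:
        name = data[1:]
        if name.endswith(b"\x00"):      # tolerate the NUL terminator
            name = name[:-1]
        if not name:
            return "malformed: empty instance name"
        if len(name) > MAX_INSTANCE_NAME:
            return "malformed: instance name of %d bytes" % len(name)
        if any(b < 0x20 or b > 0x7E for b in name):
            return "malformed: non-printable bytes in instance name"
        return "ok"
    return "malformed: unknown opcode %#x" % op


def parse_response(data):
    """Parse an SVR_RESP datagram into one dict per instance.  The body is a
    ';'-separated key/value list and each instance record ends with ';;'."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP response")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", "replace")
    instances = []
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def listening_ports(response):
    """TCP ports the instances answer on.  Named instances are not on 1433,
    which is why a filter on port 1433 alone does not cover them."""
    return sorted({int(i["tcp"]) for i in parse_response(response) if "tcp" in i})


def discover(host, timeout=2.0):
    """Live probe: send CLNT_UCAST_EX to one host and parse its reply."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_request(CLNT_UCAST_EX), (host, SSRS_PORT))
        data, _ = s.recvfrom(65535)
    finally:
        s.close()
    return parse_response(data)


# Constructed sample reply (not captured from a real server): the default
# instance on 1433 and a named instance on a non-default port.
SAMPLE_BODY = (b"ServerName;SRV1;InstanceName;MSSQLSERVER;IsClustered;No;"
               b"Version;8.00.194;tcp;1433;;"
               b"ServerName;SRV1;InstanceName;SALES;IsClustered;No;"
               b"Version;8.00.194;tcp;2433;np;\\\\SRV1\\pipe\\MSSQL$SALES\\sql\\query;;")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    for inst in parse_response(SAMPLE_RESPONSE):
        print(inst["InstanceName"], inst["Version"], inst.get("tcp"))
    for pkt in (build_request(CLNT_UCAST_EX),
                build_request(CLNT_UCAST_INST, "SALES"),
                bytes([CLNT_UCAST_INST]) + b"A" * 200):
        print(len(pkt), classify_request(pkt))
```

<p>Because both Resolution Service overflows are reached by a single
unauthenticated datagram, the useful defensive outputs here are the port
inventory (so the workaround in Section III can be applied per host rather
than per port) and the malformed-request classification, which can be run
over captured 1434/udp traffic; the classifier flags anything a legitimate
client would not send without asserting which shape triggers either
overflow.</p>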
 
<br>
<a name="impact"></a>
<h2>II. Impact</h2>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/796313">VU#796313</a> - Microsoft
SQL Server service account registry key has weak permissions that permit
escalation of privileges
</b>

<blockquote>
<p>As a precondition, this vulnerability requires the ability to modify
the SQL service account registry key (for example, via the "xp_regwrite"
extended stored procedure).  Attackers must convince an administrator to
grant this access, or they must obtain it by exploiting one of the
vulnerabilities listed in this advisory.

<p>This vulnerability allows attackers to weaken the security policy of
the SQL Server by elevating its privileges and causing it to run in the
LocalSystem security context.  As a side effect, it increases the severity
of the other vulnerabilities listed in this advisory and may enable
attackers to compromise the server host as well.
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/225555">VU#225555</a> - Microsoft
SQL Server contains buffer overflow in pwdencrypt() function
</b>

<blockquote>
<p>This vulnerability allows remote attackers with knowledge of a valid
username to execute arbitrary code with the privileges of the SQL service
account.
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/627275">VU#627275</a> - Microsoft
SQL Server extended stored procedures contain buffer overflows
</b>

<blockquote>
<p>This vulnerability allows unauthenticated remote attackers to execute
arbitrary code with the privileges of the SQL service account.
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/399260">VU#399260</a> - Microsoft
SQL Server 2000 contains heap buffer overflow in SQL Server Resolution
Service
</b>

<blockquote>
<p>This vulnerability allows unauthenticated remote attackers to execute
arbitrary code with the privileges of the SQL service account.
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/484891">VU#484891</a> - Microsoft
SQL Server 2000 contains stack buffer overflow in SQL Server Resolution
Service
</b>

<blockquote>
<p>This vulnerability allows unauthenticated remote attackers to execute
arbitrary code with the privileges of the SQL service account.
</blockquote>

<br>
<a name="solution"></a>
<h2>III. Solution</h2>

<h4>Apply a patch from Microsoft</h4>
<b>
<p><a href="http://www.kb.cert.org/vuls/id/796313">VU#796313</a> - Microsoft
SQL Server service account registry key has weak permissions that permit
escalation of privileges
</b>
<b>
<br><a href="http://www.kb.cert.org/vuls/id/225555">VU#225555</a> - Microsoft
SQL Server contains buffer overflow in pwdencrypt() function
</b>

<blockquote>
<p>Microsoft has published Security Bulletin MS02-034 to address these
vulnerabilities.  For more information, please see
<blockquote><a
href="http://www.microsoft.com/technet/security/bulletin/MS02-034.asp">http://www.microsoft.com/technet/security/bulletin/MS02-034.asp</a>
</blockquote>
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/627275">VU#627275</a> - Microsoft
SQL Server extended stored procedures contain buffer overflows
</b>

<blockquote>
<p>Microsoft has published Security Bulletin MS02-020 to address this
vulnerability.  For more information, please see

<blockquote><a
href="http://www.microsoft.com/technet/security/bulletin/MS02-020.asp">http://www.microsoft.com/technet/security/bulletin/MS02-020.asp</a>
</blockquote>
</blockquote>

<b>
<p><a href="http://www.kb.cert.org/vuls/id/399260">VU#399260</a> - Microsoft
SQL Server 2000 contains heap buffer overflow in SQL Server Resolution
Service
</b>
<b>
<br><a href="http://www.kb.cert.org/vuls/id/484891">VU#484891</a> - Microsoft
SQL Server 2000 contains stack buffer overflow in SQL Server Resolution
Service
</b>

<blockquote>
<p>Microsoft has published Security Bulletin MS02-039 to address these
vulnerabilities.  For more information, please see

<blockquote><a
href="http://www.microsoft.com/technet/security/bulletin/MS02-039.asp">http://www.microsoft.com/technet/security/bulletin/MS02-039.asp</a>
</blockquote>
</blockquote>
<!-- end apply patch section -->

<h4>Block external access to Microsoft SQL Server ports</h4>

<p>As a workaround, it is possible to limit exposure to these
vulnerabilities by restricting external access to Microsoft SQL Servers on
ports 1433/tcp, 1433/udp, 1434/tcp, and 1434/udp.  Note that <a
href="http://www.kb.cert.org/vuls/id/399260">VU#399260</a> and <a
href="http://www.kb.cert.org/vuls/id/484891">VU#484891</a> can be
exploited using UDP packets with forged source addresses that appear to
belong to legitimate services, so system administrators should block all
incoming packets sent to 1434/udp rather than filtering them by source
address.  Two caveats apply: named instances of SQL Server 2000 listen on
ports other than 1433 (the SQL Server Resolution Service exists precisely
to tell clients which port), so filters should be based on the server
hosts rather than on port 1433 alone; and clients that rely on the
Resolution Service to locate a named instance will need to be configured
with that instance's port explicitly once 1434/udp is blocked.

<br>
<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

<p>This appendix contains information provided by vendors for this
advisory.  As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history.  If a
particular vendor is not listed below, we have not received their
comments.</p>

<br>
<a name="vulnotes"></a>
<h2>Appendix B. - CERT Vulnerability Notes sorted by Microsoft Security Bulletin ID</h2>

<p>This appendix contains a list of CERT Vulnerability Notes sorted in
reverse chronological order by their corresponding Microsoft Security
Bulletin IDs.  System administrators should use this list to ensure that
each of the patches listed in these bulletins has been applied.
</p>

<b><a
href="http://www.microsoft.com/technet/security/bulletin/MS02-039.asp">MS02-039</a>
: Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code
Execution (Q323875)<br></b>

<dl>
<dd><a href="http://www.kb.cert.org/vuls/id/399260">VU#399260</a> -
Microsoft SQL Server 2000 contains heap buffer overflow in SQL Server
Resolution Service</dd>

<dd><a href="http://www.kb.cert.org/vuls/id/484891">VU#484891</a> -
Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server
Resolution Service</dd>

<dd><a href="http://www.kb.cert.org/vuls/id/370308">VU#370308</a> -
Microsoft SQL Server 2000 contains denial-of-service vulnerability in SQL
Server Resolution Service</dd>
</dl>

<!-- end MS bulletin -->
<b><a
href="http://www.microsoft.com/technet/security/bulletin/MS02-038.asp">MS02-038</a>
: Unchecked Buffer in SQL Server 2000 Utilities Could Allow Code Execution
(Q316333)<br></b>

<dl>
<dd><a href="http://www.kb.cert.org/vuls/id/279323">VU#279323</a> -
Microsoft SQL Server contains buffer overflows in several Database
Consistency Checkers</dd>

<dd><a href="http://www.kb.cert.org/vuls/id/508387">VU#508387</a> -
Microsoft SQL Server contains SQL injection vulnerability in replication
stored procedures</dd>
</dl>
<!-- end MS bulletin -->

<b>
<a
href="http://www.microsoft.com/technet/security/bulletin/MS02-035.asp">MS02-035</a>
: SQL Server Installation Process May Leave Passwords on System (Q263968)
</b>

<dl>
<dd><a href="http://www.kb.cert.org/vuls/id/338195">VU#338195</a> -
Microsoft SQL Server installation process leaves sensitive information on
system</dd>
</dl>

<!-- end MS bulletin -->
<b><a
href="http://www.microsoft.com/technet/security/bulletin/MS02-034.asp">MS02-034</a>
: Cumulative Patch for SQL Server (Q316333)<br>
</b>

<dl>
<dd><a href="http://www.kb.cert.org/vuls/id/225555">VU#225555</a> - Microsoft
SQL Server contains buffer overflow in pwdencrypt() function</dd>

<dd><a href="http://www.kb.cert.org/vuls/id/682620">VU#682620</a> - Microsoft
SQL Server contains buffer overflow in code used to process "BULK INSERT"
queries</dd>

<dd><a href="http://www.kb.cert.org/vuls/id/796313">VU#796313</a> - Microsoft
SQL Server service account registry key has weak permissions that permit
escalation of privileges</dd>
</dl>

<!-- end MS bulletin -->
<b><a
href="http://www.microsoft.com/technet/security/bulletin/MS02-030.asp">MS02-030</a>
: Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
</b>

<dl>
<dd><a
href="http://www.kb.cert.org/vuls/id/811371">VU#811371</a> - Microsoft SQLXML
ISAPI filter vulnerable to buffer overflow via <i>contenttype</i>
parameter</dd>

<dd><a href="http://www.kb.cert.org/vuls/id/139931">VU#139931</a> - Microsoft
SQLXML HTTP components vulnerable to cross-site scripting via <i>root</i>
parameter</dd>
</dl>

<!-- end MS bulletin -->

<b><a
href="http://www.microsoft.com/technet/security/bulletin/MS02-020.asp">MS02-020</a>
: SQL Extended Procedure Functions Contain Unchecked Buffers (Q319507)<br>
</b>

<dl>
<dd><a href="http://www.kb.cert.org/vuls/id/627275">VU#627275</a> - Microsoft
SQL Server extended stored procedures contain buffer overflows</dd>
</dl>

<!-- end MS bulletin -->

<b><a
href="http://www.microsoft.com/technet/security/bulletin/MS02-007.asp">MS02-007</a>
: SQL Server Remote Data Source Function Contain Unchecked Buffers<br>
</b>

<dl>
<dd><a href="http://www.kb.cert.org/vuls/id/619707">VU#619707</a> - Microsoft
SQL Server contains buffer overflows in openrowset and opendatasource
macros</dd>
</dl>

<!-- end MS bulletin -->

<b><a
href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-060.asp">MS01-060</a>
: SQL Server Text Formatting Functions Contain Unchecked Buffers
</b>

<dl>
<dd><a href="http://www.kb.cert.org/vuls/id/700575">VU#700575</a> - Buffer
overflows in Microsoft SQL Server 7.0 and SQL Server 2000</dd>
</dl>

<!-- end MS bulletin -->

<br>
<a name="refs"></a>
<h2>Appendix C. - References</h2>

<br><a href="http://www.microsoft.com/technet/security/bulletin/MS02-007.asp">http://www.microsoft.com/technet/security/bulletin/MS02-007.asp</a>
<br><a href="http://www.microsoft.com/technet/security/bulletin/MS02-020.asp">http://www.microsoft.com/technet/security/bulletin/MS02-020.asp</a>
<br><a href="http://www.microsoft.com/technet/security/bulletin/MS02-030.asp">http://www.microsoft.com/technet/security/bulletin/MS02-030.asp</a>
<br><a href="http://www.microsoft.com/technet/security/bulletin/MS02-034.asp">http://www.microsoft.com/technet/security/bulletin/MS02-034.asp</a>
<br><a href="http://www.microsoft.com/technet/security/bulletin/MS02-035.asp">http://www.microsoft.com/technet/security/bulletin/MS02-035.asp</a>
<br><a href="http://www.microsoft.com/technet/security/bulletin/MS02-038.asp">http://www.microsoft.com/technet/security/bulletin/MS02-038.asp</a>
<br><a href="http://www.microsoft.com/technet/security/bulletin/MS02-039.asp">http://www.microsoft.com/technet/security/bulletin/MS02-039.asp</a>
<br><a href="http://www.microsoft.com/technet/security/bulletin/MS01-060.asp">http://www.microsoft.com/technet/security/bulletin/MS01-060.asp</a>
<br><a href="http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333">http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333</a>
<br><a href="http://support.microsoft.com/support/misc/kblookup.asp?id=Q319507">http://support.microsoft.com/support/misc/kblookup.asp?id=Q319507</a>
<br><a href="http://support.microsoft.com/support/misc/kblookup.asp?id=Q323875">http://support.microsoft.com/support/misc/kblookup.asp?id=Q323875</a>
<br><a href="http://www.microsoft.com/technet/security/MSDEapps.asp">http://www.microsoft.com/technet/security/MSDEapps.asp</a>
<br><a href="http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sql2ksec.asp">http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sql2ksec.asp</a>
<br><a href="http://www.appsecinc.com/resources/alerts/mssql/02-0000.html">http://www.appsecinc.com/resources/alerts/mssql/02-0000.html</a>
<br><a href="http://www.nextgenss.com/vna/ms-sql.txt">http://www.nextgenss.com/vna/ms-sql.txt</a>
<br><a href="http://www.theregister.co.uk/content/4/26086.html">http://www.theregister.co.uk/content/4/26086.html</a>
<br><a href="http://www.securityfocus.com/bid/5014">http://www.securityfocus.com/bid/5014</a>
<br><a href="http://www.securityfocus.com/bid/5204">http://www.securityfocus.com/bid/5204</a>
<br><a href="http://www.securityfocus.com/bid/5205">http://www.securityfocus.com/bid/5205</a>
<br><a href="http://www.kb.cert.org/vuls/id/139931">http://www.kb.cert.org/vuls/id/139931</a>
<br><a href="http://www.kb.cert.org/vuls/id/225555">http://www.kb.cert.org/vuls/id/225555</a>
<br><a href="http://www.kb.cert.org/vuls/id/279323">http://www.kb.cert.org/vuls/id/279323</a>
<br><a href="http://www.kb.cert.org/vuls/id/338195">http://www.kb.cert.org/vuls/id/338195</a>
<br><a href="http://www.kb.cert.org/vuls/id/370308">http://www.kb.cert.org/vuls/id/370308</a>
<br><a href="http://www.kb.cert.org/vuls/id/399260">http://www.kb.cert.org/vuls/id/399260</a>
<br><a href="http://www.kb.cert.org/vuls/id/484891">http://www.kb.cert.org/vuls/id/484891</a>
<br><a href="http://www.kb.cert.org/vuls/id/508387">http://www.kb.cert.org/vuls/id/508387</a>
<br><a href="http://www.kb.cert.org/vuls/id/619707">http://www.kb.cert.org/vuls/id/619707</a>
<br><a href="http://www.kb.cert.org/vuls/id/627275">http://www.kb.cert.org/vuls/id/627275</a>
<br><a href="http://www.kb.cert.org/vuls/id/682620">http://www.kb.cert.org/vuls/id/682620</a>
<br><a href="http://www.kb.cert.org/vuls/id/700575">http://www.kb.cert.org/vuls/id/700575</a>
<br><a href="http://www.kb.cert.org/vuls/id/796313">http://www.kb.cert.org/vuls/id/796313</a>
<br><a href="http://www.kb.cert.org/vuls/id/811371">http://www.kb.cert.org/vuls/id/811371</a>

<hr noshade>

<p>The CERT Coordination Center thanks NGSSoftware and Microsoft for their
contributions to this document.</p>

<p></p>

<hr noshade>

<p>Author: This document was written by <a
href="mailto:cert@cert.org?subject=CA-2002-22%20Feedback%20VU%23399260%20VU%23484891%20VU%23225555%20VU%23796313%20VU%23627275">Jeffrey
P. Lanza</a>.  Your feedback is appreciated.

<p></p>


<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History
<tt><pre>
Jul 29, 2002:  Initial release
Jul 29, 2002:  Updated impact section for VU#484891 and VU#399260
Feb 05, 2003:  Updated systems affected and references sections to include URL for Microsoft list of MSDE applications
</pre></tt>
</p>