Just for your information. Mit freundlichen Gr|_en, best regards
Daniel Richardy ________European Witango Mainland Distributor __________ SoftDes GmbH - St. Georgener Strasse 13 - D 79111 Freiburg Web: www.softdes.de Mail: [EMAIL PROTECTED] Phone: +49 - 761 - 4 555 666 Fax: +49 - 761 - 4 555 660 _________________ www.witango.net ___________________ ----- Original Message ----- From: "CERT Advisory" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, July 29, 2002 11:08 PM Subject: CERT Advisory CA-2002-22 Multiple Vulnerabilities in Microsoft SQL Server > > > -----BEGIN PGP SIGNED MESSAGE----- > > CERT Advisory CA-2002-22 Multiple Vulnerabilities in Microsoft SQL Server > > Original release date: July 29, 2002 > Last revised: -- > Source: CERT/CC > > A complete revision history can be found at the end of this file. > > Systems Affected > > * Microsoft SQL Server 7.0 > * Microsoft SQL Server 2000 > * Microsoft SQL Server Desktop Engine 2000 > > Overview > > The Microsoft SQL Server contains several serious vulnerabilities that > allow remote attackers to obtain sensitive information, alter database > content, compromise SQL servers, and, in some configurations, > compromise server hosts. These vulnerabilities are public and have > been addressed by Microsoft Security Bulletins, but we believe their > collective severity warrants additional attention. > > I. Description > > Since December 2001, Microsoft has published eight Microsoft Security > Bulletins regarding more than a dozen vulnerabilities in the Microsoft > SQL Server. This document provides information on the five most > serious of these vulnerabilities; references to the remainder are > provided in Appendix B. > > In isolation, many of these vulnerabilities have significant > preconditions that are difficult for an attacker to overcome. However, > when exploited in combination, they allow attackers to gain additional > flexibility and increase their chances for success. In particular, the > privilege escalation vulnerability described in VU#796313 allows an > attacker to weaken the security policy of the SQL server by granting it > the same privileges as the operating system. With full administrative > privileges, a compromised Microsoft SQL Server can be used to take > control of the server host. > > The CERT/CC encourages system administrators to take this opportunity > to review the security of their Microsoft SQL servers and to apply the > appropriate patches from the Microsoft bulletins listed in Appendix B. > > VU#796313 - Microsoft SQL Server service account registry key has weak > permissions that permit escalation of privileges (CAN-2002-0642) > > The Microsoft SQL Server typically runs under a dedicated "service > account" that is defined by system administrators at installation > time. This definition is stored in the Windows registry with > permissions that allow the SQL Server to change the value of the > registry key. As a result, attackers with access to the > "xp_regwrite" extended stored procedure can alter this registry key > and cause the SQL Server to use the LocalSystem account as its > service account. > > Upon rebooting the server host or restarting the SQL service, the SQL > Server will run with the full administrative privileges of the > LocalSystem account. This ability allows a remote attacker to submit > SQL queries that can execute any command on the system with the > privileges of the operating system. > > VU#225555 - Microsoft SQL Server contains buffer overflow in > pwdencrypt() function (CAN-2002-0624) > > The Microsoft SQL Server provides multiple methods for users to > authenticate to SQL databases. When SQL Server Authentication is > used, the username and password of each database user is stored in a > database on the SQL server. When users supply a password to the > server using this method, a function named pwdencrypt() is > responsible for encrypting the user-supplied password so that it can > be compared to the encrypted password stored on the SQL server. > > There is a buffer overflow in pwdencrypt() that allows remote > attackers to execute arbitrary code on the SQL server by supplying a > crafted password value. Successful exploitation of this > vulnerability requires knowledge of a valid username and will cause > the supplied code to execute with the privileges of the SQL service > account. > > VU#627275 - Microsoft SQL Server extended stored procedures contain > buffer overflows (CAN-2002-0154) > > Microsoft SQL Server provides a scripting construct known as an > "extended stored procedure" that can execute a collection of server > commands together. Several of the extended stored procedures > included with the Microsoft SQL Server contain buffer overflow > vulnerabilities. These procedures provide increased functionality > for database applications, allowing them to access operating system > or network resources. > > Parameters are passed to extended stored procedures via an API that > specifies the actual and maximum length of various parameter data > types. Some of the extended stored procedures fail to adequately > validate the length of input parameters, resulting in stack buffer > overflow conditions. > > Since some of the vulnerable procedures are configured by default to > allow public access, it is possible for an unauthenticated attacker > to exploit one or more of these buffer overflows. SQL Server > databases are commonly used in web applications, so the vulnerable > procedures may be accessible via the Internet. Microsoft Security > Bulletin MS02-020 states > > An attacker could exploit this vulnerability in one of two ways. > Firstly, the attacker could attempt to load and execute a database > query that calls one of the affected functions. Secondly, if a > web-site or other database front-end were configured to access and > process arbitrary queries, it could be possible for the attacker to > provide inputs that would cause the query to call one of the > functions in question with the appropriate malformed parameters. > > VU#399260 - Microsoft SQL Server 2000 contains heap buffer overflow in > SQL Server Resolution Service (CAN-2002-0649) > > The SQL Server Resolution Service (SSRS) was introduced in Microsoft > SQL Server 2000 to provide referral services for multiple server > instances running on the same machine. The service listens for > requests on UDP port 1434 and returns the IP address and port number > of the SQL server instance that provides access to the requested > database. > > The SSRS contains a heap buffer overflow that allows unauthenticated > remote attackers to execute arbitrary code by sending a crafted > request to port 1434/udp. The code within such a request will be > executed by the server host with the privileges of the SQL Server > service account. > > VU#484891 - Microsoft SQL Server 2000 contains stack buffer overflow in > SQL Server Resolution Service (CAN-2002-0649) > > The SSRS also contains a stack buffer overflow that allows > unauthenticated remote attackers to execute arbitrary code by sending > a crafted request to port 1434/udp. The code within such a request > will be executed by the server host with the privileges of the SQL > Server service account. > > II. Impact > > VU#796313 - Microsoft SQL Server service account registry key has weak > permissions that permit escalation of privileges > > As a precondition, this vulnerability requires the ability to modify > the SQL service account registry key (for example, via the > "xp_regwrite" extended stored procedure). Attackers must convince an > administrator to grant this access, or they must obtain it by > exploiting one of the vulnerabilities listed in this advisory. > > This vulnerability allows attackers to weaken the security policy of > the SQL Server by elevating its privileges and causing it to run in > the LocalSystem security context. As a side effect, it increases the > severity of the other vulnerabilities listed in this advisory and may > enable attackers to compromise the server host as well. > > VU#225555 - Microsoft SQL Server contains buffer overflow in > pwdencrypt() function > > This vulnerability allows remote attackers with knowledge of a valid > username to execute arbitrary code with the privileges of the SQL > service account. > > VU#627275 - Microsoft SQL Server extended stored procedures contain > buffer overflows > > This vulnerability allows unauthenticated remote attackers to execute > arbitrary code with the privileges of the SQL service account. > > VU#399260 - Microsoft SQL Server 2000 contains heap buffer overflow in > SQL Server Resolution Service > > This vulnerability allows remote attackers to execute arbitrary code > with the privileges of the SQL service account. > > VU#484891 - Microsoft SQL Server 2000 contains stack buffer overflow in > SQL Server Resolution Service > > This vulnerability allows remote attackers to execute arbitrary code > with the privileges of the SQL service account. > > III. Solution > > Apply a patch from Microsoft > > VU#796313 - Microsoft SQL Server service account registry key has weak > permissions that permit escalation of privileges > > VU#225555 - Microsoft SQL Server contains buffer overflow in > pwdencrypt() function > > Microsoft has published Security Bulletin MS02-034 to address these > vulnerabilities. For more information, please see > > http://www.microsoft.com/technet/security/bulletin/MS02-034.asp > > VU#627275 - Microsoft SQL Server extended stored procedures contain > buffer overflows > > Microsoft has published Security Bulletin MS02-020 to address this > vulnerability. For more information, please see > > http://www.microsoft.com/technet/security/bulletin/MS02-020.asp > > VU#399260 - Microsoft SQL Server 2000 contains heap buffer overflow in > SQL Server Resolution Service > > VU#484891 - Microsoft SQL Server 2000 contains stack buffer overflow in > SQL Server Resolution Service > > Microsoft has published Security Bulletin MS02-039 to address these > vulnerabilities. For more information, please see > > http://www.microsoft.com/technet/security/bulletin/MS02-039.asp > > Block external access to Microsoft SQL Server ports > > As a workaround, it is possible to limit exposure to these > vulnerabilities by restricting external access to Microsoft SQL Servers > on ports 1433/tcp, 1433/udp, 1434/tcp, and 1434/udp. Note that > VU#399260 and VU#484891 can be exploited using UDP packets with forged > source addresses that appear to belong to legitimate services, so > system administrators should restrict all incoming packets sent to > 1434/udp. > > Appendix A. - Vendor Information > > This appendix contains information provided by vendors for this > advisory. As vendors report new information to the CERT/CC, we will > update this section and note the changes in our revision history. If a > particular vendor is not listed below, we have not received their > comments. > > Appendix B. - CERT Vulnerability Notes sorted by Microsoft Security Bulletin > ID > > This appendix contains a list of CERT Vulnerability Notes sorted in > reverse chronological order by their corresponding Microsoft Security > Bulletin IDs. System administrators should use this list to ensure > that each of the patches listed in these bulletins have been applied. > > MS02-039 : Buffer Overruns in SQL Server 2000 Resolution Service Could > Enable Code Execution (Q323875) > > VU#399260 - Microsoft SQL Server 2000 contains heap buffer > overflow in SQL Server Resolution Service > > VU#484891 - Microsoft SQL Server 2000 contains stack buffer > overflow in SQL Server Resolution Service > > VU#370308 - Microsoft SQL Server 2000 contains denial-of-service > vulnerability in SQL Server Resolution Service > > MS02-038 : Unchecked Buffer in SQL Server 2000 Utilities Could Allow > Code Execution (Q316333) > > VU#279323 - Microsoft SQL Server contains buffer overflows in > several Database Consistency Checkers > > VU#508387 - Microsoft SQL Server contains SQL injection > vulnerability in replication stored procedures > > MS02-035 : SQL Server Installation Process May Leave Passwords on > System (Q263968) > > VU#338195 - Microsoft SQL Server installation process leaves > sensitive information on system > > MS02-034 : Cumulative Patch for SQL Server (Q316333) > > VU#225555 - Microsoft SQL Server contains buffer overflow in > pwdencrypt() function > > VU#682620 - Microsoft SQL Server contains buffer overflow in > code used to process "BULK INSERT" queries > > VU#796313 - Microsoft SQL Server service account registry key > has weak permissions that permit escalation of privileges > > MS02-030 : Unchecked Buffer in SQLXML Could Lead to Code Execution > (Q321911) > > VU#811371 - Microsoft SQLXML ISAPI filter vulnerable to buffer > overflow via contenttype parameter > > VU#139931 - Microsoft SQLXML HTTP components vulnerable to > cross-site scripting via root parameter > > MS02-020 : SQL Extended Procedure Functions Contain Unchecked Buffers > (Q319507) > > VU#627275 - Microsoft SQL Server extended stored procedures > contain buffer overflows > > MS02-007 : SQL Server Remote Data Source Function Contain Unchecked > Buffers > > VU#619707 - Microsoft SQL Server contains buffer overflows in > openrowset and opendatasource macros > > MS01-060 : SQL Server Text Formatting Functions Contain Unchecked > Buffers > > VU#700575 - Buffer overflows in Microsoft SQL Server 7.0 and SQL > Server 2000 > > Appendix C. - References > > http://www.microsoft.com/technet/security/bulletin/MS02-007.asp > http://www.microsoft.com/technet/security/bulletin/MS02-020.asp > http://www.microsoft.com/technet/security/bulletin/MS02-030.asp > http://www.microsoft.com/technet/security/bulletin/MS02-034.asp > http://www.microsoft.com/technet/security/bulletin/MS02-035.asp > http://www.microsoft.com/technet/security/bulletin/MS02-038.asp > http://www.microsoft.com/technet/security/bulletin/MS02-039.asp > http://www.microsoft.com/technet/security/bulletin/MS01-060.asp > http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333 > http://support.microsoft.com/support/misc/kblookup.asp?id=Q319507 > http://support.microsoft.com/support/misc/kblookup.asp?id=Q323875 > http://www.appsecinc.com/resources/alerts/mssql/02-0000.html > http://www.nextgenss.com/vna/ms-sql.txt > http://www.theregister.co.uk/content/4/26086.html > http://www.securityfocus.com/bid/5014 > http://www.securityfocus.com/bid/5204 > http://www.securityfocus.com/bid/5205 > http://www.kb.cert.org/vuls/id/139931 > http://www.kb.cert.org/vuls/id/225555 > http://www.kb.cert.org/vuls/id/279323 > http://www.kb.cert.org/vuls/id/338195 > http://www.kb.cert.org/vuls/id/370308 > http://www.kb.cert.org/vuls/id/399260 > http://www.kb.cert.org/vuls/id/484891 > http://www.kb.cert.org/vuls/id/508387 > http://www.kb.cert.org/vuls/id/619707 > http://www.kb.cert.org/vuls/id/627275 > http://www.kb.cert.org/vuls/id/682620 > http://www.kb.cert.org/vuls/id/700575 > http://www.kb.cert.org/vuls/id/796313 > http://www.kb.cert.org/vuls/id/811371 > _________________________________________________________________ > > The CERT Coordination Center thanks NGSSoftware and Microsoft for their > contributions to this document. > _________________________________________________________________ > > Author: This document was written by Jeffrey P. Lanza. Your feedback is > appreciated. > ______________________________________________________________________ > > This document is available from: > http://www.cert.org/advisories/CA-2002-22.html > ______________________________________________________________________ > > CERT/CC Contact Information > > Email: [EMAIL PROTECTED] > Phone: +1 412-268-7090 (24-hour hotline) > Fax: +1 412-268-6989 > Postal address: > CERT Coordination Center > Software Engineering Institute > Carnegie Mellon University > Pittsburgh PA 15213-3890 > U.S.A. > > CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / > EDT(GMT-4) Monday through Friday; they are on call for emergencies > during other hours, on U.S. holidays, and on weekends. > > Using encryption > > We strongly urge you to encrypt sensitive information sent by email. > Our public PGP key is available from > > http://www.cert.org/CERT_PGP.key > > If you prefer to use DES, please call the CERT hotline for more > information. > > Getting security information > > CERT publications and other security information are available from > our web site > > http://www.cert.org/ > > To subscribe to the CERT mailing list for advisories and bulletins, > send email to [EMAIL PROTECTED] Please include in the body of your > message > > subscribe cert-advisory > > * "CERT" and "CERT Coordination Center" are registered in the U.S. > Patent and Trademark Office. > ______________________________________________________________________ > > NO WARRANTY > > Any material furnished by Carnegie Mellon University and the Software > Engineering Institute is furnished on an "as is" basis. Carnegie Mellon > University makes no warranties of any kind, either expressed or implied > as to any matter including, but not limited to, warranty of fitness for > a particular purpose or merchantability, exclusivity or results > obtained from use of the material. Carnegie Mellon University does not > make any warranty of any kind with respect to freedom from patent, > trademark, or copyright infringement. > _________________________________________________________________ > > Conditions for use, disclaimers, and sponsorship information > > Copyright 2002 Carnegie Mellon University. > > Revision History > > Jul 29, 2002: Initial release > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.8 > > iQCVAwUBPUWmOqCVPMXQI2HJAQHTSAQAkzNjKa8E44TnM1L8JK+hl0kqVo5WAfGI > cTaqSkE1h8jkLFugMouPNjRQgdvQj2KRQ5A1XDLl19ciylB52aDwLu3Fpive1wwx > LCqBg0FpvyQC+v9ppk3W8/835Z/3D4/ZdnJPDFyiT1bpz5oZ1Lq4SBWj3+OUd9yb > hZ21kTi6+n4= > =JslD > -----END PGP SIGNATURE----- > ________________________________________________________________________ TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED] with unsubscribe witango-talk in the message body
