From advisories@atstake.com Wed Jul 23 18:25:08 2003 From: "@stake Advisories" To: vulnwatch@vulnwatch.org Date: Wed, 23 Jul 2003 17:10:49 -0400 Subject: [VulnWatch] Microsoft SQL Server local code execution [ The following text is in the "ISO-8859-1" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake Inc. www.atstake.com Security Advisory Advisory Name: Microsoft SQL Server local code execution Release Date: 07/23/2003 Application: Microsoft SQL Server 7, 2000, MSDE Platform: Windows NT/2000/XP Severity: Local code execution / Denial of Service Author: Andreas Junestam (andreas@atstake.com) Vendor Status: Microsoft has patch available CVE Candidate: CAN-2003-0232 Reference: www.atstake.com/research/advisories/2003/a072303-3.txt Overview: Microsoft SQL Server uses LPC (Local Procedure Calls) to implement some of its inter-processes communication. The port providing this service can be used by anyone. By sending a specially crafted message to SQL Server through this port, an attacker can overwrite certain parts of memory and thus execute code using the SQL Server's credentials. Detailed Description: Microsoft SQL Server uses different ways of communicating with a client locally, one of them is over a LPC port. This port can by used by any local user to send information to the SQL Server service. By sending a specially crafted message to this port it is possible to overwrite information stored on the stack. This would allow an attacker to execute code under SQL Server's credentials thereby escalating privileges. This would then allow the user to read and write access to the database files. If the SQL Server is running under the Administrator or Local System account this would enable system compromise. As with most SQL Server issues MSDE is effected. MSDE is included in many Microsoft and non-Microsoft products. A list of products that includes MSDE is here: http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13 Vendor Response: Microsoft was contacted on 02/05/2003 Microsoft has a bulletin and patch available: http://www.microsoft.com/technet/security/bulletin/MS03-031.asp Recommendation: Install the vendor patch. If your SQL Server is running under the Administrator or Local System account consider running SQL Server under a less privileged account. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2003-0232 @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/ @stake Advisory Archive: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2003 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPx75pUe9kNIfAm4yEQKqjwCgjN94EPfRFvtLd/4CHGjbW6QU/XIAoLKp teXQzo5cqxIZY2OcMil/n9AC =iMTE -----END PGP SIGNATURE-----