From 0_29486_AE7F5476-145E-455E-9095-807DF5278AEC_US@Newsletters.Microsoft.com Sat Apr 20 15:31:59 2002
From: Microsoft <0_29486_AE7F5476-145E-455E-9095-807DF5278AEC_US@Newsletters.Microsoft.com>
To: bugtraq@securityfocus.com
Date: Wed, 17 Apr 2002 18:04:06 -0700
Reply-To: 3_29486_AE7F5476-145E-455E-9095-807DF5278AEC_US@Newsletters.Microsoft.com
Subject: Microsoft Security Bulletin MS02-020:SQL Extended Procedure Functions Contain Unchecked Buffers (Q319507)

----------------------------------------------------------------------
Title:      SQL Extended Procedure Functions Contain Unchecked Buffers
            (Q319507)
Date:       17 April 2002
Software:   Microsoft SQL Server
Impact:     Run Code of Attacker's Choice
Max Risk:   Moderate
Bulletin:   MS02-020

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-020.asp.
----------------------------------------------------------------------

Issue:
======
SQL Server 7.0 and 2000 provide for extended stored procedures, which
are external routines written in a programming language such as C.
These procedures appear to users as normal stored procedures and are
executed in the same way. SQL Server 7.0 and 2000 include a number of
extended stored procedures which are used for various helper
functions.

Several of the Microsoft-provided extended stored procedures have a
flaw in common - namely, they fail to perform input validation
correctly, and are susceptible to buffer overruns as a result.
Exploiting the flaw could enable an attacker to either cause the SQL
Server service to fail, or to cause code to run in the security
context in which SQL Server is running. SQL Server can be configured
to run in various security contexts, and by default runs as a domain
user. The precise privileges the attacker could gain would depend on
the specific security context that the service runs in.

An attacker could exploit this vulnerability in one of two ways.
Firstly, the attacker could attempt to load and execute a database
query that calls one of the affected functions. Secondly, if a
web-site or other database front-end were configured to access and
process arbitrary queries, it could be possible for the attacker to
provide inputs that would cause the query to call one of the
functions in question with the appropriate malformed parameters.

Mitigating Factors:
====================
 - The effect of exploiting the vulnerability would depend on the
   specific configuration of the SQL Server service. SQL Server can
   be configured to run in a security context chosen by the
   administrator. By default, this context is as a domain user. If
   the rule of least privilege has been followed, it would minimize
   the amount of damage an attacker could achieve.

 - The vector for exploiting this vulnerability could be blocked by
   following best practices. Specifically, untrusted users should
   not be able to load and execute queries of their choice on a
   database server. In addition, publicly accessible database
   queries should filter all inputs prior to processing.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-020.asp
   for information on obtaining this patch.

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
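
The bulletin does not publish the affected code. As an added illustration (not Microsoft's code and not part of the bulletin), the C below contrasts an external routine that copies a length-counted parameter into a fixed buffer without validating it against one that validates first. The names xp_param, XP_BUF_LEN, copy_name_unchecked and copy_name_checked are hypothetical, and the buffer size is constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#define XP_BUF_LEN 128  /* constructed size of the routine's fixed buffer */

/* Hypothetical stand-in for one parameter handed to an external routine:
   length-counted bytes, not guaranteed to be NUL-terminated. */
struct xp_param {
    const unsigned char *data;
    size_t len;
};

enum xp_status { XP_OK = 0, XP_BAD_PARAM = 1 };

/* Unchecked form: trusts the caller-supplied length. Any len greater than
   XP_BUF_LEN writes past the end of out. Shown for contrast only. */
enum xp_status copy_name_unchecked(const struct xp_param *p, char *out)
{
    memcpy(out, p->data, p->len);   /* no bound on p->len */
    out[p->len] = '\0';
    return XP_OK;
}

/* Checked form: out must hold XP_BUF_LEN + 1 bytes. Validate before
   touching the buffer, reject instead of truncating, and refuse embedded
   NULs so later C-string code sees exactly the bytes that were validated. */
enum xp_status copy_name_checked(const struct xp_param *p, char *out)
{
    if (p == NULL || out == NULL)
        return XP_BAD_PARAM;
    out[0] = '\0';                  /* defined result on every error path */
    if (p->data == NULL || p->len == 0 || p->len > XP_BUF_LEN)
        return XP_BAD_PARAM;
    if (memchr(p->data, '\0', p->len) != NULL)
        return XP_BAD_PARAM;
    memcpy(out, p->data, p->len);
    out[p->len] = '\0';
    return XP_OK;
}
```

Rejecting the oversized parameter, rather than silently truncating it, also gives the caller an error that can be logged.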