MS Security Bulletin MS02-007

Discussion in 'other security issues & news' started by Zhen-Xjell, Feb 20, 2002.

Thread Status:
Not open for further replies.
  1. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title:      SQL Server Remote Data Source Function Contain
               Unchecked Buffers
    Date:       20 February 2002
    Software:   Microsoft SQL Server
    Impact:     Run code of attacker's choice on server
    Max Risk:   Moderate
    Bulletin:   MS02-007

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS02-007.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    One of the features of Structured Query Language (SQL) in
    SQL Server 7.0 and 2000 is the ability to connect to remote data
    sources. One capability of this feature is the ability to use
    "ad hoc" connections to connect to remote data sources without
    setting up a linked server for less-often used data-sources. This
    is made possible through the use of OLE DB providers, which are
    low-level data source providers. This capability is made possible
    by invoking the OLE DB provider directly by name in a query to
    connect to the remote data source.

    An unchecked buffer exists in the handling of OLE DB provider names
    in ad hoc connections. A buffer overrun could occur as a result and
    could be used to either cause the SQL Server service to fail, or to
    cause code to run in the security context of the SQL Server.
    SQL Server can be configured to run in various security contexts,
    and by default runs as a domain user. The precise privileges the
    attacker could gain would depend on the specific security context
    that the service runs in.

    An attacker could exploit this vulnerability in one of two ways.
    They could attempt to load and execute a database query that calls
    one of the affected functions. Conversely, if a web-site or other
    database front-end were configured to access and process arbitrary
    queries, it could be possible for an attacker to provide inputs that
    would cause the query to call one of the functions in question
    with the appropriate malformed parameters.

    Mitigating Factors:
    ====================
    - The effect of exploiting the vulnerability would depend on the
      specific configuration of the SQL Server service. SQL Server
      can be configured to run in a security context chosen by the
      administrator. By default, this context is as a domain user.
      If the rule of least privilege has been followed, it would
      minimize the amount of damage an attacker could achieve.

    - Both vectors for exploiting the vulnerability could be blocked
      by following best practices. Specifically, untrusted users
      should not be able to load and execute queries of their choice
      on a database server. In addition, publicly accessible database
      queries should filter all inputs prior to processing.

    Risk Rating:
    ============
    - Internet systems: Moderate
    - Intranet systems: Moderate
    - Client systems: Moderate

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
      Security Bulletin at
      http://www.microsoft.com/technet/security/bulletin/ms02-007.asp
      for information on obtaining this patch.

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
    ALL
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
    IN NO EVENT
    SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
    DAMAGES
    WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
    LOSS OF
    BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
    ITS
    SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
    STATES DO
    NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
    OR
    INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQEVAwUBPHRGao0ZSRQxA/UrAQE3AAf/W82BFAXaK8KRa4WRMLJZP5SqwIDAyprL
    98UfEJvvYIuEFYFkRdfw8O8hsHOtnmgMroPo5b29x9H5OvKClsELk39Xh9ECy5+X
    9ZuaxrAiYuBmn1W7ZgaCPqKm+hJb/5hjgIewCnDnvizQsgUSAJ/W+NYqMCX1IB2+
    V+BQLMUntijxiqrG+WL9u6aC1KYfrNMxEGw1FlnGFNDR9gJhuaFFdZibd0lJiSSr
    wsHwXoXyo2/mUdShvx3JCjJmFGw1LQfft4B/AXyI4iuKd8PyOSDXIa8mvRWxYz1i
    eQSM3NXcgnNn+b5EShqjlkqntz6vJJhH9byWZo9GTP6ZRG1lA0x87Q==
    =G7DG
    -----END PGP SIGNATURE-----


    *******************************************************************

    You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification   Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

    To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

    To cancel your subscription, click on the following link mailto:1_26065_1E81A08D-A2CD-4E10-8D7F-16D1039270F8_US@Newsletters.Microsoft.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail.

    To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_26065_1E81A08D-A2CD-4E10-8D7F-16D1039270F8_US@Newsletters.Microsoft.com?subject=STOPMAIL to create an unsubscribe e-mail.  You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm

    For security-related information about Microsoft products, please  visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
     
Loading...
Thread Status:
Not open for further replies.