Microsoft SQL Server

Impact

Background

Some of the features included in Microsoft SQL Server 7.0 and 2000 are:

• A number of extended stored procedures, which are external programs executed in the same way as normal stored procedures.
• The ability to use ad hoc connections to access remote data sources without setting up a linked server. This is made possible through the use of low-level data source providers called OLE DB providers.
• The ability to use either the Windows operating system's authentication or SQL Server authentication, in which user account information is stored in SQL Server's own tables.
• Bulk data insertion, whereby certain users are permitted to copy data from data files to database tables in a user-specified format.
• Database Consistency Checkers, which allow SQL administrators to perform common tasks such as defragmenting databases and repairing minor errors.

The Problems

The following vulnerabilities in SQL Server could allow a local or, in some cases, a remote attacker to crash the SQL Server or execute arbitrary commands:

• 4/18/02
  CAN 2002-0154
  A buffer overflow common to several of the extended stored procedures in SQL Server 7.0 and 2000.
• 4/18/02
  CAN 2002-0056
  A buffer overflow in the handling of OLE DB provider names in ad hoc connections in SQL Server 7.0 and 2000.
• 6/24/02
  CVE 2002-0859
  A buffer overflow in SQL Server 2000's OpenDataSource function. This vulnerability is only exploitable through the Microsoft Jet Engine.
• 7/11/02
  CAN 2002-0624
  A buffer overflow in the encryption of user credentials using SQL Server authentication in SQL Server 2000 and MSDE 2000.
• 7/11/02
  CAN 2002-0641
  A buffer overflow in bulk data insertion in SQL Server 2000 and MSDE 2000. This vulnerability can only be exploited by users who have been granted permission to use bulk insertion; specifically, Bulk Admins and full administrators.
• 7/26/02
  CAN 2002-0644
  A buffer overflow in several Database Consistency Checkers. This vulnerability can only be exploited by users who have permission to execute the checkers; specifically, system administrators or members of the db_owner and db_ddladmin roles.
• 7/26/02
  CAN 2002-0645
  An SQL injection vulnerability in two of the stored procedures used in database replication. This vulnerability can only be executed by users who are able to log onto the SQL server interactively.
• 8/19/02
  CAN 2002-0721
  CAN 2002-0982
  Weak permissions on several extended stored procedures which could be made to run with administrative privileges on the database by non-privileged users.
• 10/3/02
  CAN 2002-1123
  A buffer overflow in the code which processes user authentication in SQL Server 2000 and MSDE 2000.
• 10/3/02
  CAN 2002-1137
  A buffer overflow in one of the Database Console Commands (DBCCs) included in SQL Server 7.0 and 2000.
• 10/3/02
  CAN 2002-1138
  A flaw in the job scheduling procedure in SQL Server 7.0 and 2000 allowing an unprivileged user to schedule a job which can write files with the privileges of the SQL Server Agent.
• 10/3/02
  The ability by unprivileged users to run ad-hoc queries against non-SQL OLE DB data sources, creating the potential for attackers to misuse poorly coded data providers.
• 10/17/02
  CAN 2002-1145
  A privilege elevation vulnerability resulting from the combination of one stored procedure, an extended stored procedure, and weak permissions on a table.
• 10/21/02
  CVE 2002-0186
  CVE 2002-0187
  Two vulnerabilities in the SQLXML component of SQL Server 2000: a buffer overflow in the ISAPI extension and a script injection vulnerability in XML tags.

Microsoft SQL Server 7.0 prior to service pack 4, Microsoft SQL Server 2000 prior to service pack 3, and MSDE 2000 are affected by these vulnerabilities if unpatched. Earlier versions may also be vulnerable.

CVE 1999-0999
CVE 2000-0202
CVE 2000-0402
CVE 2000-0485
CVE 2000-0603
CAN 2000-1081
CAN 2000-1082
CAN 2000-1083
CAN 2000-1084
CAN 2000-1085
CAN 2000-1086
CAN 2000-1087
CAN 2000-1088
CVE 2001-0344
CAN 2001-0542
CVE 2001-0879
Many older vulnerabilities in Microsoft SQL Server 7.0 and 2000 could also allow a remote attacker to execute commands or crash the service.

7/11/02
CVE 2002-0642
Due to incorrect permissions on the registry key which controls the SQL Server service account, an attacker could elevate the privileges with which SQL Server runs. Then, if the attacker has sufficient privileges to load and run SQL queries on the system, he or she could execute arbitrary commands at the chosen privilege level by passing the commands to the operating system through SQL statements. In the worst case, this could allow a local user to execute arbitrary commands with SYSTEM privileges. SQL Server 2000 prior to Service Pack 3 and MSDE 2000 are affected by this vulnerability.

7/25/02
SQL Server 2000 introduces the ability to host multiple instances of SQL Server on a single physical machine. Only one SQL Server instance can use the default SQL Server session port (TCP 1433). Each additional instance is assigned another port to which it listens. The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to identify the port used by a particular SQL Server instance.

There are several security vulnerabilities in the SQL Server Resolution Service, including buffer overrun vulnerabilities and a denial-of-service vulnerability:

Buffer Overruns in SQL Server Resolution Service:
CAN 2002-0649
CAN 2002-0729
The buffer overrun vulnerabilities are exploited by sending a specially crafted packet to the Resolution Service, thereby causing portions of system memory to be overwritten. Consequences could range from failure of the SQL Server service to allowing the attacker to run code in the security context of the SQL Server service. These vulnerabilities are of particular concern because a worm which exploits them has been released on the Internet.

Denial of Service via SQL Server Resolution Service:
CVE 2002-0650
The denial of service vulnerability involves the keep-alive mechanism SQL uses to distinguish between active and passive instances. It is possible to create a keep-alive packet which, when sent to the SQL Server Resolution Service, causes SQL Server 2000 to reply with a keep-alive packet that has identical content. If an attacker were to spoof the sender address of such a packet to be from one SQL Server 2000 system and send it to another SQL Server 2000 system, the two systems would enter an unending cycle of sending the same packet back and forth to each other, thereby consuming most or all of the available bandwidth on the two machines.

8/1/02
CVE 2002-0695
Microsoft Data Access Components (MDAC) is a collection of components used to provide database connectivity on Windows platforms. There is a security vulnerability in the MDAC component that provides underlying support for the Transact-SQL OpenRowSet command. If a query were to call OpenRowSet using a specially malformed parameter, it is possible to overrun the buffer in the underlying function. This could cause the SQL Server to fail or cause the SQL Server service to take actions dictated by the attacker, with the privileges of the affected SQL Server. This vulnerability can only be exploited by an attacker who has already gained the ability to submit and execute ad-hoc database queries. Even though MDAC ships with all Windows operating systems, the vulnerability can only be exploited on SQL Servers. MDAC versions 2.5, 2.6, and 2.7, along with SQL Server versions 7 and 2000 are known to be vulnerable.

CAN 2000-0199
The administrative login and password for a registered SQL server in Enterprise Manager for Microsoft SQL Server 7.0 is stored in the registry with weak encryption if an SQL user account is used instead of a Windows domain user, and the "always prompt for login and password" option is not selected. After a database administrator logs in from a workstation, an attacker on the workstation could view the USER.DAT or NTUSER.DAT file to obtain the encrypted password, and then reverse the encryption to gain the true administrative password for the SQL server.

Resolution

To correct the SQL Server 2000 Resolution Service vulnerabilities, download the SQL Server 2000 Service Pack 2 Security Patch referenced in Microsoft Security Bulletin 02-039. You may also want to block UDP port 1434 at the firewall, if feasible (see MS02-039 for details.)

To correct the MDAC buffer overflow vulnerability, database administrators using SQL Server 7.0 or 2000 should apply the MDAC patch referenced in Microsoft Security Bulletin 02-040.

If using SQL Server user accounts instead of Windows domain user accounts, Microsoft recommends using the "always prompt for login name and password" option so that the weakly encrypted administrative password will not be stored on the hard drive.

Where can I read more about this?

For details on specific vulnerabilities, see Microsoft Security Bulletins 02-061, 02-056, 02-043, 02-040, 02-039, 02-038, 02-034, 02-030, 02-020, 02-007, 01-060, 01-032, 00-092, 00-048, 00-041, 00-035, 00-014, 99-059, CIAC Bulletins M-094 and K-026, and NGSSoftware Advisories #NISR25072002 and #NISR22002002A.

For more information on the worm which exploits buffer overflows in the SQL Server Resolution Service, see CERT Advisory 2003-04.