Some of the features included in Microsoft SQL Server 7.0 and 2000 are:
The following vulnerabilities in SQL Server could allow a local or, in some cases, a remote attacker to crash the SQL Server or execute arbitrary commands:
Microsoft SQL Server 7.0 prior to service pack 4, Microsoft SQL Server 2000 prior to service pack 3, and MSDE 2000 are affected by these vulnerabilities if unpatched. Earlier versions may also be vulnerable.
CVE 1999-0999
CVE 2000-0202
CVE 2000-0402
CVE 2000-0485
CVE 2000-0603
CAN 2000-1081
CAN 2000-1082
CAN 2000-1083
CAN 2000-1084
CAN 2000-1085
CAN 2000-1086
CAN 2000-1087
CAN 2000-1088
CVE 2001-0344
CAN 2001-0542
CVE 2001-0879
Many older vulnerabilities in Microsoft SQL Server 7.0 and
2000 could also allow a remote attacker to execute commands
or crash the service.
7/11/02
CVE 2002-0642
Due to incorrect permissions on the registry key which
controls the SQL Server service account, an attacker could
elevate the privileges with which SQL Server runs. Then,
if the attacker has sufficient privileges to load and run
SQL queries on the system, he or she could execute arbitrary
commands at the chosen privilege level by passing the
commands to the operating system through SQL
statements. In the worst case, this could allow a local
user to execute arbitrary commands with SYSTEM
privileges. SQL Server 2000 prior to Service Pack 3 and MSDE
2000 are affected by this vulnerability.
7/25/02
SQL Server 2000 introduces the ability to host multiple instances of SQL
Server on a single physical machine. Only one SQL Server instance can use
the default SQL Server session port (TCP 1433). Each additional instance
is assigned another port to which it listens. The SQL Server
Resolution Service, which operates on UDP port 1434, provides a way for
clients to identify the port used by a particular SQL Server instance.
There are several security vulnerabilities in the SQL Server Resolution Service, including buffer overrun vulnerabilities and a denial-of-service vulnerability:
Buffer Overruns in SQL Server Resolution Service:
CAN 2002-0649
CAN 2002-0729
The buffer overrun vulnerabilities are exploited by sending a specially crafted packet to the Resolution Service, thereby causing portions of system memory to be overwritten. Consequences could range from failure of the SQL Server service to allowing the attacker to run code in the security context of the SQL Server service. These vulnerabilities are of particular concern because a worm which exploits them has been released on the Internet.
Denial of Service via SQL Server Resolution Service:
CVE 2002-0650
The denial of service vulnerability involves the keep-alive mechanism SQL uses to distinguish between active and passive instances. It is possible to create a keep-alive packet which, when sent to the SQL Server Resolution Service, causes SQL Server 2000 to reply with a keep-alive packet that has identical content. If an attacker were to spoof the sender address of such a packet to be from one SQL Server 2000 system and send it to another SQL Server 2000 system, the two systems would enter an unending cycle of sending the same packet back and forth to each other, thereby consuming most or all of the available bandwidth on the two machines.
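The keep-alive reflection loop described above has a distinctive network signature: two hosts exchanging identical UDP/1434 payloads in both directions at a steady rate. The following detector, added here as an illustration and not part of the original advisory, runs over a few constructed log lines in an assumed "time src dst udp/port payload" format and flags host pairs showing that back-and-forth pattern. It compares payloads only for equality, so it does not depend on the actual keep-alive byte value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the advisory). Assumed format:
# "<ISO time> <src_ip> <dst_ip> udp/<dst_port> <payload_hex>"
SAMPLE_LOG = """\
2002-07-25T10:00:00 10.0.0.5 10.0.0.6 udp/1434 0a
2002-07-25T10:00:00 10.0.0.6 10.0.0.5 udp/1434 0a
2002-07-25T10:00:01 10.0.0.5 10.0.0.6 udp/1434 0a
2002-07-25T10:00:01 10.0.0.6 10.0.0.5 udp/1434 0a
2002-07-25T10:00:02 10.0.0.5 10.0.0.6 udp/1434 0a
2002-07-25T10:00:02 10.0.0.6 10.0.0.5 udp/1434 0a
2002-07-25T10:00:03 10.0.0.9 10.0.0.6 udp/1434 04
2002-07-25T10:00:03 10.0.0.9 10.0.0.6 udp/1433 00
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) udp/(\d+) (\S+)$")

def parse_line(line):
    """Return (time, src, dst, dst_port, payload) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, payload = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), payload

def find_reflection_loops(log_text, window_seconds=5, min_packets=4):
    """Flag host pairs that bounce an identical UDP/1434 payload in both
    directions at least min_packets times within window_seconds: the
    'same packet back and forth' pattern of the keep-alive DoS."""
    seen = defaultdict(list)  # (unordered host pair, payload) -> [(time, src)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != 1434:  # only Resolution Service traffic
            continue
        ts, src, dst, _, payload = rec
        seen[(tuple(sorted((src, dst))), payload)].append((ts, src))
    alerts = []
    for (pair, payload), events in seen.items():
        events.sort()
        both_directions = len({s for _, s in events}) == 2
        span = (events[-1][0] - events[0][0]).total_seconds()
        if both_directions and len(events) >= min_packets and span <= window_seconds:
            alerts.append({"hosts": pair, "payload": payload,
                           "packets": len(events), "seconds": span})
    return alerts

if __name__ == "__main__":
    for alert in find_reflection_loops(SAMPLE_LOG):
        print("possible SSRS keep-alive loop:", alert)
```

A one-way burst of keep-alives (the 10.0.0.9 lines) is not flagged, since the loop requires both hosts to reflect the same payload.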
8/1/02
CVE 2002-0695
Microsoft Data Access Components (MDAC) is a collection of components used
to provide database connectivity on Windows platforms. There is a security
vulnerability in the MDAC component that provides underlying support for
the Transact-SQL OpenRowSet command. If a query were to call OpenRowSet
using a specially malformed parameter, it is possible to overrun the buffer
in the underlying function. This could cause the SQL Server to fail or
cause the SQL Server service to take actions dictated by the attacker, with
the privileges of the affected SQL Server. This vulnerability can only
be exploited by an attacker who has already gained the ability to submit
and execute ad-hoc database queries. Even though MDAC ships with all
Windows operating systems, the vulnerability can only be exploited on SQL
Servers. MDAC versions 2.5, 2.6, and 2.7, along with SQL Server versions
7 and 2000 are known to be vulnerable.
CAN 2000-0199
The administrative login and password for a registered SQL
server in Enterprise Manager for Microsoft SQL Server 7.0 are
stored in the registry with weak encryption if an SQL user
account is used instead of a Windows domain user, and the
"always prompt for login and password" option is not
selected. After a database administrator logs in from a
workstation, an attacker on the workstation could view the
USER.DAT or NTUSER.DAT file
to obtain the encrypted password, and then reverse the
encryption to gain the true administrative password for the
SQL server.
To correct the SQL Server 2000 Resolution Service vulnerabilities, download the SQL Server 2000 Service Pack 2 Security Patch referenced in Microsoft Security Bulletin 02-039. You may also want to block UDP port 1434 at the firewall, if feasible (see MS02-039 for details).
To correct the MDAC buffer overflow vulnerability, database administrators using SQL Server 7.0 or 2000 should apply the MDAC patch referenced in Microsoft Security Bulletin 02-040.
If using SQL Server user accounts instead of Windows domain user accounts, Microsoft recommends using the "always prompt for login name and password" option so that the weakly encrypted administrative password will not be stored on the hard drive.
For details on specific vulnerabilities, see Microsoft Security Bulletins 02-061, 02-056, 02-043, 02-040, 02-039, 02-038, 02-034, 02-030, 02-020, 02-007, 01-060, 01-032, 00-092, 00-048, 00-041, 00-035, 00-014, 99-059, CIAC Bulletins M-094 and K-026, and NGSSoftware Advisories #NISR25072002 and #NISR22002002A.
For more information on the worm which exploits buffer overflows in the SQL Server Resolution Service, see CERT Advisory 2003-04.