Reported July 23, 2003, by Microsoft.
VERSIONS AFFECTED
Microsoft SQL Server 2000 and 7.0
Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
Microsoft Data Engine (MSDE) 1.0
DESCRIPTION
Three new vulnerabilities exist in SQL Server 2000, SQL Server 7.0, MSDE 2000, and MSDE 1.0. The most serious of them can result in the execution of arbitrary code on the vulnerable computer. The three vulnerabilities are:
Named Pipe Hijacking
Named Pipe Denial of Service
SQL Server Buffer Overrun
VENDOR RESPONSE
Microsoft has released Security Bulletin MS03-031, "Cumulative Patch for Microsoft SQL Server (815495)," to address these vulnerabilities and recommends that affected users apply the appropriate patch listed in the bulletin for their product and service pack level.
CREDIT
Discovered by Andreas Junstream of @Stake.
Named Pipe Hijacking
A flaw exists in the method SQL Server uses to check the named pipe it listens on. An attacker who can log on locally to the SQL Server system can take control of that named pipe while another client is performing an authenticated logon over it. The attacker then holds the pipe at the permission level of the user who is attempting to connect; if that user has more privileges than the attacker, the attacker assumes those privileges once the pipe is hijacked. The attacker needs a local account on the server and a more privileged client connecting over named pipes, so the exposure is greatest on shared or multi-user hosts.
Named Pipe Denial of Service
In the same named-pipes scenario, an unauthenticated user on the local intranet can send a large packet to a specific named pipe on which the SQL Server system is listening and cause the server to stop responding. This is a Denial of Service (DoS) condition, and restoring functionality requires a server restart. No credentials are needed for this one; network reachability of the named pipe is enough.
SQL Server Buffer Overrun
A flaw in a specific Windows function might let an authenticated user who can log on directly to the SQL Server system create a specially crafted packet that, when sent to the system's listening local procedure call (LPC) port, causes a buffer overrun. A user with limited permissions on the system could use this flaw to elevate his or her permissions to those of the SQL Server service account or to run arbitrary code. This issue requires a local logon rather than network access to the database protocol, so it applies whether or not named pipes are enabled.
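The check an administrator wants after reading the three descriptions above is whether a given instance is already at the MS03-031 build and whether it exposes the named pipes protocol at all. The following PowerShell script is an added example, not code from the advisory or from Microsoft. It assumes the fixed builds are 8.00.818 for SQL Server 2000/MSDE 2000 and 7.00.1094 for SQL Server 7.0/MSDE 1.0 (confirm them against KB 815495 before relying on them), uses a placeholder instance name, and reads the SQL Server 2000 default-instance registry key for the protocol list.

```powershell
# Added example (not from the advisory or from Microsoft): check one SQL Server
# 2000 / 7.0 instance against MS03-031 (KB 815495).
# Assumptions, to be verified against the bulletin:
#   - fixed builds: 8.00.818 (SQL Server 2000, MSDE 2000), 7.00.1094 (SQL Server 7.0, MSDE 1.0)
#   - $Instance is a placeholder; "." is the local default instance
#   - the registry path below is the SQL Server 2000 default-instance path
param(
    [string]$Instance = ".",
    [switch]$SkipRegistry
)

# major.minor -> first build that contains the MS03-031 fix (assumed, see above)
$FixedBuild = @{ "8.00" = 818; "7.00" = 1094 }

function Get-SqlBuild {
    # @@VERSION works on both 7.0 and 2000 (SERVERPROPERTY does not exist on 7.0)
    param([string]$ServerInstance)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Integrated Security=SSPI;Connection Timeout=5"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT @@VERSION"
        $banner = [string]$cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
    # banner looks like "Microsoft SQL Server  2000 - 8.00.818 (Intel X86) ..."
    if ($banner -match '(\d+)\.(\d+)\.(\d+)') {
        return [pscustomobject]@{
            MajorMinor = ('{0}.{1:00}' -f [int]$Matches[1], [int]$Matches[2])
            Build      = [int]$Matches[3]
            Banner     = $banner.Split("`n")[0].Trim()
        }
    }
    throw "Could not parse a version number from: $banner"
}

function Test-NamedPipesEnabled {
    # SQL Server 2000 default instance. Named instances keep the same value under
    # HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\<name>\MSSQLServer\SuperSocketNetLib,
    # and SQL Server 7.0 stores its listeners differently (ListenOn), so adapt for those.
    $key = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib'
    $list = (Get-ItemProperty -Path $key -Name ProtocolList -ErrorAction Stop).ProtocolList
    return [bool]($list -contains 'np')
}

$v = Get-SqlBuild -ServerInstance $Instance
Write-Host "Instance $Instance reports: $($v.Banner)"

$required = $FixedBuild[$v.MajorMinor]
if ($null -eq $required) {
    Write-Host "Version $($v.MajorMinor) is not one of the products covered by MS03-031 (7.0 and 2000)."
} elseif ($v.Build -ge $required) {
    Write-Host "Build $($v.Build) is at or above the assumed fixed build $required: MS03-031 present."
} else {
    Write-Warning "Build $($v.Build) is below $required: MS03-031 (KB 815495) has not been applied."
}

if (-not $SkipRegistry) {
    # The build check covers all three issues; the protocol check tells you whether the two
    # named-pipe issues are reachable at all on this host.
    if (Test-NamedPipesEnabled) {
        Write-Warning "Named pipes ('np') is in ProtocolList: the named pipe hijacking and DoS issues apply until the patch is installed."
    } else {
        Write-Host "Named pipes ('np') is not in ProtocolList; only the LPC buffer overrun remains relevant on this host."
    }
}
```

Run it on the server itself (the registry read is local) with an account that has a Windows login on the instance, for example `.\Test-MS03031.ps1 -Instance "SRV01"` or `-SkipRegistry` when querying a remote instance. Because the LPC buffer overrun does not depend on the network protocol, treat the build comparison as the decisive result and the protocol check only as a measure of how exposed the two named-pipe issues are in the meantime.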
Multiple Vulnerabilities In Microsoft SQL