
ms02-056

Posted Oct 4, 2002
Site microsoft.com

Microsoft Security Advisory MS02-056 - A Cumulative Patch for SQL Server 7.0, Microsoft Data Engine (MSDE) 1.0, Microsoft SQL Server 2000, and Microsoft Desktop Engine (MSDE) 2000 fix four vulnerabilities, some of which allow attackers to take complete control over the system.

tags | vulnerability
SHA-256 | 3bf76166be49ef8d4f9d411cefac284e9a953d42055775e31b63ba8cd2072d44


----------------------------------------------------------------------
Title:      Cumulative Patch for SQL Server (Q316333)
Date:       02 October 2002
Software:   Microsoft SQL Server 7.0
            Microsoft Data Engine (MSDE) 1.0
            Microsoft SQL Server 2000
            Microsoft Desktop Engine (MSDE) 2000
Impact:     Four vulnerabilities, the most serious of which could
            enable an attacker to gain control over an affected
            server.
Max Risk:   Critical
Bulletin:   MS02-056

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-056.asp.
----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000,
Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE)
2000. In addition, it eliminates four newly discovered
vulnerabilities.
 * A buffer overrun in a section of code in SQL Server 2000
   (and MSDE 2000) associated with user authentication. By
   sending a specially malformed login request to an affected
   server, an attacker could either cause the server to fail or
   gain the ability to overwrite memory on the server, thereby
   potentially running code on the server in the security context
   of the SQL Server service. It would not be necessary for the
   user to successfully authenticate to the server or to be able
   to issue direct commands to it in order to exploit the
   vulnerability.
 * A buffer overrun vulnerability that occurs in one of the
   Database Console Commands (DBCCs) that ship as part of SQL
   Server 7.0 and 2000. In the most serious case, exploiting
   this vulnerability would enable an attacker to run code in
   the context of the SQL Server service, thereby giving the
   attacker complete control over all databases on the server.
 * A vulnerability associated with scheduled jobs in SQL Server
   7.0 and 2000. SQL Server allows unprivileged users to create
   scheduled jobs that will be executed by the SQL Server Agent.
   By design, the SQL Server Agent should only perform job
   steps that are appropriate for the requesting user's
   privileges. However, when a job step requests that an output
   file be created, the SQL Server Agent does so using its own
   privileges rather than the job owner's privileges. This creates
   a situation in which an unprivileged user could submit a job
   that would create a file containing valid operating system
   commands in another user's Startup folder, or simply
   overwrite system files in order to disrupt system operation.

The patch also changes the operation of SQL Server, to prevent
non-administrative users from running ad hoc queries against
non-SQL OLEDB data sources. Although the current operation does
not represent a security vulnerability, the new operation makes
it more difficult to misuse poorly coded data providers that might
be installed on the server.

Mitigating Factors:
====================
Unchecked buffer in SQL Server 2000 authentication function:
 * This vulnerability only affects SQL Server 2000 and MSDE 2000.
   Neither SQL Server 7.0 nor MSDE 1.0 is affected.
 * If the SQL Server port (port 1433) were blocked at the firewall,
   the vulnerability could not be exploited from the Internet.
 * Exploiting this vulnerability would allow the attacker to
   escalate privileges to the level of the SQL Server service
   account. By default, the service runs with the privileges of a
   domain user, rather than with system privileges.

Unchecked buffer in Database Console Commands:
 * Exploiting this vulnerability would allow the attacker to
   escalate privileges to the level of the SQL Server service
   account. By default, the service runs with the privileges of a
   domain user, rather than with system privileges.
 * The vulnerability could only be exploited by an attacker who
   could authenticate to an affected SQL Server or has permissions
   to execute queries directly to the server.
 * The vulnerability could only be exploited by an attacker who
   could authenticate to an affected SQL Server.

Flaw in output file handling for scheduled jobs:
 * The vulnerability could only be exploited by an attacker who
   could authenticate to an affected SQL Server.
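
An audit query for the scheduled-job output file flaw described above. This is an added example, not part of Microsoft's bulletin. It assumes read access to the msdb tables sysjobs and sysjobsteps, and the path patterns it checks are illustrative assumptions to adjust per host.

```sql
-- Added example: list SQL Server Agent job steps that request an output
-- file and whose job owner is not a member of the sysadmin role. These are
-- the steps where the Agent, on an unpatched server, would create the file
-- with its own privileges rather than the owner's.
SELECT
    j.name                      AS job_name,
    SUSER_SNAME(j.owner_sid)    AS job_owner,      -- NULL if the login no longer exists
    s.step_id,
    s.step_name,
    s.subsystem,
    s.output_file_name,
    CASE
        -- Path patterns are assumptions; matching case depends on collation.
        WHEN s.output_file_name LIKE '%\Startup\%'
            THEN 'writes into a Startup folder'
        WHEN s.output_file_name LIKE '%\WINNT\%'
          OR s.output_file_name LIKE '%\WINDOWS\%'
          OR s.output_file_name LIKE '%\system32\%'
            THEN 'writes into a system directory'
        ELSE 'review path'
    END                         AS finding
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s
    ON s.job_id = j.job_id
WHERE s.output_file_name IS NOT NULL
  AND s.output_file_name <> ''
  -- Keep steps whose owner is unknown (orphaned SID) or is not a sysadmin.
  AND (
        SUSER_SNAME(j.owner_sid) IS NULL
     OR ISNULL(IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)), 0) = 0
      )
ORDER BY finding DESC, job_owner, job_name, s.step_id;
```

Rows flagged as writing into a Startup folder or a system directory sort first. Every returned row is worth reviewing, since the output path was chosen by a non-administrative job owner.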

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-056.asp
for information on obtaining this patch.

Acknowledgment:
===================
* Issue regarding ad hoc queries against non-SQL OLEDB data
sources:
sk@scan-associates.net and pokleyzz@scan-associates.net
* Unchecked buffer in Database Console Commands:
Martin Rakhmanoff (jimmers@yandex.ru)


---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.


