[15708] in bugtraq
Re: Microsoft Security Bulletin (MS00-048)
daemon@ATHENA.MIT.EDU (Jenik)
Mon Jul 10 04:47:10 2000
Message-Id: <002d01bfe90e$58ca9a70$0100a8c0@pcjenik>
Date: Sat, 8 Jul 2000 20:57:20 +0200
Reply-To: Jenik <jenik@iiclub.co.il>
From: Jenik <jenik@CPOL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Microsoft had better mention the "xp_cmdshell" function (http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/sql/sp_wa-wz.htm) in their FAQ! :)
The problem is very big. Most sites that are running MS SQL Server, a web server and server-side scripts will allow users to insert data into SQL query strings (any kind of search engines, etc.). This bug will allow not only gaining access to DB data, but also executing anything locally on the server.
Jenik.
----- Original Message -----
From: "Microsoft Product Security" <secnotif@MICROSOFT.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Friday, July 07, 2000 10:16 PM
Subject: Microsoft Security Bulletin (MS00-048)
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
> ********************************
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Microsoft Security Bulletin (MS00-048)
> - ---------------------------------------
>
> Patch Available for "Stored Procedure Permissions" Vulnerability
> Originally Posted: July 7, 2000
>
> Summary
> =======
> Microsoft has released a patch that eliminates a security
> vulnerability in Microsoft(r) SQL Server 7.0. The vulnerability could
> allow a malicious user to run a database stored procedure without
> proper permissions.
>
> Frequently asked questions regarding this vulnerability and the patch
> can be found at:
> http://www.microsoft.com/technet/security/bulletin/fq00-048.asp
>
> Issue
> ======
> Execute permission checks on stored procedures may be bypassed when a
> stored procedure is referenced from a temporary stored procedure.
> This omission would allow a malicious user to run a stored procedure
> that, by design, he should not be able to access.
>
> The vulnerability only occurs under a fairly restricted set of
> conditions:
>
> - The database and stored procedure must be owned by the system
> administrator (sa) login account.
>
> - The malicious user must be able to authenticate to the SQL Server,
> and have user access to the referenced database.
>
> Affected Software Versions
> ==========================
> Microsoft SQL Server 7.0
>
> Patch Availability
> ==================
> - Intel:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22470
> - Alpha:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22469
>
> NOTE: Additional security patches are available at the Microsoft
> Download Center
>
> More Information
> ================
> Please see the following references for more information related to
> this issue.
> - Frequently Asked Questions: Microsoft Security Bulletin MS00-048,
> http://www.microsoft.com/technet/security/bulletin/fq00-048.asp
> - Microsoft Knowledge Base (KB) article, Q266766
> - Microsoft TechNet Security web site,
> http://www.microsoft.com/technet/security/default.asp
>
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Product Support Services is available at
> http://support.microsoft.com/support/contact/default.asp
>
>
> Acknowledgments
> ===============
> Microsoft thanks Adina Reeve of Sequiturcorp for reporting this issue
> and working with us to protect customers.
>
> Revisions
> =========
> - July 7, 2000: Bulletin Created.
>
> - ----------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
> SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
> DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
> CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
> MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
> OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
> THE FOREGOING LIMITATION MAY NOT APPLY.
>
> Last Updated July 7, 2000
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.3
> -----END PGP SIGNATURE-----
>
> *******************************************************************
> You have received this e-mail bulletin as a result of your registration
> to the Microsoft Product Security Notification Service. You may
> unsubscribe from this e-mail notification service at any time by sending
> an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
> The subject line and message body are not used in processing the request,
> and can be anything you like.
>
> To verify the digital signature on this bulletin, please download our PGP
> key at http://www.microsoft.com/technet/security/notify.asp.
>
> For more information on the Microsoft Security Notification Service
> please visit http://www.microsoft.com/technet/security/notify.asp. For
> security-related information about Microsoft products, please visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.
>
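The pattern described in the reply above, a search script that inserts user input into a SQL query string, shown beside its parameterized form. This is an added example, not code from the post or the bulletin; Python's sqlite3 stands in for the SQL Server backend, and the `products` table, the function names and the sample input are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample input: closes the string literal and appends a condition.
CRAFTED = "x' OR public = 0 --"


def make_db():
    """In-memory stand-in database with constructed rows (public=0 is hidden)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, public INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("red widget", 1), ("blue widget", 1),
         ("100% cotton", 1), ("internal price list", 0)],
    )
    return db


def search_concat(db, term):
    """'Before': the search term is pasted into the query text, so quote
    characters in it become part of the statement's syntax."""
    sql = ("SELECT name FROM products "
           "WHERE public = 1 AND name LIKE '%" + term + "%'")
    return sorted(row[0] for row in db.execute(sql))


def search_bound(db, term):
    """'After': the term is bound as a parameter and is only ever data."""
    # Escape LIKE wildcards so '%' and '_' typed by the user match literally.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT name FROM products "
           "WHERE public = 1 AND name LIKE ? ESCAPE '\\'")
    return sorted(row[0] for row in db.execute(sql, ("%" + escaped + "%",)))


if __name__ == "__main__":
    db = make_db()
    for term in ("widget", CRAFTED, "%"):
        print(repr(term), search_concat(db, term), search_bound(db, term))
```

With the concatenated query the crafted term returns the hidden row, while the bound query returns nothing for it; binding parameters is independent of, and complementary to, running the web application's database login without rights to procedures such as `xp_cmdshell`.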