[15716] in bugtraq


Re: Microsoft Security Bulletin (MS00-048)

daemon@ATHENA.MIT.EDU (Richard Waymire)
Mon Jul 10 15:34:15 2000

Date: Mon, 10 Jul 2000 09:27:29 -0700
From: Richard Waymire <rwaymi@MICROSOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

What bug do you see here?  The only way this can work as you describe is if
the site administrator screws up on several fronts:

1)  Improper filtering of the data they pass through to SQL Server
2)  Running SQL Server as an administrator (not necessary)
3)  Having the web site log in to SQL Server as a system administrator (big
mistake in any event)

Only when those things happen will the "bug" you mention take place.


Richard Waymire, MCT, MCSE+I, MCSD, MCDBA
SQL Server Enterprise Program Manager

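The three conditions above, illustrated with an added example that is not part of this Bugtraq thread and not Microsoft's or either poster's code. sqlite3 stands in for SQL Server (an assumption: it has no xp_cmdshell, so only conditions 1 and 3 are shown, not the service-account question of condition 2). The first pair of functions puts the concatenated query beside its parameterized form, using a constructed search term that closes the quoted literal, which is the "insert data into SQL query strings" case the thread is about; the last function is a constructed check that flags a web-tier connection string logging in as sa, assuming the ODBC/OLE DB key names `User ID` and `UID`.

```python
import sqlite3


def make_catalog():
    """Constructed sample data: two public products and one internal row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("blue widget", 1), ("red widget", 1), ("unreleased gadget", 0)],
    )
    return conn


def search_concatenated(conn, term):
    """Condition 1 as Waymire describes it: the search term is spliced into the
    query text, so a quote in the input ends the literal and whatever follows
    is parsed as SQL."""
    sql = (
        "SELECT name FROM products WHERE public = 1 "
        "AND name LIKE '%" + term + "%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Hardened form: the term travels as a bound parameter. The query text is
    fixed, so the input can only ever be a LIKE pattern, never SQL."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def concatenation_accepts(conn, term):
    """True if the concatenated query still parses for this input. A product
    name with an apostrophe is enough to break it; that is the same defect
    the hostile input below relies on, seen from the availability side."""
    try:
        search_concatenated(conn, term)
        return True
    except sqlite3.OperationalError:
        return False


def uses_sysadmin_login(connection_string):
    """Condition 3 check: does the web tier's connection string log in as sa?
    Parses the semicolon-separated key=value form of ODBC/OLE DB connection
    strings; the key names 'User ID' and 'UID' are assumed here."""
    pairs = {}
    for part in connection_string.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    login = pairs.get("user id") or pairs.get("uid") or ""
    return login.lower() == "sa"


if __name__ == "__main__":
    db = make_catalog()
    ordinary = "widget"
    hostile = "' OR 1=1 OR name LIKE '"  # constructed input that closes the literal
    print("concatenated, ordinary :", search_concatenated(db, ordinary))
    print("concatenated, hostile  :", search_concatenated(db, hostile))
    print("parameterized, hostile :", search_parameterized(db, hostile))
    print("concatenated, O'Brien  :", concatenation_accepts(db, "O'Brien"))
    print("web tier logs in as sa :",
          uses_sysadmin_login("Server=db1;Database=shop;User ID=sa;Password=x"))
```

With the hostile term the concatenated version returns the internal row as well as the public ones, because the input rewrote the WHERE clause; the parameterized version returns nothing, because the same bytes were matched as a pattern. The point for the web tier is the combination Waymire lists: parameterization removes condition 1 on its own, and a non-sysadmin login bounds the damage if some query is missed.
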
-----Original Message-----
From: Jenik [mailto:jenik@CPOL.COM]
Sent: Saturday, July 08, 2000 11:57 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Microsoft Security Bulletin (MS00-048)


Microsoft had better mention the "xp_cmdshell
<http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/sql/sp_wa-wz.htm>"
function in their FAQ! :)

The problem is very big. Most sites that run MS SQL Server, a web server
and server-side scripts will allow users to insert data into SQL query
strings (any kind of search engine, etc.). This bug will allow not only
gaining access to DB data, but also executing anything locally on the server.

    Jenik.

----- Original Message -----
From: "Microsoft Product Security" <secnotif@MICROSOFT.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Friday, July 07, 2000 10:16 PM
Subject: Microsoft Security Bulletin (MS00-048)


> The following is a Security Bulletin from the Microsoft Product
> Security Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
>                     ********************************
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Microsoft Security Bulletin (MS00-048)
> - ---------------------------------------
>
> Patch Available for "Stored Procedure Permissions" Vulnerability
> Originally Posted:  July 7, 2000
>
> Summary
> =======
> Microsoft has released a patch that eliminates a security
> vulnerability in Microsoft(r) SQL Server 7.0. The vulnerability could
> allow a malicious user to run a database stored procedure without
> proper permissions.
>
> Frequently asked questions regarding this vulnerability and the patch
> can be found at:
> http://www.microsoft.com/technet/security/bulletin/fq00-048.asp
>
> Issue
> ======
> Execute permission checks on stored procedures may be bypassed when a
> stored procedure is referenced from a temporary stored procedure.
> This omission would allow a malicious user to run a stored procedure
> that, by design, he should not be able to access.
>
> The vulnerability only occurs under a fairly restricted set of
> conditions:
>
>  - The database and stored procedure must be owned by the system
>    administrator (sa) login account.
>
>  - The malicious user must be able to authenticate to the SQL Server,
>    and have user access to the referenced database.
>
> Affected Software Versions
> ==========================
> Microsoft SQL Server 7.0
>
> Patch Availability
> ==================
>  - Intel:
>    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22470
>  - Alpha:
>    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22469
>
> NOTE:  Additional security patches are available at the Microsoft
> Download Center
>
> More Information
> ================
> Please see the following references for more information related to
> this issue.
>  - Frequently Asked Questions: Microsoft Security Bulletin MS00-048,
>    http://www.microsoft.com/technet/security/bulletin/fq00-048.asp
>  - Microsoft Knowledge Base (KB) article, Q266766
>  - Microsoft TechNet Security web site,
>    http://www.microsoft.com/technet/security/default.asp
>
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Product Support Services is available at
> http://support.microsoft.com/support/contact/default.asp
>
>
> Acknowledgments
> ===============
> Microsoft thanks Adina Reeve of Sequiturcorp for reporting this issue
> and working with us to protect customers.
>
> Revisions
> =========
>  - July 7, 2000: Bulletin Created.
>
> - ----------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
> SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
> DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
> CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
> MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
> OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
> THE FOREGOING LIMITATION MAY NOT APPLY.
>
> Last Updated July 7, 2000
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.3
>
> iQEVAwUBOWY6740ZSRQxA/UrAQFNUggAizPTeRGuonj018nxCNv+zU1du7rgD+Up
> MaEROTyC77C+L1dH86SwM20FYXyqHmi2hdMk/IkDtC6NEomyWhYhZRLEZgb3wS3W
> TuiJR7ZcGplqra1j1PeFVmPkqDGkc18EG+o7JAOptkF+kwHQPSuxx7n2+8YJcmGt
> RCID8ScRDyasTiGvitBDfmFdCSdoXT6Fkvmqxgyn9zo3i8lhc8KfYIPlAUfm3B1S
> vBdfTxhwltofjJLgxYJfbU/EbMsj3lf4lRC1xyw3JpteznPvN9M7dwgooGQp/8Zf
> odskI85aqOGGEsc7LcoVqxIP4reWKNHWAfLZjqEbNRxeTNOK/4W7HA==
> =rr3B
> -----END PGP SIGNATURE-----
>
>    *******************************************************************
> You have received this e-mail bulletin as a result of your registration
> to the Microsoft Product Security Notification Service. You may
> unsubscribe from this e-mail notification service at any time by sending
> an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
> The subject line and message body are not used in processing the request,
> and can be anything you like.
>
> To verify the digital signature on this bulletin, please download our PGP
> key at http://www.microsoft.com/technet/security/notify.asp.
>
> For more information on the Microsoft Security Notification Service
> please visit http://www.microsoft.com/technet/security/notify.asp. For
> security-related information about Microsoft products, please visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.
>


