[27285] in bugtraq
Re: [VulnWatch] Notes on the SQL Cumulative patch
daemon@ATHENA.MIT.EDU (Dave Aitel)
Thu Oct 3 21:35:25 2002
From: Dave Aitel <dave@immunitysec.com>
To: David Litchfield <david@ngssoftware.com>
In-Reply-To: <005801c26aed$133810b0$2501010a@HEPHAESTUS>
Date: 03 Oct 2002 12:16:36 -0400
Message-Id: <1033661797.13143.90.camel@www.immunitysec.com>
People in Immunity's Vulnerability Disclosure Club or people who have
purchased CORE Impact or people who have written their own SQL Server
Hello exploit can verify that this statement from the Microsoft Advisory
is, in fact, completely untrue.
The default install, in fact, every install I've run into, gives you
LOCAL/SYSTEM. LOCAL/SYSTEM usually has significant privileges.
Dave Aitel
Immunity, Inc.
"Unchecked buffer in SQL Server 2000 authentication function
(CAN-2002-1123):
What's the scope of this vulnerability?
This is a buffer overrun vulnerability. By sending a specially malformed
login request to an affected server, an attacker could either cause the
SQL Server service to fail or gain control over the database. It would
not be necessary for the user to successfully authenticate to the server
in order to exploit the vulnerability.
This vulnerability only affects SQL Server 2000 and MSDE 2000. Although
the vulnerability would provide a way to gain control over the database,
it would not, under default conditions, grant the attacker significant
privileges at the operating system level. "
On Thu, 2002-10-03 at 10:56, David Litchfield wrote:
> The cumulative patch at
> http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-056.asp
> addresses 4 vulnerabilities in SQL Server 7 and 2000. Dave
> Aitel's (www.immunitysec.com) "hello" bug (unauthenticated buffer overflow
> during authentication) is patched here.
>
> Also addressed is the file overwrite vulnerability discussed here
> http://www.nextgenss.com/advisories/mssql-jobs2.txt
>
> The Microsoft advisory states that "operating system" commands can be
> inserted into files - the implication being that batch files can be dropped
> into startup folders. This is not true for SQL Server 2000. The text of the
> file created is UNICODE, i.e. each character taking two bytes with the
> second byte being a NULL. This NULL prevents OS commands from being
> executed. The risk posed to SQL Server 2000 systems then is file overwrite
> such as ntoskrnl.exe
>
> Please note that I have not tested this on SQL Server 7 and what MS says may
> be true about being able to run OS commands on this version - I have a
> feeling it is not, though.
>
> It is important that the patch be installed as soon as is possible to fix
> Dave Aitel's issue but for the file overwrite issue drop public access from
> the relevant stored procedures in the interim as a workaround:
>
> revoke execute on sp_add_job from public
> revoke execute on sp_add_jobstep from public
> revoke execute on sp_add_jobserver from public
> revoke execute on sp_start_job from public
>
> Cheers,
> David Litchfield
> A check for these issues already exists in NGSSQuirreL
> (http://www.nextgenss.com/software/ngssquirrel.html ) and an update is being
> made now to cover the other two issues.
>
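The interim workaround quoted above, as an added example that is not part of the original thread or of either author's tooling: a T-SQL script for the msdb database on SQL Server 2000 that first lists which of the four SQL Agent job procedures still grant EXECUTE to public, using the sysprotects catalog table (action 224 is EXECUTE; protecttype 204, 205 and 206 are GRANT WITH GRANT OPTION, GRANT and DENY), then applies the four REVOKE statements from the message, then re-runs the check so an administrator can confirm the change took effect. The procedure names and catalog tables are SQL Server 2000's own; the only assumption is that it is run by a sysadmin member in Query Analyzer or osql.

```sql
-- Added example (not from the original thread): check and apply the
-- MS02-056 interim workaround for the job-procedure file-overwrite issue.
-- Run as a member of sysadmin against SQL Server 2000.
USE msdb
GO

-- 1. Which of the four job procedures still expose EXECUTE to public?
--    sysprotects.action 224 = EXECUTE.
SELECT o.name AS procedure_name,
       u.name AS grantee,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
       END AS permission_state
FROM   sysprotects p
       JOIN sysobjects o ON o.id  = p.id
       JOIN sysusers   u ON u.uid = p.uid
WHERE  o.name IN ('sp_add_job', 'sp_add_jobstep', 'sp_add_jobserver', 'sp_start_job')
  AND  p.action = 224
  AND  u.name   = 'public'
ORDER BY o.name
GO

-- 2. Apply the workaround from the message. sysadmin members bypass
--    permission checks and are unaffected; any other login that creates or
--    starts Agent jobs loses that ability until the patch is installed.
REVOKE EXECUTE ON sp_add_job       FROM public
REVOKE EXECUTE ON sp_add_jobstep   FROM public
REVOKE EXECUTE ON sp_add_jobserver FROM public
REVOKE EXECUTE ON sp_start_job     FROM public
GO

-- 3. Verify: the count of EXECUTE grants to public on the four procedures
--    should now be 0. (EXEC sp_helprotect 'sp_add_job' shows the same per
--    procedure.)
SELECT COUNT(*) AS public_execute_grants_remaining
FROM   sysprotects p
       JOIN sysobjects o ON o.id  = p.id
       JOIN sysusers   u ON u.uid = p.uid
WHERE  o.name IN ('sp_add_job', 'sp_add_jobstep', 'sp_add_jobserver', 'sp_start_job')
  AND  p.action = 224
  AND  u.name   = 'public'
GO
```

Step 1 is worth keeping as a standing check even after patching: a later restore of msdb or a re-grant by an application installer can silently put the public EXECUTE grants back.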