[VulnWatch] Notes on the SQL Cumulative patch

From: David Litchfield (davidat_private)
Date: Thu Oct 03 2002 - 07:56:37 PDT


    The cumulative patch at
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-056.asp
    addresses 4 vulnerabilities in SQL Server 7 and 2000. Dave
    Aitel's (www.immunitysec.com) "hello" bug (unauthenticated buffer overflow
    during authentication) is patched here.
    
    Also addressed is the file overwrite vulnerability discussed here
    http://www.nextgenss.com/advisories/mssql-jobs2.txt
    
    The Microsoft advisory states that "operating system" commands can be
    inserted into files - the implication being that batch files can be dropped
    into startup folders. This is not true for SQL Server 2000. The text of the
    file created is UNICODE, i.e. each character taking two bytes with the
    second byte being a NULL. This NULL prevents OS commands from being
    executed. The risk posed to SQL Server 2000 systems then is the overwriting
    of files such as ntoskrnl.exe.
    
    Please note that I have not tested this on SQL Server 7 and what MS says may
    be true about being able to run OS commands on this version - I have a
    feeling it is not, though.
    
    It is important that the patch be installed as soon as is possible to fix
    Dave Aitel's issue but for the file overwrite issue drop public access from
    the relevant stored procedures in the interim as a workaround:
    
    revoke execute on sp_add_job from public
    revoke execute on sp_add_jobstep from public
    revoke execute on sp_add_jobserver from public
    revoke execute on sp_start_job from public
    
    Cheers,
    David Litchfield
    A check for these issues already exists in NGSSQuirreL
    (http://www.nextgenss.com/software/ngssquirrel.html ) and an update is being
    made now to cover the other two issues.
    
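    The following is an added example, not part of David Litchfield's post: a T-SQL
    script that audits msdb for the interim workaround above and applies the revoke only
    where public still holds EXECUTE. It assumes the SQL Server 2000 system catalog
    (sysobjects, sysprotects, with action 224 = EXECUTE, protecttype 204/205 = GRANT,
    uid 0 = public).

```sql
-- Added example (not from the original post): check whether the public role
-- still has EXECUTE on the four msdb job procedures named in the workaround,
-- and revoke it where it does. Assumes SQL Server 2000 system tables.
USE msdb
GO
DECLARE @proc sysname, @sql nvarchar(200)
DECLARE procs CURSOR FOR
    SELECT name FROM dbo.sysobjects
    WHERE name IN ('sp_add_job', 'sp_add_jobstep', 'sp_add_jobserver', 'sp_start_job')
      AND xtype = 'P'                      -- stored procedures only
OPEN procs
FETCH NEXT FROM procs INTO @proc
WHILE @@FETCH_STATUS = 0
BEGIN
    -- sysprotects: uid 0 = public, action 224 = EXECUTE,
    -- protecttype 204 = GRANT WITH GRANT OPTION, 205 = GRANT
    IF EXISTS (SELECT 1
               FROM dbo.sysprotects p JOIN dbo.sysobjects o ON p.id = o.id
               WHERE o.name = @proc AND p.uid = 0
                 AND p.action = 224 AND p.protecttype IN (204, 205))
    BEGIN
        PRINT 'public still has EXECUTE on ' + @proc + ' - revoking'
        SET @sql = N'REVOKE EXECUTE ON ' + QUOTENAME(@proc) + N' FROM public'
        EXEC (@sql)
    END
    ELSE
        PRINT 'OK: public has no EXECUTE on ' + @proc
    FETCH NEXT FROM procs INTO @proc
END
CLOSE procs
DEALLOCATE procs
GO
```

    Run it as a member of sysadmin; re-run it after applying the cumulative patch to confirm the grants were not restored.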
    This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 09:22:44 PDT