-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We have received several inquiries regarding the advisory, "Named Pipe Filename Local Privilege Escalation" that was published by @stake on 07/08/2003. These answers should clarify where the vulnerability actually lies so customers can make informed decisions on what may need to be fixed in their environments. 1. Is SQL Server 7.0 vulnerable? The actual vulnerability is at the Windows NT/XP/2000 platform level, not at the application level. Any application that calls CreateFile based on user input and doesn't filter out named pipe names can be used as an attack vector to exploit this vulnerability. Since SQL Server 7.0 contains the xp_fileexist procedure, which calls CreateFile with user input, it is an attack vector. Instead of fixing this one attack vector Microsoft has fixed the actual design vulnerability with new privileges. If you are running SQL Server 7.0 you should upgrade to Windows 2000 SP4 if local privilege escalation is a risk in your environment. There are potentially many other applications that can be used as attack vectors. We have made no attempt to find any other vectors at this time. SQL Server MSDE which is installed by many products is potentially another vector. A full list is here: http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13 2. Are Windows NT 4.0, Windows XP, and Windows 2003 vulnerable? Windows NT 4.0 and Windows XP are. The MSDN documentation for SeImpersonatePrivilege states this: "Windows XP, Windows 2000 SP3 and earlier, Windows NT: This privilege is not supported." [line wrapped] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ security/security/authorization_constants.asp Windows 2000 SP4 and Windows 2003 are the only platforms that support the new privilege that fixes this issue. 3. Has @stake conducted any extensive research on the potential impact on production systems when implementing SP4? We have not done any research on the impact of SP4 on production systems. We are not set up to do application regression testing. This is a major change for applications that must use impersonation. As with all service packs, acceptance testing is advised. The Microsoft KB article (http://support.microsoft.com/default.aspx?scid=kb;[LN];821546) does have troubleshooting tips for applications that require the impersonation privilege that are not started by the service control manager or the COM infrastructure. 4. What are some other workarounds to this issue? Since this is a local privilege escalation issue it can be mitigated by only allowing administrators to logon locally to servers running applications that can be used as attack vectors. If you are running terminal services then only administrators should be given permission to connect. 5. Why is there no Microsoft bulletin on this issue? Microsoft's policy is to not issue bulletins for vulnerabilities that are fixed in service packs. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPww3GEe9kNIfAm4yEQJErgCgzv63PpiKGQJKVcByXUAzJ5Sh1yoAoMIV b08pH5Ek0SxIddU8P5/WGYzh =0yaa -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 14:11:58 PDT