Microsoft SQL Server local code execution

From: @stake Advisories (@stake)
Date: Wed Jul 23 2003 - 14:11:13 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
                                 @stake Inc.
                               www.atstake.com 
    
                              Security Advisory
    
     
    Advisory Name: Microsoft SQL Server local code execution
     Release Date: 07/23/2003
      Application: Microsoft SQL Server 7, 2000, MSDE
         Platform: Windows NT/2000/XP
         Severity: Local code execution / Denial of Service
           Author: Andreas Junestam (andreasat_private)
    Vendor Status: Microsoft has patch available
    CVE Candidate: CAN-2003-0232
        Reference: www.atstake.com/research/advisories/2003/a072303-3.txt
    
    
    Overview:
    
    Microsoft SQL Server uses LPC (Local Procedure Calls) to
    implement some of its inter-process communication. The LPC
    port providing this service can be connected to by any local
    user. By sending a specially crafted message to SQL Server
    through this port, a local attacker can overwrite parts of
    the server's memory and execute code with the privileges of
    the SQL Server service account.
    
    
    Detailed Description:
    
    Microsoft SQL Server supports several local client transports,
    one of which is an LPC port. Any local user can send messages
    to the SQL Server service through this port. A specially
    crafted message overwrites data stored on the stack, which
    allows an attacker to execute code under the SQL Server
    service account and thereby escalate privileges. At a minimum
    this gives the attacker read and write access to the database
    files. If SQL Server is running under the Administrator or
    Local System account, the result is a full compromise of the
    host.
    
    As with most SQL Server issues, MSDE is also affected. MSDE is
    bundled with many Microsoft and third-party products, so hosts
    that do not obviously run SQL Server may still be vulnerable.
    A list of products that include MSDE is here:
    
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13
    
    
    Vendor Response:
    
    Microsoft was contacted on 02/05/2003
    
    Microsoft has a bulletin and patch available:
    
    http://www.microsoft.com/technet/security/bulletin/MS03-031.asp
    
    
    Recommendation:
    
    Install the vendor patch (MS03-031). If SQL Server is running
    under the Administrator or Local System account, reconfigure
    the service to run under a dedicated, less privileged account
    so that a compromise of the service does not yield the whole
    host.
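
    The following PowerShell script is an added example and is
    not part of the @stake advisory. It implements the check a
    practitioner would run before and after applying the
    recommendation above: enumerate the SQL Server / MSDE
    services on the host (default instance MSSQLSERVER, named
    instances MSSQL$NAME, the SQL Agent services, and the SQL
    Server 7 era names MSSQLServer / SQLServerAgent) and report
    which ones run as LocalSystem or as a member of the local
    Administrators group. It assumes Get-CimInstance and
    Get-LocalGroupMember are available (Windows PowerShell 5.1
    or later), which is a newer platform than the NT/2000/XP
    systems the advisory lists; the variable names and the
    matching pattern are my own choices.

```powershell
# Added example, not from the @stake advisory: flag SQL Server / MSDE
# services that run as LocalSystem or as a local Administrator.
# Assumes Windows PowerShell 5.1+ with Get-CimInstance and
# Get-LocalGroupMember; run elevated so group membership can be read.

# Members of the local Administrators group, lower-cased as "HOST\user"
# or "DOMAIN\user" for comparison with the service StartName.
$adminMembers = @()
try {
    $adminMembers = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.ToLowerInvariant() }
} catch {
    Write-Warning "Could not read local Administrators membership: $_"
}

# Service name prefixes used by SQL Server 7 / 2000 / MSDE and later
# versions. -match is case-insensitive by default, so MSSQLServer,
# MSSQLSERVER and MSSQL$INSTANCE are all caught.
$sqlServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match '^(MSSQL|SQLAgent|SQLServerAgent)' }

if (-not $sqlServices) {
    Write-Host 'No SQL Server / MSDE services found on this host.'
    return
}

foreach ($svc in $sqlServices) {
    # StartName examples: LocalSystem, NT Service\MSSQLSERVER,
    # DOMAIN\sqlsvc, .\sqlsvc (local account, host name abbreviated).
    $acct = $svc.StartName
    $verdict = 'low-privilege (ok)'

    if ([string]::IsNullOrEmpty($acct)) {
        $verdict = 'unknown (no StartName reported)'
    }
    elseif ($acct -ieq 'LocalSystem' -or $acct -ieq 'NT AUTHORITY\SYSTEM') {
        $verdict = 'HIGH: runs as LocalSystem'
    }
    else {
        # Expand ".\user" to "HOST\user" so it matches Get-LocalGroupMember output.
        $normalized = ($acct -replace '^\.\\', "$env:COMPUTERNAME\").ToLowerInvariant()
        if ($adminMembers -contains $normalized) {
            $verdict = 'HIGH: service account is a member of local Administrators'
        }
    }

    [pscustomobject]@{
        Service = $svc.Name
        State   = $svc.State
        Account = $acct
        Verdict = $verdict
    }
}
```

    Two limitations to keep in mind: Get-LocalGroupMember lists
    direct members only, so a domain account that is an
    administrator through a nested domain group is reported as
    low-privilege, and a service account that holds the SQL
    Server data files' NTFS permissions still gives an attacker
    read/write access to the databases even when it is not an
    administrator, which is exactly the minimum impact the
    advisory describes.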
    
    
    Common Vulnerabilities and Exposures (CVE) Information:
    
    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following name to this issue.  It is a candidate for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.
    
      CAN-2003-0232
    
    
    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/
    
    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/
    
    PGP Key:
    http://www.atstake.com/research/pgp_key.asc
    
    Copyright 2003 @stake, Inc. All rights reserved.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0
    
    iQA/AwUBPx75pUe9kNIfAm4yEQKqjwCgjN94EPfRFvtLd/4CHGjbW6QU/XIAoLKp
    teXQzo5cqxIZY2OcMil/n9AC
    =iMTE
    -----END PGP SIGNATURE-----
    
    This archive was generated by hypermail 2b30 : Wed Jul 23 2003 - 14:45:04 PDT