
Patch Available for "Extended Stored Procedure Parameter Parsing" Vulnerability


manunkind
December 1, 2000, 03:31 pm
Microsoft Security Bulletin (MS00-092)
Patch Available for "Extended Stored Procedure Parameter Parsing" Vulnerability

Originally posted: December 01, 2000

Summary
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® SQL Server and Microsoft SQL Server Desktop Engine (MSDE). The vulnerability could enable a malicious user to run code on the server, subject to a number of restrictions.

Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-092.asp

Issue
Extended Stored Procedures (XPs) are DLLs that can be installed by a SQL Server administrator to provide enhanced functionality within SQL Server. An API provided by SQL Server to parse input parameters for XPs, srv_paraminfo(), has a flaw that could result in a buffer overrun condition. The API is designed to locate the nth parameter in a string, and put it into a buffer provided by the XP. By design, the API does not provide a way for the XP to indicate the length of the buffer – instead, the XP is expected to ensure that the buffer will be large enough to hold the parameter. However, not all XPs provided by default in SQL Server perform this checking. A malicious user who provided a sufficiently-long parameter to an affected XP could cause a buffer overrun within srv_paraminfo, in order to either cause the SQL Server to fail, or to cause code of her choice to execute.

There are two scenarios whereby a malicious user might seek to exploit the vulnerability:

First, she might try to attack a SQL Server directly, by logging onto it and calling an XP. However, she could only do this if she could successfully authenticate to the SQL Server.
Alternatively, she could try to attack a database server that served as a back-end to a web server, by providing carefully-chosen inputs to the web application. However, XPs are rarely used by web applications. Even if a web application did use an XP, she would need detailed knowledge of the design of the web application in order to feed it parameters that would pass to an XP, and thence to srv_paraminfo() in such a way as to exploit the unchecked buffer.
As a result of these restrictions, it is likely that this vulnerability would be most useful to a malicious user who had already compromised a web server and become a valid SQL Server user on the back-end server. If the malicious user did succeed in running code on the server, it would run in the security context of the SQL Server service account. If best practices have been followed, this account would have only normal user privileges on the machine. In this case, the malicious user’s code could take any desired action against the database, but would not gain administrative control of the machine.

The patch works by changing all default XPs to allocate a correctly sized buffer before calling srv_paraminfo(). This approach was chosen over modifying srv_paraminfo() because the latter course of action would have introduced backward compatibility problems. Microsoft recommends that any third-party XPs that call srv_paraminfo() also be checked to ensure that they do so correctly. (The Knowledge Base article referenced below provides information on how to do this.)

Affected Software Versions
Microsoft SQL Server 7.0
Microsoft SQL Server 2000
Microsoft Data Engine 1.0 (MSDE 1.0)
Microsoft SQL Server Desktop Engine 2000 (MSDE 2000)
Note: MSDE 1.0 was released with SQL Server 7.0. MSDE 2000 was released with SQL Server 2000.

Patch Availability: http://support.microsoft.com/support/sql/xp_security.asp

Note: The SQL Server 7.0 patch can be applied atop Service Pack 2. It will be included in SQL Server 7.0 Service Pack 3.

Note: The SQL Server 2000 patch can be applied atop SQL Server 2000. It will be included in SQL Server 2000 Service Pack 1.

Note: Additional security patches are available at the Microsoft Download Center



------------------
Moderator at Help from Techs Support Forums (http://www.helpfromtechs.com)
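The bulletin above describes the root cause (srv_paraminfo() copies the nth parameter into a caller-supplied buffer and has no argument for that buffer's size) and the fix Microsoft chose (the XP sizes its buffer before the copying call). The C below is an added example, not code from the bulletin or from Microsoft; it shows the sizing pattern an XP author would apply to third-party XPs. The srv_paraminfo() prototype is the one from the Open Data Services headers, but the function body here is a constructed mock that reads from a small parameter table instead of a live SQL Server, the SRV_PROC struct is a stand-in for the real opaque handle, and fetch_param(), fetch_param_bounded() and demo() are hypothetical helper names.

```c
/* Added example: sizing an XP's buffer before calling srv_paraminfo().
 * The real function lives in opends60.dll; this mock shares only its
 * prototype so the example builds and runs offline. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char BYTE;
typedef unsigned long ULONG;
typedef int BOOL;
#define SUCCEED 1
#define FAIL    0

/* Constructed stand-in for the opaque ODS handle: the parameters the
 * client sent with the XP call (NULL entry = SQL NULL). */
typedef struct {
    int         count;
    const char *values[8];
} SRV_PROC;

/* Mock with the ODS prototype. Like the real API it is never told how
 * large pbData is, so it copies the whole parameter. Passing pbData == NULL
 * reports type and lengths only, which is how an XP learns the size. */
int srv_paraminfo(SRV_PROC *srvproc, int n, BYTE *pbType, ULONG *pcbMaxLen,
                  ULONG *pcbActualLen, BYTE *pbData, BOOL *pfNull)
{
    if (srvproc == NULL || n < 1 || n > srvproc->count)
        return FAIL;
    const char *v = srvproc->values[n - 1];
    ULONG len = v ? (ULONG)strlen(v) : 0;
    if (pbType)       *pbType = 0;           /* constructed: no real type tags */
    if (pfNull)       *pfNull = (v == NULL);
    if (pcbMaxLen)    *pcbMaxLen = len;
    if (pcbActualLen) *pcbActualLen = len;
    if (pbData && v)  memcpy(pbData, v, len); /* no length argument: copies all */
    return SUCCEED;
}

/* Hardened fetch: first call with pbData == NULL to get the actual length,
 * allocate exactly that much plus a terminator, then fetch. Returns a heap
 * string the caller frees, or NULL on failure or a SQL NULL parameter. */
char *fetch_param(SRV_PROC *srvproc, int n)
{
    BYTE  type; ULONG maxlen, actlen; BOOL isnull;
    if (srv_paraminfo(srvproc, n, &type, &maxlen, &actlen, NULL, &isnull) == FAIL || isnull)
        return NULL;
    char *buf = malloc(actlen + 1);
    if (buf == NULL)
        return NULL;
    if (srv_paraminfo(srvproc, n, &type, &maxlen, &actlen, (BYTE *)buf, &isnull) == FAIL) {
        free(buf);
        return NULL;
    }
    buf[actlen] = '\0';
    return buf;
}

/* Alternative for XPs that keep a fixed buffer: compare the reported
 * length against the buffer before the copying call and refuse oversize
 * input instead of letting srv_paraminfo() overrun the buffer. */
int fetch_param_bounded(SRV_PROC *srvproc, int n, char *buf, size_t bufsize)
{
    BYTE  type; ULONG maxlen, actlen; BOOL isnull;
    if (srv_paraminfo(srvproc, n, &type, &maxlen, &actlen, NULL, &isnull) == FAIL)
        return FAIL;
    if (isnull) { buf[0] = '\0'; return SUCCEED; }
    if (actlen >= bufsize)            /* would not fit: reject, do not copy */
        return FAIL;
    if (srv_paraminfo(srvproc, n, &type, &maxlen, &actlen, (BYTE *)buf, &isnull) == FAIL)
        return FAIL;
    buf[actlen] = '\0';
    return SUCCEED;
}

/* Constructed demo: one short and one 599-byte parameter. Returns 1 when the
 * bounded fetch refuses the oversize value and the sizing fetch gets both. */
int demo(void)
{
    static char big[600];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    SRV_PROC proc = { 2, { "hello", big } };
    char small[256];
    int ok = 1;
    ok &= (fetch_param_bounded(&proc, 1, small, sizeof small) == SUCCEED && strcmp(small, "hello") == 0);
    ok &= (fetch_param_bounded(&proc, 2, small, sizeof small) == FAIL);
    char *p1 = fetch_param(&proc, 1), *p2 = fetch_param(&proc, 2);
    ok &= (p1 != NULL && strcmp(p1, "hello") == 0);
    ok &= (p2 != NULL && strlen(p2) == 599);
    free(p1); free(p2);
    return ok;
}

int main(void)
{
    printf("buffer sizing checks %s\n", demo() ? "passed" : "failed");
    return demo() ? 0 : 1;
}
```

Both helpers make the same first call with pbData set to NULL; the difference is only what they do with the reported length. That is the check the bulletin says the default XPs lacked, and it is the check to look for when reviewing a third-party XP that calls srv_paraminfo() directly.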