Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2522
HistoryFeb 21, 2002 - 12:00 a.m.

Security Bulletin MS02-007

2002-02-2100:00:00
vulners.com
26
JSON

Title: SQL Server Remote Data Source Function Contain
Unchecked Buffers
Date: 20 February 2002
Software: Microsoft SQL Server
Impact: Run code of attacker's choice on server
Max Risk: Moderate
Bulletin: MS02-007

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-007.asp.

Issue:

One of the features of Structured Query Language (SQL) in
SQL Server 7.0 and 2000 is the ability to connect to remote data
sources. One capability of this feature is the ability to use
"ad hoc" connections to connect to remote data sources without
setting up a linked server for less-often used data-sources. This
is made possible through the use of OLE DB providers, which are
low-level data source providers. This capability is made possible
by invoking the OLE DB provider directly by name in a query to
connect to the remote data source.

An unchecked buffer exists in the handling of OLE DB provider names
in ad hoc connections. A buffer overrun could occur as a result and
could be used to either cause the SQL Server service to fail, or to
cause code to run in the security context of the SQL Server.
SQL Server can be configured to run in various security contexts,
and by default runs as a domain user. The precise privileges the
attacker could gain would depend on the specific security context
that the service runs in.

An attacker could exploit this vulnerability in one of two ways.
They could attempt to load and execute a database query that calls
one of the affected functions. Conversely, if a web-site or other
database front-end were configured to access and process arbitrary
queries, it could be possible for an attacker to provide inputs that
would cause the query to call one of the functions in question
with the appropriate malformed parameters.

Mitigating Factors:

  • The effect of exploiting the vulnerability would depend on the
    specific configuration of the SQL Server service. SQL Server
    can be configured to run in a security context chosen by the
    administrator. By default, this context is as a domain user.
    If the rule of least privilege has been followed, it would
    minimize the amount of damage an attacker could achieve.

  • Both vectors for exploiting the vulnerability could be blocked
    by following best practices. Specifically, untrusted users
    should not be able to load and execute queries of their choice
    on a database server. In addition, publicly accessible database
    queries should filter all inputs prior to processing.

Risk Rating:

  • Internet systems: Moderate
  • Intranet systems: Moderate
  • Client systems: Moderate

Patch Availability:

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

JSON