Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft SQL Server local code execution

From: "@stake Advisories" <advisories () atstake com>
Date: Wed, 23 Jul 2003 17:11:13 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                            @stake Inc.
www.atstake.com 
                         Security Advisory


Advisory Name: Microsoft SQL Server local code execution
Release Date: 07/23/2003
 Application: Microsoft SQL Server 7, 2000, MSDE
    Platform: Windows NT/2000/XP
    Severity: Local code execution / Denial of Service
      Author: Andreas Junestam (andreas () atstake com)
Vendor Status: Microsoft has patch available
CVE Candidate: CAN-2003-0232
   Reference: www.atstake.com/research/advisories/2003/a072303-3.txt


Overview:

Microsoft SQL Server uses LPC (Local Procedure Calls) to
implement some of its inter-processes communication. The
port providing this service can be used by anyone. By sending
a specially crafted message to SQL Server through this port,
an attacker can overwrite certain parts of memory and thus
execute code using the SQL Server's credentials.


Detailed Description:

Microsoft SQL Server uses different ways of communicating with
a client locally, one of them is over a LPC port. This port
can by used by any local user to send information to the SQL
Server service. By sending a specially crafted message to this
port it is possible to overwrite information stored on the
stack. This would allow an attacker to execute code under
SQL Server's credentials thereby escalating privileges. This
would then allow the user to read and write access to the
database files.  If the SQL Server is running under the
Administrator or Local System account this would enable
system compromise.

As with most SQL Server issues MSDE is effected.  MSDE is
included in many Microsoft and non-Microsoft products. A list
of products that includes MSDE is here:

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13


Vendor Response:

Microsoft was contacted on 02/05/2003

Microsoft has a bulletin and patch available:

http://www.microsoft.com/technet/security/bulletin/MS03-031.asp


Recommendation:

Install the vendor patch. If your SQL Server is running under
the Administrator or Local System account consider running SQL
Server under a less privileged account.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

 CAN-2003-0232


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPx75pUe9kNIfAm4yEQKqjwCgjN94EPfRFvtLd/4CHGjbW6QU/XIAoLKp
teXQzo5cqxIZY2OcMil/n9AC
=iMTE
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: