Software Engineering Institute

Microsoft SQL Server provides a scripting construct known as a "stored procedure" that can execute a collection of server commands together. The SQL Server ships with several stored procedures, two of which contain an SQL injection vulnerability. This type of vulnerability occurs when an application does not properly validate user input before embedding the input into an SQL query. If an attacker submits crafted input containing an SQL query, the application may execute the attacker's query instead of the intended query.

According to Microsoft Security Bulletin MS02-038, this vulnerability occurs in two unspecified stored procedures that are used for replicating SQL data between separate servers. An unspecified parameter of these stored procedures will permit a user with db_owner privileges to execute SQL queries on the server or operating system commands on the server host. One of the two stored procedures contains an additional access control flaw that permits exploitation of this vulnerability by any user with an interactive login session. To exploit this vulnerability, an attacker must convince an administrator to enable the "SQL Server Agent Proxy" account, which is normally disabled.

This vulnerability allows attackers with limited administrative privileges to execute SQL queries on the server or operating system commands on the server host with the privileges of the SQL Server Agent Proxy account.

Apply a patch

Microsoft has published Security Bulletin MS02-038 to address this vulnerability. For more information, please see

http://www.microsoft.com/technet/security/bulletin/ms02-038.asp

This vulnerability also affects any products that include the Microsoft Desktop Engine (MSDE) 2000. For more information, please see

http://www.microsoft.com/technet/security/MSDEapps.asp