search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft SQL Server contains buffer overflow vulnerabilities in multiple extended stored procedures

Vulnerability Note VU#627275

Original Release Date: 2002-07-26 | Last Revised: 2002-07-29

Overview

Microsoft SQL Server 7.0 and SQL Server 2000 contain buffer overflow vulnerabilities in multiple extended stored procedures. A remote attacker could cause a denial of service or execute arbitrary code or commands with the privileges of the SQL Server process, potentially gaining complete control over a vulnerable system. An attacker could also manipulate databases stored on a vulnerable system.

Description

Microsoft SQL Server provides a scripting construct known as an "extended stored procedure" that can execute a collection of server commands together. Several of the extended stored procedures included with the Microsoft SQL Server contain buffer overflow vulnerabilities. These procedures provide increased functionality for database applications, allowing them to access operating system or network resources.

Parameters are passed to extended stored procedures via an API that specifies the actual and maximum length of various parameter data types. Some of the extended stored procedures fail to adequately validate the length of input parameters, resulting in stack buffer overflow conditions. Since some of the vulnerable procedures are configured by default to allow public access, it is possible for an unauthenticated attacker to exploit one or more of these buffer overflows. SQL Server databases are commonly used in web applications, so the vulnerable procedures may be accessible via the Internet. Microsoft Security Bulletin MS02-020 states

An attacker could exploit this vulnerability in one of two ways. Firstly, the attacker could attempt to load and execute a database query that calls one of the affected functions. Secondly, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.

Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with the privileges of the SQL service account. If the privileges of the service account are elevated via VU#796313, this vulnerability may result in compromise of the server host.

Solution

Apply patch


Microsoft has published Security Bulletin MS02-020 to address this vulnerability. For more information, please see

http://www.microsoft.com/technet/security/bulletin/MS02-020.asp

Disable vulnerable procedures

Disable (drop) the vulnerable extended stored procedures. Note that this may affect functionality, and that the CERT/CC has not verified the list of vulnerable procedures referenced in the Application Security, Inc. report.

Vendor Information

627275
 
Expand all

Microsoft Corporation Affected

Notified:  July 27, 2002 Updated: July 29, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has published Security Bulletin MS02-020 to address this vulnerability. For more information, please see


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT/CC acknowledges Cesar Cerrudo of Application Security, Inc. for reporting these vulnerabilities, and Bronek Kozicki for reporting the privilege elevation issue.

This document was written by Art Manion and Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2002-0154
CERT Advisory: CA-2002-22
Severity Metric: 45.18
Date Public: 2002-03-12
Date First Published: 2002-07-26
Date Last Updated: 2002-07-29 23:18 UTC
Document Revision: 44

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis