Notes on the SQL Cumulative patch

["David Litchfield" <david () ngssoftware com>]

The cumulative patch at
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS
02-056.asp addresses 4 vulnerabilities in SQL Server 7 and 2000. Dave
Aitel's (www.immunitysec.com) "hello" bug (unauthenticated  buffer overflow
during authentication) is patched here.

Also addressed is the file overwrite vulnerability discussed here
http://www.nextgenss.com/advisories/mssql-jobs2.txt

The Microsoft advisory states that "operating system" commands can be
inserted into files - the implication being that batch files can be dropped
into startup folders. This is not true for SQL Server 2000. The text of the
file created is UNICODE, i.e. each character taking two bytes with the
second byte being a NULL. This NULL prevents OS commands from being
executed. The risk posed to SQL Server 2000 systems then is file overwrite
such as ntoskrnl.exe

Please note that I have not tested this on SQL Server 7 and what MS says may
be true about being able to run OS commands on this version - I have a
feeling it is not, though.

It is important that the patch be installed as soon as is possible to fix
Dave Aitel's issue but for the file overwrite issue drop public access from
the relevant stored procedures in the interim as a workaround:

revoke execute on sp_add_job from public
revoke execute on sp_add_jobstep from public
revoke execute on sp_add_jobserver from public
revoke execure on sp_start_job from public

Cheers,
David Litchfield
A check for these issues already exists in NGSSQuirreL
(http://www.nextgenss.com/software/ngssquirrel.html ) and an update is being
made now to cover the other two issues.