Re: [VulnWatch] Notes on the SQL Cumulative patch

[Dave Aitel <dave () immunitysec com>]

People in Immunity's Vulnerability Disclosure Club or people who have
purchased CORE Impact or people who have written their own SQL Server
Hello exploit can verify that this statement from the Microsoft Advisory
is, in fact, completely untrue.

The default install, in fact, every install I've run into, gives you
LOCAL/SYSTEM. LOCAL/SYSTEM usually has significant privileges. 

Dave Aitel
Immunity, Inc.

"Unchecked buffer in SQL Server 2000 authentication function
(CAN-2002-1123):

What’s the scope of this vulnerability?

This is a buffer overrun vulnerability. By sending a specially malformed
login request to an affected server, an attacker could either cause the
SQL Server service to fail or gain control over the database. It would
not be necessary for the user to successfully authenticate to the server
in order to exploit the vulnerability.

This vulnerability only affects SQL Server 2000 and MSDE 2000. Although
the vulnerability would provide a way to gain control over the database,
it would not, under default conditions, grant the attacker significant
privileges at the operating system level. "

On Thu, 2002-10-03 at 10:56, David Litchfield wrote:
> The cumulative patch at
> http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS
> 02-056.asp addresses 4 vulnerabilities in SQL Server 7 and 2000. Dave
> Aitel's (www.immunitysec.com) "hello" bug (unauthenticated  buffer overflow
> during authentication) is patched here.
>
> Also addressed is the file overwrite vulnerability discussed here
> http://www.nextgenss.com/advisories/mssql-jobs2.txt
>
> The Microsoft advisory states that "operating system" commands can be
> inserted into files - the implication being that batch files can be dropped
> into startup folders. This is not true for SQL Server 2000. The text of the
> file created is UNICODE, i.e. each character taking two bytes with the
> second byte being a NULL. This NULL prevents OS commands from being
> executed. The risk posed to SQL Server 2000 systems then is file overwrite
> such as ntoskrnl.exe
>
> Please note that I have not tested this on SQL Server 7 and what MS says may
> be true about being able to run OS commands on this version - I have a
> feeling it is not, though.
>
> It is important that the patch be installed as soon as is possible to fix
> Dave Aitel's issue but for the file overwrite issue drop public access from
> the relevant stored procedures in the interim as a workaround:
>
> revoke execute on sp_add_job from public
> revoke execute on sp_add_jobstep from public
> revoke execute on sp_add_jobserver from public
> revoke execure on sp_start_job from public
>
> Cheers,
> David Litchfield
> A check for these issues already exists in NGSSQuirreL
> (http://www.nextgenss.com/software/ngssquirrel.html ) and an update is being
> made now to cover the other two issues.

Attachment: signature.asc
Description: This is a digitally signed message part