Reported July 23, 2003, by Microsoft.

 

VERSIONS AFFECTED

 

  • Microsoft SQL Server 2000 and 7.0

  • Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)

  • Microsoft Data Engine (MSDE) 1.0

 

DESCRIPTION

 

Three new vulnerabilities exist in SQL Server 2000, SQL Server 7.0, MSDE 2000, and MSDE 1.0, the most serious of which can result in the execution of arbitrary code on the vulnerable computer. These vulnerabilities are as follows:

 

  • Named Pipe Hijacking
    A flaw exists in the checking method for the named pipe. The flaw can permit an attacker local to the SQL Server system to gain control of the named pipe during another client's authenticated logon. The attacker could then gain control of the named pipe at the same permission level as the user who is attempting to connect. If the user has a higher level of permissions than the attacker, the attacker will assume those rights when the named pipe is compromised.

  • Named Pipe Denial of Service
    In the same named-pipes scenario as above, an unauthenticated user who is local to the intranet can send a large packet to a specific named pipe on which the SQL Server system is listening and cause it to become unresponsive. This scenario can create a Denial of Service (DoS) condition that would require a server restart to restore functionality.

  • SQL Server Buffer Overrun
    A flaw in a specific Windows function might permit an authenticated user--with direct access to log on to the SQL Server system --to create a specially crafted packet that could cause a buffer overrun when sent to the system's listening local procedure call (LPC) port. This flaw can allow a user with limited system permissions to elevate his or her permissions to the level of the SQL Server service account or cause arbitrary code to run.

 

VENDOR RESPONSE

 

Microsoft has released Security Bulletin MS03-031, "Cumulative Patch for Microsoft SQL Server (815495)," to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.

 

CREDIT

Discovered by Andreas Junstream of @Stake.