Published:

03 October 2002

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.539 -- Microsoft Security Bulletin MS02-056
                 Cumulative Patch for SQL Server (Q316333)
                              03 October 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Microsoft SQL Server 7.0
                        Microsoft Data Engine (MSDE) 1.0
                        Microsoft SQL Server 2000
                        Microsoft Desktop Engine (MSDE) 2000
Vendor:                 Microsoft
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
                        Increased Privileges
Access Required:        Remote

Ref:                    ESB-2002.442

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Cumulative Patch for SQL Server (Q316333)
Date:       02 October 2002
Software:   Microsoft SQL Server 7.0
		Microsoft Data Engine (MSDE) 1.0 
		Microsoft SQL Server 2000 
		Microsoft Desktop Engine (MSDE) 2000
Impact:     Four vulnerabilities, the most serious of which could 
		enable an attacker to gain control over an affected
		server.
Max Risk:   Critical
Bulletin:   MS02-056

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-056.asp.
- - ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000,
Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE)
2000. In addition, it eliminates four newly discovered vulnerabilities.
*	A buffer overrun in a section of code in SQL Server 2000
	(and MSDE 2000) associated with user authentication. By
	sending a specially malformed login request to an affected
	server, an attacker could either cause the server to fail or
	gain the ability to overwrite memory on the server, thereby
	potentially running code on the server in the security context
	of the SQL Server service. It would not be necessary for the
	user to successfully authenticate to the server or to be able
	to issue direct commands to it in order to exploit the
	vulnerability.
*	A buffer overrun vulnerability that occurs in one of the
	Database Console Commands (DBCCs) that ship as part of SQL
	Server 7.0 and 2000. In the most serious case, exploiting
	this vulnerability would enable an attacker to run code in
	the context of the SQL Server service, thereby giving the
	attacker complete control over all databases on the server.
*	A vulnerability associated with scheduled jobs in SQL Server
	7.0 and 2000. SQL Server allows unprivileged users to create
	scheduled jobs that will be executed by the SQL Server Agent.
	By design, the SQL Server Agent should only perform job
	steps that are appropriate for the requesting user's
	privileges. However, when a job step requests that an output
	file be created, the SQL Server Agent does so using its own
	privileges rather than the job owner's privileges. This
	creates a situation in which an unprivileged user could
	submit a job that would create a file containing valid
	operating system commands in another user's Startup folder,
	or simply overwrite system files in order to disrupt system
	operation.
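
The scheduled-job flaw above can be audited before and after patching with the following T-SQL. It is an added example, not part of the Microsoft bulletin: it lists SQL Server Agent job steps owned by logins outside the sysadmin role that request an output file, and flags output paths outside an approved log directory (the D:\SQLJobLogs\ prefix is an assumed placeholder for your own path).

```sql
-- Added audit query (not from the bulletin). Assumes SQL Server 7.0/2000 with
-- the standard msdb.dbo.sysjobs / msdb.dbo.sysjobsteps tables; the approved
-- log directory below is an assumed placeholder for your own path.
USE msdb
GO
DECLARE @approved_dir nvarchar(260)
SET @approved_dir = N'D:\SQLJobLogs\'   -- placeholder: where job output may legitimately land

SELECT  j.name                    AS job_name,
        SUSER_SNAME(j.owner_sid)  AS job_owner,
        j.enabled,
        s.step_id,
        s.step_name,
        s.subsystem,              -- TSQL, CmdExec, ActiveScripting, ...
        s.output_file_name,
        CASE
            WHEN s.output_file_name LIKE @approved_dir + N'%'
                THEN 'ok: inside approved directory'
            ELSE 'REVIEW: writes outside approved directory'
        END                       AS path_check
FROM    dbo.sysjobs     AS j
JOIN    dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE   LTRIM(RTRIM(ISNULL(s.output_file_name, N''))) <> N''
        -- Only non-sysadmin owners are interesting: the Agent writes the file
        -- with its own service-account privileges, not the owner's. A NULL
        -- result means the owning login no longer exists, so review those too.
AND     ISNULL(IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)), 0) <> 1
ORDER BY job_owner, job_name, s.step_id
GO
```

Rows marked REVIEW deserve a look at the step's command text as well as its output path, and the patch should be applied regardless of what the query returns.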

The patch also changes the operation of SQL Server, to prevent 
non-administrative users from running ad hoc queries against 
non-SQL OLEDB data sources. Although the current operation does 
not represent a security vulnerability, the new operation makes 
it more difficult to misuse poorly coded data providers that might
be installed on the server. 

Mitigating Factors:
====================
Unchecked buffer in SQL Server 2000 authentication function: 
*	This vulnerability only affects SQL Server 2000 and MSDE 2000. 
	Neither SQL Server 7.0 nor MSDE 1.0 are affected. 
*	If the SQL Server port (port 1433) were blocked at the firewall,
	the vulnerability could not be exploited from the Internet. 
*	Exploiting this vulnerability would allow the attacker to 
	escalate privileges to the level of the SQL Server service 
	account. By default, the service runs with the privileges of a 
	domain user, rather than with system privileges. 
Unchecked buffer in Database Console Commands: 
*	Exploiting this vulnerability would allow the attacker to 
	escalate privileges to the level of the SQL Server service
	account. By default, the service runs with the privileges of a 
	domain user, rather than with system privileges. 
*	The vulnerability could only be exploited by an attacker who 
	could authenticate to an affected SQL Server or has permissions
	to execute queries directly against the server. 
*	The vulnerability could only be exploited by an attacker who 
	could authenticate to an affected SQL Server. 
Flaw in output file handling for scheduled jobs: 
*	The vulnerability could only be exploited by an attacker who
	could authenticate to an affected SQL Server. 

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: None

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-056.asp
   for information on obtaining this patch.

Acknowledgment:
===================
*	Issue regarding ad hoc queries against non-SQL OLEDB data
	sources: 
	sk@scan-associates.net and pokleyzz@scan-associates.net 
*	Unchecked buffer in Database Console Commands: 
	Martin Rakhmanoff (jimmers@yandex.ru)


- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----