Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0056 -- Microsoft Security Bulletin MS02-061
Elevation of Privilege in SQL Server Web Tasks (Q316333)
27 January 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SQL Server 7.0
SQL Server 2000
Microsoft Data Engine (MSDE) 1.0
Microsoft Desktop Engine (MSDE) 2000
Vendor: Microsoft
Operating System: Windows
Impact: Increased Privileges
Access Required: Remote
Ref: AU-2003.002
ESB-2002.582
ESB-2002.539
ESB-2002.442
ESB-2002.364
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Elevation of Privilege in SQL Server Web Tasks (Q316333)
Released: October 16, 2002
Revised: January 26, 2003 (version 2.0)
Software: Microsoft(r) SQL Server(tm) 7.0, SQL Server 2000,
Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop
Engine (MSDE) 2000.
Impact: Elevation of Privileges
Max Risk: Critical
Bulletin: MS02-061
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp
- - ----------------------------------------------------------------------
Reason for Revision:
====================
Microsoft Security Bulletin is a cumulative security patch for
Microsoft SQL Server. As a cumulative patch it includes a fix for a
vulnerability first included in Microsoft Security Bulletin MS02-
039, which has been exploited as part of the "Slammer" worm.
Customers who have not installed a recent SQL Server security patch
(MS02-039, MS02-043, MS02-056 or MS02-061) are strongly encouraged
to install this updated patch, which now includes an installer for
ease of use.
Microsoft originally released this bulletin and patch on October 16,
2002 to correct a security vulnerability in a SQL Server stored
procedure. The patch was and still is effective in eliminating the
security vulnerability, and includes the fix for the vulnerability
exploited by the "Slammer" worm virus (Note: Slammer affects only
SQL Server 2000 and MSDE 2000). However, while the patch was fully
effective in eliminating the security vulnerability, in October,
2002, it was found to interfere with SQL Server operations under
some circumstances. As a result, on October 30, 20002, an
additional non-security patch
http://support.microsoft.com/default.aspx?scid=kb;en-us;317748 was
required to ensure normal operations of SQL Server.
In order to simplify the process by which customers update their
systems, Microsoft has now re-released the patch for SQL Server
2000. The patch for SQL Server 2000 was re-released to help
customers patch their systems in response to the "Slammer" worm
virus. The re-released patch integrates the original security patch
released with this bulletin and the hotfix discussed in Microsoft
Knowledge Base article 317748 that was released to ensure the
correct operation of SQL Server. The re-release has been packaged
with a new SQL Server patch installer. The installer eliminates
the need for system administrators to copy SQL Server files onto
their systems manually. The only changes that Microsoft has made to
this patch were to incorporate the hotfix discussed in Microsoft
Knowledge Base article 317748 into the re-released patch and to
package the patch with an installer.
Customers who have not already applied the patch originally
released with this bulletin should apply the re-released patch.
Customers who have already applied to their SQL 2000 systems both
the original security patch and patch 317748 do not need to apply
this re-released patch - the original patches are effective in
ensuring correct operation of SQL Server and in protecting SQL
Server systems (including protection from the Slammer worm).
Customers who have applied only the original version of this patch
should consider applying the patch discussed in Microsoft Knowledge
Base article 317748, subject to the caveat discussed in the FAQ and
caveats sections below.
Issue:
======
The original version of this bulletin released a cumulative patch
that included the functionality of all previously released patches
for SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE)
1.0, and Microsoft Desktop Engine (MSDE) 2000. The original patch
also eliminated one newly discovered vulnerability in a SQL Server
stored procedure.
SQL Server 7.0 and SQL Server 2000 provide stored procedures which
are collections of Transact-SQL statements stored under a name and
processed as a group. One stored procedure, an extended stored
procedure and weak permissions on a table combine to allow a low
privileged user the ability to run, delete, insert or update web
tasks.
An attacker who is able to authenticate to a SQL server could
delete, insert or update all the web tasks created by other users.
In addition, the attacker could run already created web tasks in
the context of the creator of the web task. This typically runs in
the context of the SQL Server Agent service account.
Mitigating Factors:
====================
- - -It is necessary to be an authenticated user of the SQL Server.
- - -Exploiting this vulnerability could allow the attacker to escalate
privileges to the level of the SQL Server service account. By
default, the service runs with the privileges of a domain user,
rather than with system privileges.
- - -Web tasks have to exist in the first place.
Risk Rating:
============
Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-003.asp
for information on obtaining this patch.
Acknowledgment:
===============
Microsoft thanks David Litchfield of Next Generation Security
Software Ltd. for reporting this issue to us and working with us to
protect customers. We would also like to thank Martin Rakhmanoff
(jimmers@yandex.ru) for contributing to the investigation.
- - -------------------------------------------------------------------
- - --
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPjOhg40ZSRQxA/UrAQGGhwf/T/t0K/XTIqszqT9I3fKC1J5EWZGR/LUL
aR1gNCD+2QZtvufM2pRt5+7WN236kFkDxE4s1HPb6nT/tEQafW+UJSsBFV7ZqNZY
OCTGxwpSKd9fHVA0cehxFmw3ERQgweBkrfolreNt4jqIEsLc/qK2IMQTeJ9EjmDA
MyBynv7i35lD1SE8bYbS5hdD33F3a1dRvOgttSW3T3JMbSVJvn7dae7cpygB8KEJ
iQMIn2JOp+WPGmAE7SuIQ0HekSxOC+6qU0Y0pXlnqanTA1may6N2vYac80f9Lt9Y
AtPuJ3JIiTqzY2DCq/w0honCTSZE1D8JoPGc4vUalzIVM4kHGSbfmA==
=JFW1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPjVAASh9+71yA2DNAQErBQP/bIEuuuu3EgEJCpjNB+IzK9uk0KXJUxCx
eHUuhXoHgKMJ80x73N44VoiOBsRnFj97M9Fa9iz0dT7Riw/IMzdVwIqaSWsQCxf1
+erAn/3O2ohSifPMEnF4Kf4ryKJ3IouLU33BhOjiPCD7DFnRgaFdG8WNzmg0nV6A
AMVIK7eC6qA=
=y2Db
-----END PGP SIGNATURE-----