Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2003.0056 -- Microsoft Security Bulletin MS02-061 Elevation of Privilege in SQL Server Web Tasks (Q316333) 27 January 2003 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: SQL Server 7.0 SQL Server 2000 Microsoft Data Engine (MSDE) 1.0 Microsoft Desktop Engine (MSDE) 2000 Vendor: Microsoft Operating System: Windows Impact: Increased Privileges Access Required: Remote Ref: AU-2003.002 ESB-2002.582 ESB-2002.539 ESB-2002.442 ESB-2002.364 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- - - ---------------------------------------------------------------------- Title: Elevation of Privilege in SQL Server Web Tasks (Q316333) Released: October 16, 2002 Revised: January 26, 2003 (version 2.0) Software: Microsoft(r) SQL Server(tm) 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000. Impact: Elevation of Privileges Max Risk: Critical Bulletin: MS02-061 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-061.asp - - ---------------------------------------------------------------------- Reason for Revision: ==================== Microsoft Security Bulletin is a cumulative security patch for Microsoft SQL Server. As a cumulative patch it includes a fix for a vulnerability first included in Microsoft Security Bulletin MS02- 039, which has been exploited as part of the "Slammer" worm. Customers who have not installed a recent SQL Server security patch (MS02-039, MS02-043, MS02-056 or MS02-061) are strongly encouraged to install this updated patch, which now includes an installer for ease of use. Microsoft originally released this bulletin and patch on October 16, 2002 to correct a security vulnerability in a SQL Server stored procedure. The patch was and still is effective in eliminating the security vulnerability, and includes the fix for the vulnerability exploited by the "Slammer" worm virus (Note: Slammer affects only SQL Server 2000 and MSDE 2000). However, while the patch was fully effective in eliminating the security vulnerability, in October, 2002, it was found to interfere with SQL Server operations under some circumstances. As a result, on October 30, 20002, an additional non-security patch http://support.microsoft.com/default.aspx?scid=kb;en-us;317748 was required to ensure normal operations of SQL Server. In order to simplify the process by which customers update their systems, Microsoft has now re-released the patch for SQL Server 2000. The patch for SQL Server 2000 was re-released to help customers patch their systems in response to the "Slammer" worm virus. The re-released patch integrates the original security patch released with this bulletin and the hotfix discussed in Microsoft Knowledge Base article 317748 that was released to ensure the correct operation of SQL Server. The re-release has been packaged with a new SQL Server patch installer. The installer eliminates the need for system administrators to copy SQL Server files onto their systems manually. The only changes that Microsoft has made to this patch were to incorporate the hotfix discussed in Microsoft Knowledge Base article 317748 into the re-released patch and to package the patch with an installer. Customers who have not already applied the patch originally released with this bulletin should apply the re-released patch. Customers who have already applied to their SQL 2000 systems both the original security patch and patch 317748 do not need to apply this re-released patch - the original patches are effective in ensuring correct operation of SQL Server and in protecting SQL Server systems (including protection from the Slammer worm). Customers who have applied only the original version of this patch should consider applying the patch discussed in Microsoft Knowledge Base article 317748, subject to the caveat discussed in the FAQ and caveats sections below. Issue: ====== The original version of this bulletin released a cumulative patch that included the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000. The original patch also eliminated one newly discovered vulnerability in a SQL Server stored procedure. SQL Server 7.0 and SQL Server 2000 provide stored procedures which are collections of Transact-SQL statements stored under a name and processed as a group. One stored procedure, an extended stored procedure and weak permissions on a table combine to allow a low privileged user the ability to run, delete, insert or update web tasks. An attacker who is able to authenticate to a SQL server could delete, insert or update all the web tasks created by other users. In addition, the attacker could run already created web tasks in the context of the creator of the web task. This typically runs in the context of the SQL Server Agent service account. Mitigating Factors: ==================== - - -It is necessary to be an authenticated user of the SQL Server. - - -Exploiting this vulnerability could allow the attacker to escalate privileges to the level of the SQL Server service account. By default, the service runs with the privileges of a domain user, rather than with system privileges. - - -Web tasks have to exist in the first place. Risk Rating: ============ Critical Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletins at http://www.microsoft.com/technet/security/bulletin/ms03-003.asp for information on obtaining this patch. Acknowledgment: =============== Microsoft thanks David Litchfield of Next Generation Security Software Ltd. for reporting this issue to us and working with us to protect customers. We would also like to thank Martin Rakhmanoff (jimmers@yandex.ru) for contributing to the investigation. - - ------------------------------------------------------------------- - - -- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. - -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPjOhg40ZSRQxA/UrAQGGhwf/T/t0K/XTIqszqT9I3fKC1J5EWZGR/LUL aR1gNCD+2QZtvufM2pRt5+7WN236kFkDxE4s1HPb6nT/tEQafW+UJSsBFV7ZqNZY OCTGxwpSKd9fHVA0cehxFmw3ERQgweBkrfolreNt4jqIEsLc/qK2IMQTeJ9EjmDA MyBynv7i35lD1SE8bYbS5hdD33F3a1dRvOgttSW3T3JMbSVJvn7dae7cpygB8KEJ iQMIn2JOp+WPGmAE7SuIQ0HekSxOC+6qU0Y0pXlnqanTA1may6N2vYac80f9Lt9Y AtPuJ3JIiTqzY2DCq/w0honCTSZE1D8JoPGc4vUalzIVM4kHGSbfmA== =JFW1 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBPjVAASh9+71yA2DNAQErBQP/bIEuuuu3EgEJCpjNB+IzK9uk0KXJUxCx eHUuhXoHgKMJ80x73N44VoiOBsRnFj97M9Fa9iz0dT7Riw/IMzdVwIqaSWsQCxf1 +erAn/3O2ohSifPMEnF4Kf4ryKJ3IouLU33BhOjiPCD7DFnRgaFdG8WNzmg0nV6A AMVIK7eC6qA= =y2Db -----END PGP SIGNATURE-----