Microsoft Security Bulletin MS02-056

Technical description:

This security patch does not contain a patch from Microsoft Knowledge Base Article 317748 that is required to ensure normal operation of SQL Server 2000 and MSDE 2000. If you have applied this security patch to a SQL Server 2000 or MSDE 2000 installation prior to applying the hotfix from Microsoft Knowledge Patch article 317748, you must answer "no" if and when prompted to overwrite files to ensure that you do not overwrite files from the security patch.

This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, and Microsoft Data Engine (MSDE) 1.0, Microsoft Desktop Engine (MSDE) 2000. In addition, it eliminates four newly discovered vulnerabilities.

• A buffer overrun in a section of code in SQL Server 2000 (and MSDE 2000) associated with user authentication. By sending a specially malformed login request to an affected server, an attacker could either cause the server to fail or gain the ability to overwrite memory on the server, thereby potentially running code on the server in the security context of the SQL Server service. It would not be necessary for the user to successfully authenticate to the server or to be able to issue direct commands to it in order to exploit the vulnerability.
• A buffer overrun vulnerability that occurs in one of the Database Console Commands (DBCCs) that ship as part of SQL Server 7.0 and 2000. In the most serious case, exploiting this vulnerability would enable an attacker to run code in the context of the SQL Server service, thereby giving the attacker complete control over all databases on the server.
• A vulnerability associated with scheduled jobs in SQL Server 7.0 and 2000. SQL Server allows unprivileged users to create scheduled jobs that will be executed by the SQL Server Agent. By design, the SQL Server Agent should only perform job steps that are appropriate for the requesting user's privileges. However, when a job step requests that an output file be created, the SQL Server Agent does so using its own privileges rather than the job owners privileges. This creates a situation in which an unprivileged user could submit a job that would create a file containing valid operating system commands in another user's Startup folder, or simply overwrite system files in order to disrupt system operation

The patch also changes the operation of SQL Server, to prevent non-administrative users from running ad hoc queries against non-SQL OLEDB data sources. Although the current operation does not represent a security vulnerability, the new operation makes it more difficult to misuse poorly coded data providers that might be installed on the server.

Mitigating factors:

Unchecked buffer in SQL Server 2000 authentication function:

• This vulnerability on affects SQL Server 2000 and MSDE 2000. Neither SQL Server 7.0 nor MSDE 1.0 are affected.
• If the SQL Server port (port 1433) were blocked at the firewall, the vulnerability could not be exploited from the Internet.
• Exploiting this vulnerability would allow the attacker to escalate privileges to the level of the SQL Server service account. By default, the service runs with the privileges of a domain user, rather than with system privileges.

Unchecked buffer in Database Console Commands:

• Exploiting this vulnerability would allow the attacker to escalate privileges to the level of the SQL Server service account. By default, the service runs with the privileges of a domain user, rather than with system privileges.
• The vulnerability could only be exploited by an attacker who could authenticate to an affected SQL Server or has permissions to execute queries directly to the server
• The vulnerability could only be exploited by an attacker who could authenticate to an affected SQL Server.

Flaw in output file handling for scheduled jobs:

• The vulnerability could only be exploited by an attacker who could authenticate to an affected SQL server.

Severity Rating:

Unchecked buffer in SQL Server 2000 authentication function:

Unchecked buffer in Database Console Commands:

Flaw in output file handling for scheduled jobs:

Aggregate Severity of all issues included in this patch (including issues addressed in previously released patches):

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifiers:

• Unchecked buffer in SQL Server 2000 authentication function: CAN-2002-1123
• Unchecked buffer in Database Console Commands: CAN-2002-1137
• Flaw in output file handling for scheduled jobs: CAN-2002-1138

Tested Versions:

Microsoft tested SQL Server 2000 and SQL Server 7.0 (and their associated versions of MSDE) to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What is the correct order for installing this patch in conjunction with the hotfix discussed in 317748? 
This security patch does not contain a patch from Knowledge Base Article 317748 that is required to ensure normal operation of SQL Server 2000 and MSDE 2000. The correct order of installation is to install the 317748 patch and then this security patch. If you have applied this security patch to a SQL Server 2000 or MSDE 2000 installation prior to applying the hotfix from Knowledge Patch article 317748, you must answer "no" if and when prompted to overwrite files to ensure that you do not overwrite files from the security patch.

How do I check I've got this security patch installed?
You should verify that the version of ssnetlib.dll in the \MSSQL\BINN folder for the instance you applied the patch for is: 2000.80.679.0
If the version of the ssnetlib.dll in the \MSSSQL\BINN folder is less than 2000.80.636.0, then you will need to re-apply the security patch. However Microsoft recommends that you apply the latest security patch as described in MS02-061 since this contains fixes for additional security vulnerabilities in these products.

What vulnerabilities does this patch eliminate? 
This is a cumulative patch that, when applied, address all previously addressed vulnerabilities. In addition, it eliminates three new vulnerabilities:

• A vulnerability that could enable an attacker to gain control over a SQL Server 2000 database.
• A new variant of a vulnerability originally discussed in Microsoft Security Bulletin MS02-038, through which an already authenticated user could gain additional privileges on a SQL Server.
• A vulnerability through which a user could potentially cause a program to run when another user subsequently logged onto the system or overwrite files that the SQL Server Agent service would otherwise have access to.

Is this patch cumulative? 
This patch does supersede all previously released security patches involving the SQL Server 7.0 and SQL Server 2000 database engines. However, applying this patch is not sufficient by itself to fully secure a SQL Server:

• One security fix for SQL Server 2000, discussed in Microsoft Security Bulletin MS02-035, requires remediation via a tool rather than a patch. The tool only needs to be run one time, so customers who have previously run it do not need to take additional action. However, installing this patch does not cause the tool to be run.
• The patch does not include any fixes for security vulnerabilities involving the Microsoft Data Access Components (MDAC) or Online Analytic Processing (OLAP) technologies for SQL Server. The patches for these issues (listed in the Caveats section below) must be applied separately.

The Affected Versions section says that Microsoft Desktop Engine (MSDE) is also affected by these vulnerabilities. What is MSDE? 
Microsoft Desktop Engine (MSDE) is a database engine that's built and based on SQL Server technology, and which ships as part of several Microsoft products, including Microsoft Visual Studio and Microsoft Office Developer Edition. There is a direct connection between versions of MSDE and versions of SQL Server. MSDE 1.0 is based on SQL Server 7.0; MSDE 2000 is based on SQL Server 2000.

Does the patch include any other fixes? 
The patch also fixes an issue that, while not a security vulnerability per se, could nevertheless aid an attacker in taking advantage of a poorly configured system. Specifically, the patch changes the operation of SQL Server to restrict unprivileged users to only performing queries against SQL Server data. In the case where a non-SQL data provider had been installed on the system, and the driver for the provider did not enforce proper security, this change would help prevent unprivileged users from abusing the situation.

Unchecked buffer in SQL Server 2000 authentication function (CAN-2002-1123):

What's the scope of this vulnerability?
This is a buffer overrun vulnerability. By sending a specially malformed login request to an affected server, an attacker could either cause the SQL Server service to fail or gain control over the database. It would not be necessary for the user to successfully authenticate to the server in order to exploit the vulnerability.
This vulnerability only affects SQL Server 2000 and MSDE 2000. Although the vulnerability would provide a way to gain control over the database, it would not, under default conditions, grant the attacker significant privileges at the operating system level.

What causes the vulnerability? 
The vulnerability results because a function in SQL Server 2000 (and MSDE 2.0) that handles authentication requests contains an unchecked buffer. By calling this function with specially chosen parameters, an attacker could cause a buffer overrun condition to occur.

What authentication requests are you referring to? 
Depending on how the server is configured, it may use either of two methods to authenticate users - SQL Server authentication, or Windows Authentication. However, before the actual authentication process takes places, SQL Server exchanges some preliminary information. The vulnerability lies in one of the functions involved in this preliminary exchange.

What's wrong with the authentication function? 
The function suffers from an unchecked buffer. Because of this, it could be possible for an attacker to initiate a preliminary exchange in a way that would overrun the buffer, thereby overwriting memory within the SQL Server service in the process.

What could this vulnerability enable an attacker to do? 
An attacker who was able to successfully exploit this vulnerability could do either of two things. If he or she provided random data, the effect of overwriting the service's memory would be to cause it to fail. In the case, the administrator could restore normal operation by restarting the SQL Server.
On the other hand, by providing carefully chosen data, the attacker could modify the SQL Server service to perform new functions he or she chose. The effect would be to give the attacker full control over the SQL server, and enable him or her to add, delete or modify data; reconfigure SQL Server parameters, or take any other desired action on the database.

Who could exploit the vulnerability? 
Any user who could engage in an authentication attempt with an affect SQL Server - whether the attempt was successful or not - could exploit the vulnerability.

Does that mean that the attacker wouldn't need a valid SQL Server userid and password to exploit the vulnerability?
Correct. Because of where the vulnerability resides within the authentication function, the attacker would not need to be able to log onto the server - he or she would only need to be able to deliver the data packets that signify the start of an authentication attempt.

Could the vulnerability be exploited from the Internet? 
It would depend on whether the attacker could engage in an authentication exchange. To do this, the SQL Server port (port 1433) would need to be open at the firewall. If the port were closed (as it should be unless absolutely necessary), an attacker could not exploit this vulnerability from the Internet.

I'm running SQL Server 7.0. Could I be affected by this vulnerability? 
No. It affects only SQL Server 2000 (and MSDE 2000); it doesn't affect SQL Server 7.0 (or MSDE 1.0). However, SQL Server 7.0 administrators should still install the patch, as other vulnerabilities discussed in this bulletin do affect SQL Server 7.0.

How does the patch address this vulnerability? 
The patch institutes proper buffer checking the authentication function.

Unchecked buffer in Database Console Commands (CAN-2002-1137):

What's the scope of this vulnerability?
This is a new variant of a vulnerability originally reported in Microsoft Security Bulletin MS02-038. Like the original vulnerability, this is a buffer overrun vulnerability, through which it could be possible for an attacker to either cause the SQL Server to fail or gain complete control over the database.

What causes the vulnerability? 
The vulnerability results because one of the Database Console Command (DBCC) utilities provided as part of SQL Server contains unchecked buffers in the section of code that handle user inputs.

What is the Database Console Command (DBCC)?
DBCC's are utility programs provided as part of SQL Server 2000. Their purpose is to provide database administrators with an easy way to perform common housekeeping tasks. For instance, DBCCs are available to defragment databases, repair minor errors, show usage statistics, and so forth. A complete listing of the DBCCs available as part of SQL Server 2000 is included in the SQL Server 2000 online help facility.

How is this vulnerability different from the DBCC vulnerabilities discussed in Security Bulletin MS02-038? 
This vulnerability is identical to the DBCC vulnerabilities discussed in Microsoft Security Bulletin MS02-038 with one exception. Unlike the DBCCs discussed in MS02-038, the one affected by this variant could be executed by any SQL user.

How does the patch address the vulnerability? 
The patch institutes proper buffer handling in the affected DBCC.

Flaw in output file handling for scheduled jobs(CAN-2002-1138):

What's the scope of this vulnerability?
This vulnerability could enable an attacker to do either of two things: create a program that would subsequently be executed when another user logged onto the server, or corrupt system files in an effort to disrupt system operation.
The vulnerability could only be exploited by an attacker who could authenticate to the SQL server. In addition, in the first attack scenario discussed above, the effect of exploiting the vulnerability would depend on the specific privileges of the user who subsequently logged onto the system.

What causes the vulnerability? 
The vulnerability results because, when the SQL Server Agent creates an output file as part of a scheduled job, it does so using its own privileges rather than those of the user who owns the job or a configured proxy account if the job owner is not a system administrator (sysadmin server role member) in SQL Server or if the job owner is a standard SQL server user.

What is the SQL Server Agent? 
The SQL Server Agent is responsible for running scheduled jobs, restarting the database service and other administrative operations.

What's a scheduled job? 
Scheduled jobs provide a way to cause the SQL Server to take a designated action at a particular time. Scheduled jobs are frequently used by administrators to perform regularly scheduled maintenance tasks such as backups.

Who can create scheduled jobs? 
Any user can create a scheduled job, but the SQL Server Agent will only execute a particular job step if the requester has appropriate privileges.

What's wrong with the way the SQL Server Agent processes scheduled jobs? 
By design, all job steps in a scheduled job should be carried out using the privileges of the person who submitted the job or, in some cases, those of a proxy account. However, when a job calls for an output file to be created, the SQL Server Agent does so using its own privileges. Because the SQL Server Agent service account is often configured with Windows administrative privileges, this allows a job to create a file anywhere on the system, regardless of the user's privileges.

What could this vulnerability enable an attacker to do? 
An attacker who successfully exploited the vulnerability could create a file on the system, for either of two purposes:

• Disrupting system operation. By overwriting system files with random data, the attacker could potentially cause the system to fail.
• Causing other users to run program's of the attacker's choice. By creating an output file that contained valid operating system commands, and placing it in the appropriate folder (e.g., another user's Startup folder), the attacker could cause the commands to be execute the next time another user logged onto the system.

How could an attacker exploit this vulnerability? 
An attacker would only need the ability to log onto an affected server to exploit the vulnerability. He or she could then create a scheduled job that creates an output file, submit it, and thereby exploit the vulnerability.

If the attacker overwrote system files, what would be needed in order to resume normal operation? 
It would depend on which files were overwritten. It might only require that the administrator restart the service. However, in the worst case, the administrator might need to restore system files using an emergency repair disk.

If the attacker created a program in another user's Startup folder, what could it do? 
It would depend on the privileges the user had. Anything the user could do, the program also could do.

How does the patch address the vulnerability? 
The patch causes SQL Server Agent to use the job owner's credentials if the connection is a Windows Authenticated user, or the proxy account's credentials if the connection is a SQL Server authenticated user, when determining who has the right to produce an output file from a job step. As a result, users' jobs will still be able to create output files, but only in areas where the user or the proxy account's privileges permit.

Download locations for this patch

• Microsoft SQL Server 7.0:

  http://support.microsoft.com/default.aspx?scid=kb;en-us;327068&sd=tech

• Microsoft SQL Server 2000:

  http://support.microsoft.com/default.aspx?scid=kb;en-us;316333&sd=tech