Microsoft Security Bulletin MS02-061

Technical description:

Microsoft originally released this bulletin and patch on October 16, 2002 to correct a security vulnerability in a SQL Server stored procedure. The patch was and still is effective in eliminating the security vulnerability, and includes the fix for the vulnerability exploited by the "Slammer" worm virus (Note: Slammer affects only SQL Server 2000 and MSDE 2000). However, while the patch was fully effective in eliminating the security vulnerability, in October, 2002, it was found to interfere with SQL Server operations under some circumstances. As a result, on October 30, 2002, an additional non-security hotfix (317748) was required to ensure normal operations of SQL Server.

In order to simplify the process by which customers update their systems, Microsoft has now re-released the patch for SQL Server 2000. The patch for SQL Server 2000 was re-released to help customers patch their systems in response to the "Slammer" worm virus. The re-released patch integrates the original security patch released with this bulletin and the hotfix discussed in Microsoft Knowledge Base article 317748 that was released to ensure the correct operation of SQL Server. The re-release has been packaged with a new SQL Server patch installer. The installer eliminates the need for system administrators to copy SQL Server files onto their systems manually. The only changes that Microsoft has made to this patch were to incorporate the hotfix discussed in Microsoft Knowledge Base article 317748 into the re-released patch and to package the patch with an installer.

Customers who have not already applied the patch originally released with this bulletin should apply the re-released patch. Customers who have already applied to their SQL 2000 systems both the original security patch and hotfix 317748 do not need to apply this re-released patch - the original patches are effective in ensuring correct operation of SQL Server and in protecting SQL Server systems (including protection from the Slammer worm). Customers who have applied only the original version of this patch should consider applying the hotfix discussed in Microsoft Knowledge Base article 317748, subject to the caveat discussed in the FAQ and caveats sections below.

The original version of this bulletin released a cumulative patch that included the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000. The original patch also eliminated one newly discovered vulnerability in a SQL Server stored procedure.

SQL Server 7.0 and SQL Server 2000 provide stored procedures which are collections of Transact-SQL statements stored under a name and processed as a group. One stored procedure, an extended stored procedure and weak permissions on a table combine to allow a low privileged user the ability to run, delete, insert or update web tasks.

An attacker who is able to authenticate to a SQL server could delete, insert or update all the web tasks created by other users. In addition, the attacker could run already created web tasks in the context of the creator of the web task. This typically runs in the context of the SQL Server Agent service account.

Mitigating factors:

• It is necessary to be an authenticated user of the SQL Server.
• Exploiting this vulnerability could allow the attacker to escalate privileges to the level of the SQL Server service account. By default, the service runs with the privileges of a domain user, rather than with system privileges.
• Web tasks have to exist in the first place.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. This issue received a critical rating because an authenticated user could connect to a SQL Server and insert, delete or update web tasks. When this bulletin was re-released in January 2003, the severity rating was changed to reflect the new Microsoft Security Bulletin Severity Rating System.

Vulnerability identifier: CAN-2002-1145

Tested Versions:

Microsoft tested SQL Server 7.0 and SQL Server 2000 (and their associated versions of MSDE) to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Microsoft has re-released the SQL 2000 patch since it was first released. What are the changes in the re-released patch?
The SQL 2000 patch has been changed in two ways:

1. The patch has been incorporated into a self installing package - the original patch did not use an installer.
2. The re-released patch includes a fix for a problem unrelated to security that could under some circumstances interfere with normal operation of SQL Server This problem is discussed in Microsoft Knowledge Base article Q317748. The fix for this problem has been included in this re-released patch to remove the requirement for administrators to install the hotfix from Knowledge Base Article Q317748 separately.

I have already applied the original SQL 2000 patch. Do I need the re-released patch? 
No - the original patch is fully effective in correcting security vulnerabilities, including the vulnerability exploited by the "Slammer" worm virus. However, you may need to install the hotfix from Knowledge Base article Q317748 that corrects a problem which may affect the normal operation of SQL Server. For information on this issue please review Microsoft Knowledge Base article Q317748.

Are there any issues I should be aware when applying the hotfix described by Microsoft Knowledge Base article Q317748? 
Yes - if you install the hotfix discussed in Microsoft Knowledge Base article Q317748 AFTER you have installed the original patch released with this security bulletin, a dialog box will ask whether you want to overwrite existing files. You must answer "No" to ensure that you do not overwrite files contained in the security patch.

I thought that the SQL Server 2000 patch in Microsoft Security Bulletin MS02-039 corrected the vulnerability being exploited by the "slammer" virus. Why is Microsoft recommending that this patch be applied? 
This patch is the most recent SQL cumulative security patch available for SQL Server 2000 and it contains a number of other critical security fixes as well as the fix for the vulnerability exploited by the "slammer" virus.

How do I tell if I have MSDE or SQL Server 2000 installed on my system? 
Go to "Start" then "Search" and search the local system for the file "sqlservr.exe". If this file is present on your system, then you have MSDE or SQL Server installed. Next right click on this file and select "properties" then "product version". If the product version is between 8.00.0194 and 8.00.0533, you are running SQL Server 2000 or MSDE 2000. In this case, you must install SQL Server SP2 before you install this patch.
If the product version is between 8.00.0534 and 8.00.0636, you are running SQL Server 2000 or MSDE 2000 and need to install the patch discussed by this bulletin. You can also address this issue by installing Service Pack 3a.

Where can I obtain the latest Service Pack for either SQL Server 2000 or MSDE?
You may download the latest and most comprehensive update here: http://technet.microsoft.com/en-us/sqlserver/bb331729.aspx

What do I need to do to make sure that my MSDE installation is updated? 
That depends on what product you are using with MSDE. If you are using MSDE with any of the products listed above except Application Center 2000, you need to ensure you have first installed MSDE 2000 Service Pack 2 since this security patch requires Service Pack 2 to be installed. Once you have installed MSDE 2000 Service Pack 2 you need to install the SQL Server 2000 patch.
If you are running Microsoft Application Center 2000, you need to install a version of MSDE Service Pack 2 which is specifically intended to be used with Application Center. This service pack is available at:
http://download.microsoft.com/download/AppCenter2000/MSDESP2/QFE813058.exe.
Once you have installed the Application Center version of MSDE Service Pack 2, you should install the SQL Server 2000 security patch. More information on the Application Center specific version on MSDE 2000 Service Pack 2 is available in Microsoft Knowledge Base article Q813115.

I've already applied SQL Server 2000 Service Pack 3a or MSDE 2000 Service Pack 3a. Am I still at risk from the Slammer Worm Virus? 
No. All of the changes included in the re-released bulletin are included in SQL Server 2000 Service Pack 3a and MSDE 2000 Service Pack 3a.

Why did you only re-release this patch for SQL Server 2000? 
The release of the "Slammer" worm virus made it especially critical for SQL Server 2000 customers to deploy this patch. The patch was repackaged with the new SQL Server installer in order to assist customers in this process.

Where can I find out more about the "Slammer" worm? 
More information about the "Slammer" worm is available at: http://www.microsoft.com/technet/security/alerts/slammer.mspx

What's the scope of the new vulnerability that this cumulative patch addresses? 
This is an elevation of privilege vulnerability that occurs in a Microsoft-provided stored procedure, one extended stored procedure and weak permissions on a table. It is possible for an attacker to execute a SQL Server stored procedure that would run web tasks. Since anyone who could authenticate to the SQL Server could run this stored procedure, it is possible for an attacker to run previously stored web tasks in the context of the person who created them, thereby potentially elevating his or her privileges. Normally, only SQL Server administrators or database operators should be able to run stored procedures.
An attacker would first have to be able to authenticate to the SQL Server, and even then the attacker could not create new web tasks. Also, the database to which the attacker is authenticating must support the use of web tasks.

What is a stored procedure? 
A stored procedure is a precompiled collection of Transact-SQL statements stored under a name and processed as a group. SQL Server supplies stored procedures for managing SQL Server and displaying information about databases and users. SQL Server-supplied stored procedures are called system stored procedures.
When a developer creates an application with SQL Server, the Transact-SQL programming language is the primary programming interface between the developer's applications and the SQL Server database. There are two methods available for storing and executing the programs when using the Transact-SQL programs. You can store the programs locally and create applications that send the commands to SQL Server and process the results, or a developer can store the programs as stored procedures in SQL Server and create applications that execute the stored procedures and process the results.
Stored procedures in SQL Server are similar to procedures in other programming languages in that they can:

• Accept input parameters and return multiple values in the form of output parameters to the calling procedure or batch.
• Contain programming statements that perform operations in the database, including calling other procedures.
• Return a status value to a calling procedure or batch to indicate success or failure (and the reason for failure).

What are SQL Server extended stored procedures? 
Extended stored procedures provide the ability for database designers and administrators to create your their own customized external routines in a programming language such as C or C#. For all intents and purposes, extended stored procedures appear to users as normal stored procedures and are executed in the same way. Database queries can pass data to extended stored procedures which can return results and return status. For instance, among the standard extended stored procedures included with SQL Server are ones that provide e-mail functions. For example:

• xp_startmail, which starts a SQL Mail client session, and
• xp_sendmail, which sends an e-mail or page.

What is a web task? 
Web tasks create a task that produces an HTML document containing data returned by executed queries. In other words, a web developer might create an asp page which needs data from a SQL Server. The asp page would send a web request to the SQL Server to create an http file containing queried data that the asp page can later pick up.

What do web tasks and stored procedures have to do with one another? 
The ability to create web tasks is a system stored procedure.

What causes the vulnerability? 
There is a flaw in the stored procedure to run web tasks where it is possible for a low privileged user to run that stored procedure. In addition, there are weak permissions on the web tasks table that together with the stored procedure could allow an attacker to run, delete or update a web task.

What's wrong with the stored procedure to run web tasks? 
There is a flaw in the way SQL Server handles permissions.

What could this vulnerability enable an attacker to do? 
An attacker could seek to exploit this vulnerability by logging in to a SQL Server and then run the stored procedure for web tasks. An attacker might first query for web tasks and then use the stored procedure to run them. It is also possible for the attacker to delete, update or insert new web tasks in order to escalate privileges.

How could an attacker exploit this vulnerability? 
An attacker could seek to exploit this vulnerability by logging in to a SQL server and then run the stored procedure. Attacker may query for web tasks first then use the stored procedure to run them. Or delete or update the web tasks or insert new ones in order to potentially escalate privileges.

What does the patch do? 
The patch eliminates the vulnerability by putting proper permissions on the stored procedure for running web tasks. The patch also locks down permissions on the table that stores information about web tasks.

I'm not sure whether my SQL Server 2000 system has had the original patch or the new patch installed. How do I check to be sure that my system is protected? 
There are two things to check:

1. If you have installed a version of this patch that protects your SQL 2000 system from security vulnerabilities the product version number of the file ssnetlog.dll should be 8.00.679
2. If you have also applied the hotfix that corrects the issue described in Microsoft Knowledge Base article Q317748 - either by applying the re-released patch or by installing the original patch in combination with the hotfix from Knowledge Base article Q317748 - the product version numbers of ssmslpcn.dll and dbmslpcn.dll should be 8.00.568

Download locations for this patch

Since this bulletin was originally published, Microsoft has made available an re-released patch for SQL 2000 that is packaged with an installer. Details are discussed above in the FAQ.

The re-released SQL 2000 patch is available at the following location:

• http://support.microsoft.com/default.aspx?scid=kb;en-us;316333&sd=tech

The original patches are available at:

• Microsoft SQL Server 7.0:

  http://support.microsoft.com/default.aspx?scid=kb;en-us;327068&sd=tech

• Microsoft SQL Server 2000:

  http://support.microsoft.com/default.aspx?scid=kb;en-us;316333&sd=tech