Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Microsoft Security Bulletin MS00-048 - Critical

Patch Available for 'Stored Procedure Permissions' Vulnerability

Published: July 07, 2000

Version: 1.0

Originally Posted: July 7, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0. The vulnerability could allow a malicious user to run a database stored procedure without proper permissions.

Affected Software:

  • Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0

Vulnerability Identifier: CVE-2000-0603

General Information

Technical description:

Execute permission checks on stored procedures may be bypassed when a stored procedure is referenced from a temporary stored procedure. This omission would allow a malicious user to run a stored procedure that, by design, he should not be able to access.

The vulnerability only occurs under a fairly restricted set of conditions:

  • The database must be owned by the system administrator (sa) login account.
  • The affected stored procedure must be owned by the dbo user.
  • The malicious user must be able to authenticate to the SQL Server, and have user access to the referenced database.

Although sa is a built-in administrator login, it should not be used routinely. Instead, system administrators should be made members of the sysadmin fixed server role, and log on using their own logins instead. Use sa only when there is no other way to log in to SQL Server; for example, when other system administrators are unavailable, or have forgotten their passwords.

What's this bulletin about?
Microsoft Security Bulletin MS00-048 announces the availability of a patch that eliminates a vulnerability in Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0. The vulnerability could allow a malicious user to run stored procedures without having proper permissions. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This vulnerability could allow a malicious user to run stored procedure code on a SQL Server or MSDE database that he does not have permissions to run. The code could be used to run various tasks ranging from maintaining database records to adding or deleting users from a database.
The vulnerability could only be exploited under these conditions:

  • The database must be owned by the system administrator (sa) login account.
  • The affected stored procedure must be owned by the dbo user.
  • The malicious user must be able to authenticate to the SQL Server or MSDE database, and have user access to the referenced database.

What causes the vulnerability?
When a temporary stored procedure calls another stored procedure whose database owner is the system administrator account (the "sa" login account), normal permission checks are bypassed. Because any valid SQL Server or MSDE user can create a temporary stored procedure, this vulnerability would enable a malicious user to execute any stored procedure owned by the dbo user.

What is a stored procedure?
A stored procedure (also known as a "stored proc") is a precompiled collection of Transact-SQL (Structured Query Language) statements stored under a name and processed as a unit. Stored procedures are available for managing SQL Server and displaying information about databases and users.

What is a temporary stored procedure?
A temporary stored procedure is one that exists only during a single user session. Temporary stored procedures are located in the temporary database, tempdb (storage area for temporary objects within a database), and are created by prefacing the procedure name (in the CREATE statement) with a number sign ("#").
An example of a simple temporary stored procedure is:

CREATE PROCEDURE #author_sel AS
SELECT *
FROM authors

What's the problem with stored procedures?
In most cases, permission checking occurs as one would expect - before SQL Server will allow a user to execute a stored procedure, it verifies that he has permission to do so. However, in one particular case - when a stored procedure, owned by the dbo user, is executed via a temporary stored procedure - the expected permission checking doesn't occur. This could give a malicious user a way to execute a stored procedure that he otherwise wouldn't be able to.

Who is the dbo user and why is it different from sa login account?
Any member of the sysadmin (administrative role within SQL Server) fixed server role is mapped to a special user inside each database called dbo. Any object created by any member of the sysadmin fixed server role belongs to dbo automatically. The system administrator (sa) login account is a member of the sysadmin fixed server role by default.

How could a malicious user exploit this vulnerability?
Suppose that the dbo user within database ABC, of SQL Server XYZ, has written several stored procedures that let him perform maintenance on the server. Now suppose that Joeuser has an account on the same server and was given access to the ABC database. Joeuser could create a temporary stored procedure that executes one of the dbo's stored procedures in database ABC. By design, Joeuser's temporary stored procedure should not be able to run the administrator's procedure, but the vulnerability would enable it to do so.

Are all databases affected by this vulnerability?
Only databases that are owned by sa login account are affected by this vulnerability. It is imperative that the sa login account be used only for specific SQL Server administrative tasks. A SQL Server administrator should not use the sa account when assigning ownership to a database. If a newly created database is owned by the sa account Microsoft recommends changing the ownership to a different account.
All system databases have built-in stored procedures (system stored procedures) that are prefaced by an "sp_". By default, all system databases are owned by the sa account. Furthermore, all system stored procedures and system databases are also documented. This could potentially allow a malicious user to exploit this vulnerability on those databases.
(More detailed information on this FAQ can be found in the Microsoft SQL Server 7.0 Books online).

What is MSDE?
MSDE is a database engine based on SQL Server technologies that is included in certain versions of Microsoft Office 2000 and Microsoft Visual Studio 6.0, and may be redistributed by third party software suppliers.

How do I tell I have MSDE installed on my computer?
From the command prompt, launch Regedit.exe or Regedt32.exe. If the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer is defined, then you have MSDE or SQL Server installed.

Who should use the patch?
Since system databases are affected by default, Microsoft recommends that anyone running SQL Server 7.0 or MSDE 1.0 consider installing this patch.

What does the patch do?
The patch eliminates the vulnerability by properly checking execute permissions on all stored procedures referenced by any temporary stored procedures.

How do I use the patch?
Knowledge Base article Q266766 contains detailed instructions for applying the patch to your site.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed the patch correctly?
The Knowledge Base article Q266766 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

  • Microsoft has developed a procedure that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft has issued a Knowledge BaseQ266766 article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Download locations for this patch

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

  • Microsoft Knowledge Base (KB) article, Q266766

Other information:

Acknowledgments

Microsoft thanks  Adina Reeve of Sequiturcorp for reporting this issue and working with us to protect customers.

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

July 7, 2000: Bulletin Created.

Built at 2014-04-16T02:39:51Z-07:00

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.