Security Bulletin

Microsoft Security Bulletin MS01-032 - Critical

SQL Query Method Enables Cached Administrator Connection to be Reused

Published: June 12, 2001 | Updated: June 23, 2003

Version: 1.2

Originally posted: June 12, 2001
Updated: June 23, 2003

Summary

Who should read this bulletin:
System administrators using Microsoft® SQL Server™

Impact of vulnerability:
Privilege elevation

Recommendation:
Administrators running SQL Server in Mixed Mode should apply the patch.

Affected Software:

• Microsoft SQL Server 7.0
• Microsoft SQL Server 2000 Gold

General Information

Technical details

Technical description:

When a client connection to a SQL Server is terminated, it remains cached for a short period of time for performance reasons. One SQL query method contains a flaw that has the effect of making it possible for one user's query to reuse a cached connection that belonged to the sa account.

Exploiting this vulnerability would enable an attacker to execute the query using the administrator's security context. This would give her the ability to take any desired action on the database; moreover, it would give her the ability to run extended stored procedures, thereby giving her the opportunity to run code of her choice and assume de facto control of the server itself.

Mitigating factors:

• The vulnerability only affects servers configured to use Mixed Mode. Microsoft strongly recommends against using Mixed Mode, and recommends using Windows Authentication mode instead. Customers who have configured their servers to use Windows Authentication mode are not affected by this vulnerability.
• Terminated connections are only cached for a short period. The attacker would need to time her attack in order to occur during the period when an administrator's connection was in the cache.
• The query method at issue here can only be executed by an authenticated user. Not only would this limit the number of users who could exploit the vulnerability, it also would allow the action to be audited.

Vulnerability identifier: CAN-2001-0344

Tested Versions:

Microsoft tested SQL Server 7.0 and SQL Server 2000 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.

Frequently asked questions

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. If an attacker successfully exploited the vulnerability, she could gain complete control of an affected database server. This would give her the ability to take any desired action on the server. Exploiting the vulnerability would be a daunting challenge:

• It only affects SQL Servers that are configured in a mode that Microsoft recommends against using.
• It could only be exploited by a user who already had authorization to access the database
• The attacker would need to time her attack to occur immediately after an administrator performed a database operation.

What causes the vulnerability?
The vulnerability results because of an error in one particular SQL query method. When SQL Server is configured to operate in Mixed Mode, an attacker could potentially use this query method to gain access to a cached connection that once belonged to an administrator. If the attacker successfully did this, she would gain administrative control over the database server.

What do you mean by a query method?
Query methods are commands provided by SQL Server for interrogating a database. The vulnerability at issue here is only exposed via one of the hundreds of query methods in SQL Server, and even then only when the server is configured to operated in Mixed Mode.

What is Mixed Mode?
SQL Server supports two modes for authenticating users, Mixed Mode and Windows Authentication Mode. In Mixed Mode, clients are authenticated using Windows credentials if possible; otherwise, the client authenticates via SQL Server Authentication, using username and password information that is stored locally in the SQL Server database. The most common use of Mixed Mode is when SQL Server is hosted on a Windows® 95 or 98 machine. In contrast, Windows Authentication mode requires authentication to be performed using Windows NT® (or Windows 2000) credentials. This is far more secure, and Microsoft strongly recommends that Windows Authentication Mode be used whenever possible. Customers who use Windows Authentication Mode would not be affected by this vulnerability.

You said that the vulnerability could enable an attacker to reuse a cached connection. What is a cached connection?
Before a user can levy requests on a SQL Server database, a connection between the user and the server must be established. When the SQL session is complete, the connection is broken. However, SQL Server retains the connection in a cache for a short period for performance reasons - if the same user creates a new connection, the cached one can be reused rather than creating it anew. This vulnerability could enable an attacker to reuse someone else's cached connection - specifically, one that was created by an administrator.

So, this vulnerability could enable an attacker to recover an administrator's cached credentials, but only if the server were operating in Mixed Mode?
Yes. If the attacker used the particular query method that contains the error, and the server were operating in Mixed Mode, and a connection belonging to an administrator happened to be in the cache at the time of the attack, the attacker could designate that the query be performed using the administrator's cached connection.

What would this enable the attacker to do?
The ability to execute a query method using an administrator's connection would grant administrative privileges to the query. This would enable the attacker to take any desired action on the database, thereby giving her an opportunity to add, create or modify any data in the database. In addition, because queries can be used to execute programs called extended stored procedures, exploiting the vulnerability could also enable the attacker to run code of her choice on the machine. This would give her de facto control of the server.

How difficult would it be to exploit this vulnerability?
It could be quite difficult. As we discussed above, it would require that the server be configured in a particular way and that the attacker have pinpoint timing. Neither of these factors would be under the attacker's control, so it's likely that this vulnerability could only be used against targets of opportunity.

Who could exploit the vulnerability?
The particular query method at issue here can only be used by authenticated users. As a result, the attacker would need authorization to levy queries against the database in order to exploit the vulnerability. This is significant for two reasons: it limits the number of users who could attack a vulnerable machine, and it means that the attacker's actions could be audited.

What does the patch do?
The patch eliminates the vulnerability by restoring proper operation to the affected query method, thereby preventing it from reusing other users' cached connections.

What if I don't want to apply the patch -- is there a workaround?
Yes, however, this workaround should only be used if you cannot upgrade to SQL Server 7.0 SP3 and apply the patch provided -- and if you are not currently using replication or do not use or intend to use ad hoc named queries. Using SQL Server Enterprise Manager:

1. Click on the security tab under the SQL Server instance.
2. Right click on the linked servers to bring up the general properties tab.
3. Select the radio button next to "Other Data Source" and then pick "Microsoft OLE DB Provider for SQL Server" in the Provider Name drop down list.
4. Click the "Provider Options" button
5. Add a check to "disallow Ad Hoc queries" check box.

Patch availability

Download locations for this patch

• Microsoft SQL Server 2000 and SQL Server 7.0:
  https://support.microsoft.com/support/kb/articles/Q299/7/17.asp

Additional information about this patch

Installation platforms:

The patches can be installed on systems running SQL Server 7.0 with Service Pack 3 or SQL Server 2000 Gold.

Inclusion in future service packs:

The fix for SQL Server 2000 will be included in Service Pack 1.

Superseded patches:

None.

Verifying patch installation:

• You can verify if the patch is installed by issuing a "SELECT @@version" (without quotes) from OSQL, SQL Server Query Analyzer, or ISQL. For SQL Server 7.0 the version should be 7.00.996 or greater and for SQL Server 2000 the version should be 8.00.296 or greater.

Caveats:

None

Localization:

None. Both patches will install on all Microsoft SQL Server languages.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

• Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
• Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Support:

• Microsoft Knowledge Base article Q299717 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
• Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• V1.0 (June 12, 2001): Bulletin Created.
• V1.1 (June 13, 2003): Updated download links to Windows Update.
• V1.2 (June 23, 2003): Updated SQL security link in Frequently Asked Questions.

Built at 2014-04-18T13:49:36Z-07:00