lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3F1EF9F1.7000903@atstake.com>
Date: Wed, 23 Jul 2003 17:11:13 -0400
From: "@stake Advisories" <advisories@...take.com>
To: bugtraq@...urityfocus.com
Subject: Microsoft SQL Server local code execution


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                             @stake Inc.
                           www.atstake.com 

                          Security Advisory

 
Advisory Name: Microsoft SQL Server local code execution
 Release Date: 07/23/2003
  Application: Microsoft SQL Server 7, 2000, MSDE
     Platform: Windows NT/2000/XP
     Severity: Local code execution / Denial of Service
       Author: Andreas Junestam (andreas@...take.com)
Vendor Status: Microsoft has patch available
CVE Candidate: CAN-2003-0232
    Reference: www.atstake.com/research/advisories/2003/a072303-3.txt


Overview:

Microsoft SQL Server uses LPC (Local Procedure Calls) to
implement some of its inter-processes communication. The
port providing this service can be used by anyone. By sending
a specially crafted message to SQL Server through this port,
an attacker can overwrite certain parts of memory and thus
execute code using the SQL Server's credentials.


Detailed Description:

Microsoft SQL Server uses different ways of communicating with
a client locally, one of them is over a LPC port. This port
can by used by any local user to send information to the SQL
Server service. By sending a specially crafted message to this
port it is possible to overwrite information stored on the
stack. This would allow an attacker to execute code under
SQL Server's credentials thereby escalating privileges. This
would then allow the user to read and write access to the
database files.  If the SQL Server is running under the
Administrator or Local System account this would enable
system compromise.

As with most SQL Server issues MSDE is effected.  MSDE is
included in many Microsoft and non-Microsoft products. A list
of products that includes MSDE is here:

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13


Vendor Response:

Microsoft was contacted on 02/05/2003

Microsoft has a bulletin and patch available:

http://www.microsoft.com/technet/security/bulletin/MS03-031.asp


Recommendation:

Install the vendor patch. If your SQL Server is running under
the Administrator or Local System account consider running SQL
Server under a less privileged account.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0232


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPx75pUe9kNIfAm4yEQKqjwCgjN94EPfRFvtLd/4CHGjbW6QU/XIAoLKp
teXQzo5cqxIZY2OcMil/n9AC
=iMTE
-----END PGP SIGNATURE-----




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ