Microsoft SQL Server: Cumulative Patch Released
July 24, 2003
To determine if you should apply this patch, download AppDetective™
for Microsoft SQL Server from http://www.appsecinc.com/products/appdetective/mssql/
Risk Level: Medium
Versions Affected: All Versions of Microsoft SQL Server and MSDE
Summary:
A cumulative patch has been released that addresses three security
vulnerabilities in Microsoft SQL Server. For additional details:
http://www.microsoft.com/technet/security/bulletin/MS03-031.asp
http://www.atstake.com/research/advisories/2003/a072303-3.txt
http://www.atstake.com/research/advisories/2003/a072303-2.txt
Named Pipe Hijacking:
One of the communication mechanisms supported by Microsoft SQL Server is
Named Pipes. An error in the authentication mechanism of SQL Server's
named pipe allows an attacker who is a local user to hijack or steal a
named pipe from another user. This can be used by an attacker to gain
full control of the database.
The attacker would need to be an authenticated user on the local
operating system to exploit this hole.
Named Pipe DoS:
A malicious packet sent to the named pipe on which SQL Server listens
can cause the named pipe to stop functioning, resulting in a denial of
service.
The vulnerability occurs because of an error in the method SQL Server
uses to handle the return code from a specific named pipes operation.
When a large amount of data is received, an error is generated and the
service stops responding.
Buffer overflow in LPC:
Another of the communication mechanisms supported by Microsoft SQL
Server is Local Procedure Calls. Local Procedure Call (LPC) is a
message-passing service that provides a method of communicating between
threads and processes on a server.
A malicious message sent to SQL Server through the LPC mechanism can
corrupt server memory, resulting in the execution of malicious code. The
vulnerability is caused by an error in the way SQL Server validates
requests to the LPC port on which it listens.
To exploit this vulnerability, an attacker would need valid credentials
to interactively log on to the system and would need to have access to
the local operating system.
Fix:
For SQL Server 7.0, you must install:
- Service Pack 4 with hot fix 7.00.1094
The hot fix for SQL Server 7.0 can be downloaded from
http://microsoft.com/downloads/details.aspx?FamilyId=FE5B0892-A5C9-44C2-9B42-0D291E9C1636&displaylang=en
For SQL Server 2000, you must install:
- Service Pack 3 (8.00.760) with hot fix 8.00.818
The hot fix for the 32-bit version of SQL Server 2000 can be downloaded from
http://microsoft.com/downloads/details.aspx?FamilyId=9814AE9D-BD44-40C5-ADD3-B8C99618E68D&displaylang=en
The hot fix for the 64-bit version of SQL Server 7.0 can be downloaded from
http://microsoft.com/downloads/details.aspx?FamilyId=72336508-057A-4E86-8F2E-CB1BD3A6A44B&displaylang=en
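To triage an inventory against the builds listed in the Fix section, the following added example (not part of the original advisory) classifies a reported build string or SELECT @@VERSION banner. It assumes that a later build of the same major version includes the hot fix; the host names and banners in the sample inventory are constructed.

```python
import re

# Minimum patched build per major version, from the Fix section above:
# SQL Server 7.0 -> 7.00.1094, SQL Server 2000 -> 8.00.818.
PATCHED_BUILD = {7: (7, 0, 1094), 8: (8, 0, 818)}

# Three-part build number as it appears in an @@VERSION banner, e.g. 8.00.760.
_BUILD_RE = re.compile(r"\b(\d{1,2})\.(\d{1,2})\.(\d{1,5})\b")


def parse_build(text):
    """Return (major, minor, build) from a bare build string or a banner."""
    match = _BUILD_RE.search(text)
    if match is None:
        raise ValueError("no build number found in %r" % text)
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Classify one instance: patched, needs-patch, not-covered or unknown."""
    try:
        build = parse_build(text)
    except ValueError:
        return "unknown"          # unparseable input: check the host by hand
    required = PATCHED_BUILD.get(build[0])
    if required is None:
        return "not-covered"      # major version not listed in this advisory
    # Assumption: builds are cumulative within a major version.
    return "patched" if build >= required else "needs-patch"


def triage(inventory):
    """Map each host name to its status."""
    return {host: assess(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "db-legacy": "Microsoft SQL Server  7.00 - 7.00.1063 (Intel X86)",
    "db-finance": "Microsoft SQL Server  2000 - 8.00.760 (Intel X86)",
    "db-web": "Microsoft SQL Server  2000 - 8.00.818 (Intel X86)",
    "db-msde": "connection refused",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (host, status))
```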