Security Bulletin MS02-040: Unchecked Buffer in MDAC Function Could Enable SQL Server Compromise (Q326573)

2002-08-03T00:00:00
ID SECURITYVULNS:DOC:3312
Type securityvulns
Reporter Securityvulns
Modified 2002-08-03T00:00:00

Description


Title: Unchecked Buffer in MDAC Function Could Enable SQL Server Compromise (Q326573)
Date: 31 July 2002
Software: Microsoft Data Access Components
Impact: Run code of attacker's choice
Max Risk: Moderate
Bulletin: MS02-040

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-040.asp.


Issue:

The Microsoft Data Access Components (MDAC) provide a number of supporting technologies for accessing and using databases. Included among these functions is the underlying support for the T-SQL OpenRowSet command. A security vulnerability results because the MDAC functions underlying OpenRowSet contain an unchecked buffer.

An attacker who submitted a database query containing a specially malformed parameter within a call to OpenRowSet could overrun the buffer, either for the purpose of causing the SQL Server to fail or causing the SQL Server service to take actions dictated by the attacker.
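For triage, logged or captured T-SQL can be scanned for OpenRowSet calls and their parameters, as in the sketch below. This is an added example, not part of the bulletin and not Microsoft code; the function names, the 256-character threshold and the sample statements are assumptions constructed for illustration.

```python
import re
# Assumption: the bulletin states no buffer size; this is a tunable triage threshold.
MAX_ARG_LEN = 256
# String literal ('' is an escaped quote), the OPENROWSET( keyword, or ( ) ,
TOKEN = re.compile(r"'(?:[^']|'')*'|\bOPENROWSET\s*\(|[(),]", re.IGNORECASE)

def openrowset_calls(sql):
    """Return [(args, closed)] for each OPENROWSET(...) outside string literals."""
    calls, depth, start, args = [], 0, 0, []
    for m in TOKEN.finditer(sql):
        tok = m.group()
        if depth == 0:
            if tok[0] in "oO":            # keyword token opens a call
                depth, start, args = 1, m.end(), []
        elif tok[0] == "'":
            continue                      # commas and parens in a literal are data
        elif tok[-1] == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth == 0:
                calls.append((args + [sql[start:m.start()].strip()], True))
        elif depth == 1:                  # top-level comma ends an argument
            args.append(sql[start:m.start()].strip())
            start = m.end()
    if depth:                             # statement ended inside the call
        calls.append((args + [sql[start:].strip()], False))
    return calls

def audit(statements, limit=MAX_ARG_LEN):
    """Return (statement index, severity, reason) for every OPENROWSET call."""
    findings = []
    for n, sql in enumerate(statements):
        for args, closed in openrowset_calls(sql):
            longest = max(len(a) for a in args)
            if not closed:
                findings.append((n, "high", "unterminated call"))
            elif longest > limit:
                findings.append((n, "high", f"{longest}-char argument"))
            else:
                findings.append((n, "info", "ad hoc OPENROWSET"))
    return findings

SAMPLE = [  # constructed statements, not captured traffic
    "SELECT name FROM sysobjects WHERE name = 'openrowset(x)'",
    "SELECT * FROM OPENROWSET('SQLOLEDB', 'srv';'user';'pw', 'SELECT 1, (2)')",
    "SELECT * FROM OpenRowSet('" + "A" * 600 + "', 'x', 'y')",
    "SELECT * FROM OPENROWSET('MSDASQL', 'DRIVER={SQL Server}",
]
```

Calling `audit(SAMPLE)` skips the first statement, where the keyword appears only inside a string literal, and reports the other three.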

Mitigating Factors:

  • In order to exploit the vulnerability, the attacker would need the ability to load and execute a database query on the server. This is strongly discouraged by best practices, and servers that have been configured to prevent this (e.g., through the use of the DisallowAdhocAccess registry setting, as discussed in the FAQ) would not be at risk from the vulnerability.
  • Under default conditions, the system-level privileges gained through a successful attack would be those of a Domain User.
  • Even though MDAC ships as part of all versions of Windows, the vulnerability can only be exploited on SQL Servers. Customers who are not using SQL Server do not need to take action, despite the fact that MDAC may be installed on their systems.

Risk Rating:

  • Internet systems: Moderate
  • Intranet systems: Moderate
  • Client systems: None

Patch Availability:

  • A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-040.asp for information on obtaining this patch.

Acknowledgment:

  • David Litchfield of Next Generation Security Software Ltd. (http://www.nextgenss.com/)

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.