[SECURITY-L] CAIS-Alerta: Vulnerabilidade remota no Servidor SQL

Daniela Regina Barbetti daniela em ccuec.unicamp.br
Seg Fev 25 11:24:47 -03 2002 

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Vulnerabilidade remota no Servidor SQL
To: <rnp-alerta em cais.rnp.br>, <rnp-seg em cais.rnp.br>
Date: Fri, 22 Feb 2002 15:10:48 -0300 (EST)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta' repassando o alerta da Microsoft, Microsoft Security Bulletin
MS02-007, relacionado `a capacidade do SQL em realizar conexoes remotas.

A vulnerabilidade identificada permite a um atacante causar uma
interrupcao no SQL Server ou mesmo conseguir que codigo malicioso seja
executado no servidor.

Sistemas Afetados:

	Microsoft SQL Server 7.0
	Microsoft SQL Server 2000

Correcoes disponiveis:

	. SQL Server 7.0:
	http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268

	. SQL Server 2000:
	http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333

Identificador do CVE:

	CAN-2002-0056 (http://cve.mitre.org)

Maiores informacoes:

	http://www.microsoft.com/technet/security/bulletin/MS02-007.asp


O CAIS recomenda fortemente aos administradores de sistemas Windows que
atualizem seus sistemas em virtude da gravidade desta vulnerabilidade.


Atenciosamente,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br     http://www.cais.rnp.br                  #
# Tel. 019-37873300    Fax. 019-37873301                       #
# Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key #
################################################################

- ----------------------------------------------------------------------
Title:      SQL Server Remote Data Source Function Contain
            Unchecked Buffers
Date:       20 February 2002
Software:   Microsoft SQL Server
Impact:     Run code of attacker's choice on server
Max Risk:   Moderate
Bulletin:   MS02-007

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-007.asp.
- ----------------------------------------------------------------------

Issue:
======
One of the features of Structured Query Language (SQL) in
SQL Server 7.0 and 2000 is the ability to connect to remote data
sources. One capability of this feature is the ability to use
"ad hoc" connections to connect to remote data sources without
setting up a linked server for less-often used data-sources. This
is made possible through the use of OLE DB providers, which are
low-level data source providers. This capability is made possible
by invoking the OLE DB provider directly by name in a query to
connect to the remote data source.

An unchecked buffer exists in the handling of OLE DB provider names
in ad hoc connections. A buffer overrun could occur as a result and
could be used to either cause the SQL Server service to fail, or to
cause code to run in the security context of the SQL Server.
SQL Server can be configured to run in various security contexts,
and by default runs as a domain user. The precise privileges the
attacker could gain would depend on the specific security context
that the service runs in.

An attacker could exploit this vulnerability in one of two ways.
They could attempt to load and execute a database query that calls
one of the affected functions. Conversely, if a web-site or other
database front-end were configured to access and process arbitrary
queries, it could be possible for an attacker to provide inputs that
would cause the query to call one of the functions in question
with the appropriate malformed parameters.

Mitigating Factors:
====================
 - The effect of exploiting the vulnerability would depend on the
   specific configuration of the SQL Server service. SQL Server
   can be configured to run in a security context chosen by the
   administrator. By default, this context is as a domain user.
   If the rule of least privilege has been followed, it would
   minimize the amount of damage an attacker could achieve.

 - Both vectors for exploiting the vulnerability could be blocked
   by following best practices. Specifically, untrusted users
   should not be able to load and execute queries of their choice
   on a database server. In addition, publicly accessible database
   queries should filter all inputs prior to processing.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-007.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.


*******************************************************************

You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification   Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To cancel your subscription, click on the following link mailto:1_26065_2BE60FCA-5EED-4C3F-8390-E11E2B14D589_BR em Newsletters.Microsoft.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail.

To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_26065_2BE60FCA-5EED-4C3F-8390-E11E2B14D589_BR em Newsletters.Microsoft.com?subject=STOPMAIL to create an unsubscribe e-mail.  You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm

For security-related information about Microsoft products, please  visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
- ------------ Output from pgp ------------
Good signature made 2002-02-21 00:59 GMT by key:
  2048 bits, Key ID 3103F52B, Created 2000-01-22
   "Microsoft Security Response Center <secure em microsoft.com>"
WARNING: The signing key is not trusted to belong to:
Microsoft Security Response Center <secure em microsoft.com>







-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPHaJ2+kli63F4U8VAQFWzwQAmHlZGSC8h135q4Ld3Oq3Hx/A2cqsE3WK
/uJ3DQlDa1THyVvSlPihL9QkhN5rFhjgqDVyo0sllFYj3rwU8I8LnLwq8plWBj/9
rN9d4Io+QL2zUAN8a6uz2RRinWP3ET7D28M4v6qqJ+1yxm1FEzuQby+fx/xoZdCS
m3YRZ2BC/5k=
=yoSc
-----END PGP SIGNATURE-----



----- End forwarded message -----

Mais detalhes sobre a lista de discussão SECURITY-L