Microsoft Security Bulletin MS02-020

Technical description:

SQL Server 7.0 and 2000 provide for extended stored procedures, which are external routines written in a programming language such as C. These procedures appear to users as normal stored procedures and are executed in the same way. SQL Server 7.0 and 2000 include a number of extended stored procedures which are used for various helper functions

Several of the Microsoft-provided extended stored procedures have a flaw in common - namely, they fail to perform input validation correctly, and are susceptible to buffer overruns as a result Exploiting the flaw could enable an attacker to either cause the SQL Server service to fail, or to cause code to run in the security context in which SQL Server is running. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in.

An attacker could exploit this vulnerability in one of two ways. Firstly, the attacker could attempt to load and execute a database query that calls one of the affected functions. Secondly, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.

Mitigating factors: 

Severity Rating: 

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. While the vulnerability could potentially allow an attacker to run code on the server, best practices would limit the ability to exploit the vulnerability and the damage that could be achieved by a successful attack.

Vulnerability identifier: CAN-2002-0154 

Tested Versions:

Microsoft tested SQL Server 7.0 and 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability and is found in common in several of the Microsoft-provided extended stored procedures. An attacker who successfully exploited this vulnerability in one of the affected extended stored procedures would gain significant control over the database and possibly the server itself. In a worst case, the attacker could add, change or delete data in the database, as well as potentially being able to reconfigure the operating system, install new software, or reformat the hard drive.
The scope of this vulnerability, however, would be significantly reduced if best practices were followed. Specifically:

What causes the vulnerability?
The vulnerability results because several of the extended stored procedures provided by SQL Server handle user input incorrectly, and don't check the length of the input before using it. This could result in a buffer overrun condition in the affected stored procedures.

What are SQL extended stored procedures?
Extended stored procedures allow you to create your own external routines in a programming language such as C. The extended stored procedures appear to users as normal stored procedures and are executed in the same way. Database queries can pass data to extended stored procedures which can return results and return status.
For instance, among the standard extended stored procedures included with SQL server are ones that provide e-mail functions. For example:

What's wrong with the extended stored procedures?
Some of the extended stored procedures provided by Microsoft fail to properly validate that the information which is passed will fit into the buffer that has been provided. Because of this, an attacker could provide input data that overruns the buffer and overwrites the memory within the SQL Server process itself.

What would this enable an attacker to do?
Depending on the specific data that the attacker chose, one of two effects could result:

If the attacker provided random input data, what would be required in order to restore normal operation?
The administrator would need to restart the SQL Server service.

If the attacker provided carefully selected data and altered the SQL Server software, what could the new software do?
It would depend on how SQL Server had been configured. By default, SQL Server runs in a non-privileged security context (specifically, as a domain user). An attacker who successfully exploited this vulnerability against a server configured in this manner would gain control over the database, but little else.
If, however, the administrator had configured SQL Server to run with higher privileges, a successful attack could possibly gain those additional privileges. Thus, the potential damage of a successful attack is proportionate to the degree to which the principle of least privilege has been followed in the configuration of SQL Server.

How might an attacker exploit this vulnerability?
There are several ways an attacker would try to exploit this vulnerability. The most direct attack vector would be for the attacker to construct a query that calls an affected function and performs a buffer overrun attack. However, to succeed at this, the server would have to be configured to allow an untrusted user to load and execute queries of their choice. Best practices strongly recommends against allowing untrusted users to load and run queries of their construction.

Is there any other way an attacker would try to exploit this vulnerability?
An attacker who couldn't directly load and execute a query might still be able to exploit the vulnerability if he could use a query that was already present on the system.
For example, if the database were part of a web-based search tool and one of the functions in question were called by the web site, an attacker could attempt to construct a query that would exploit this vulnerability. However, constructing a query like this would require the attacker to possess intimate knowledge about the internals of a web site's search function.
If a site had implemented web-based queries without proper checking of inputs, however, it could be possible for an attacker to embed database commands-including a call to the affected function-within the database query parameters. This shows the importance of validating input parameters before passing them to the database server for processing.

What does the patch do?
The patch eliminates the vulnerability by implementing proper checking on the affected extended stored procedures.

Download locations for this patch

Installation platforms:

The SQL Server 7.0 and SQL Server 2000 patch can be installed here: http://technet.microsoft.com/en-us/sqlserver/bb331729.aspx.

Reboot needed:

No. The SQL Server service only needs to be restarted after applying the patch.

Superseded patches:MS02-007 

Verifying patch installation:

SQL Server 7.0:

•	To ensure you have the fix installed properly, verify the individual files by consulting the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article at http://support.microsoft.com/default.aspx?scid=kb;en-us;318268&sd=tech

SQL Server 2000:

•	To ensure you have the fix installed properly, verify the individual files by consulting the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article at http://support.microsoft.com/default.aspx?scid=kb;en-us;316333&sd=tech

Caveats:

None

Localization:

Patches are available for each supported SQL Server Language.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section