Microsoft Security Bulletin MS02-043

Technical description:

This security patch does not contain a patch from Microsoft Knowledge Base Article 317748 that is required to ensure normal operation of SQL Server 2000 and MSDE 2000. If you have applied this security patch to a SQL Server 2000 or MSDE 2000 installation prior to applying the hotfix from Microsoft Knowledge Patch article 317748, you must answer "no" if and when prompted to overwrite files to ensure that you do not overwrite files from the security patch.

This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0 and SQL Server 2000. In addition, it eliminates a newly discovered vulnerability.

SQL Server 7.0 and SQL Server 2000 provide for extended stored procedures, which are external routines written in programming languages such as C or C#. These procedures appear as normal stored procedures to users and can be invoked and executed just like normal stored procedures. By default, SQL Server 7.0 and SQL Server 2000 ship with a number of extended stored procedures which are used for various helper functions.

Some of the Microsoft-provided extended stored procedures that have the ability to reconnect to the database as the SQL Server service account have a flaw in common - namely, they have weak permissions that can allow non-privileged users to execute them. Because these extended stored procedures can be made to run with administrator privileges on the database, it is thus possible for a non-privileged user to run stored procedures on the database with administrator privileges.

An attacker could exploit this vulnerability in one of two ways. The attacker could attempt to load and execute a database query that calls one of the affected extended store procedures. Alternately, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.

Mitigating factors: 

Severity Rating: 

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. While the vulnerability can be used to run stored procedures as administrator, following best practices and limiting the ability to submit queries greatly mitigates the exposure to this vulnerability.

Vulnerability identifier: CAN-2002-0721 

Tested Versions:

Microsoft tested SQL Server 7.0 and SQL Server 2000 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability. While the vulnerability could potentially enable an attacker While the vulnerability could potentially allow an attacker to run code on the server, best practices should limit the ability to exploit the vulnerability and the damage that could be achieved by a successful attack.

What is the correct order for installing this patch in conjunction with the hotfix discussed in 317748? 
This security patch does not contain a patch from Knowledge Base Article 317748 that is required to ensure normal operation of SQL Server 2000 and MSDE 2000. The correct order of installation is to install the 317748 patch and then this security patch. If you have applied this security patch to a SQL Server 2000 or MSDE 2000 installation prior to applying the hotfix from Knowledge Patch article 317748, you must answer "no" if and when prompted to overwrite files to ensure that you do not overwrite files from the security patch.

How do I check I've got this security patch installed?
You should verify that the version of ssnetlib.dll in the \MSSQL\BINN folder for the instance you applied the patch for is: 2000.80.636.0
If the version of the ssnetlib.dll in the \MSSSQL\BINN folder is less than 2000.80.636.0, then you will need to re-apply the security patch. However Microsoft recommends that you apply the latest security patch as described in MS02-061 since this contains fixes for additional security vulnerabilities in these products.

What vulnerabilities does this patch eliminate? 
This is a privilege elevation vulnerability. It occurs in some of the Microsoft-provided extended stored procedures. An attacker who successfully exploited this vulnerability in one of the affected extended stored procedures would gain significant control over the database and possibly the server itself. In a worst case, the attacker could add, change or delete data in the database, as well as potentially being able to reconfigure the operating system, install new software, or reformat the hard drive. The scope of this vulnerability, however, would be significantly reduced if best practices were followed. Specifically:

What causes the vulnerability?
The vulnerability results because of weak permissions on some extended stored procedures that have the ability to reconnect to the database using the SQL Server.

What are SQL Server extended stored procedures?
Extended stored procedures provide the ability for database designers and administrators to create your their own customized external routines in a programming language such as C or C#. For all intents and purposes, extended stored procedures appear to users as normal stored procedures and are executed in the same way. Database queries can pass data to extended stored procedures which can return results and return status.
For instance, among the standard extended stored procedures included with SQL Server are ones that provide e-mail functions. For example:

What do you mean when you say that these extended stored procedures can reconnect to the SQL Server as the Service Account?
Typically (with a few exceptions), extended stored procedures run in the security context of the service account SQL server runs as. For example, if a user with limited privileges were to run an extended stored procedure, it would run with the same permissions as the service account.
Some of these extended stored procs can be made to connect back to SQL server by passing in a carefully crafted input as a parameter to the stored procs.
At that point, any actions that the extended stored procedure take against the database is in the context of the SQL Server Service Account, which might have high privileges on the database.

What's wrong with the extended stored procedures?
Some of the extended stored procedures provided by Microsoft have inappropriately weak permissions on them. As a result, it's possible for a non-privileged user to load and execute these extended stored procedures.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to gain administrative control over SQL Server. As a result of this, the attacker could take any action on the database that an administrator could take. In addition depending on the configuration of the database server it could be possible for the attacker to take actions on the operating system that the SQL Server were capable of taking.

How could an attacker exploit this vulnerability?
There are several ways an attacker would try to exploit this vulnerability. The most direct attack vector would be for the attacker to construct a query that calls the affected extended stored procedures. However, to succeed at this, the server would have to be configured to allow an untrusted user to load and execute queries of their choice. Best practices strongly recommends against allowing untrusted users to load and run queries of their construction.

Is there any other way an attacker would try to exploit this vulnerability?
An attacker who couldn't directly load and execute a query might still be able to exploit the vulnerability if he could use a query that was already present on the system.
For example, if the database were part of a web-based search tool and one of the procedures in question were called by the web site, an attacker could attempt to construct a query that would exploit this vulnerability. However, constructing a query like this would require the attacker to possess intimate knowledge about the internals of a web site's search function.
If a site had implemented web-based queries without proper checking of inputs, however, it could be possible for an attacker to embed database commands-including a call to the affected function-within the database query parameters. This shows the importance of validating input parameters before passing them to the database server for processing.

What does the patch do?
The patch addresses the vulnerability by setting permissions on the extended stored procedures in questions such that only administrators can invoke them.

Download locations for this patch

Installation platforms:

•	The SQL Server 7.0 patch can be installed on systems running SQL Server 7.0 Service Pack 4.
•	The SQL Server 2000 patch can be installed on systems running SQL Server 2000 Service Pack 2.

Inclusion in future service packs: The fix for this issue will be included in SQL Server 2000 Service Pack 3.

Reboot needed: No. The SQL Server service only needs to be restarted after applying the patch.

Patch can be uninstalled: Yes. The readme.txt describing the installation instructions also contains instructions on removing the patch.

Superseded patches: 

SQL Server 7.0 and MSDE 1.0: 

•	This patch supersedes the one provided in Microsoft Security Bulletin MS02-020, which was itself a cumulative patch.

SQL Server 2000 and MSDE 2000: 

•	This patch supersedes the one provided in Microsoft Security Bulletin MS02-038, which was itself a cumulative patch, as well as MS02-039.

Verifying patch installation: 

SQL Server 7.0: 

•	To ensure you have the fix installed properly, verify the individual files by consulting the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article at http://support.microsoft.com/support/misc/kblookup.asp?id=Q327068

SQL Server 2000: 

•	To ensure you have the fix installed properly, verify the individual files by consulting the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article at http://support.microsoft.com/default.aspx?scid=kb;en-us;316333&sd=tech

Caveats:

•	This patch does not include the functionality of the Killpwd tool provided in Microsoft Security Bulletin MS02-035.
•	The patch does not supersede any previously released patches for MDAC or OLAP under SQL Server 2000. At this writing, these patches include the ones discussed in: • Microsoft Security Bulletin MS00-092  • Microsoft Security Bulletin MS01-041  • Microsoft Security Bulletin MS02-030
•	The process for installing the patch varies somewhat depending on the specific configuration of the server. System administrators should ensure that they read the Readme.txt file in the patch package to ensure the patch is installed correctly.

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section