SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Database)  >   Microsoft SQL Server Vendors:   Microsoft
(CIAC Issues Bulletin L-095) Re: Microsoft SQL Server May Let Remote Authenticated Users Take Full Control of the Database Server and the Underlying Operating System
SecurityTracker Alert ID:  1001755
SecurityTracker URL:  http://securitytracker.com/id/1001755
CVE Reference:   CAN-2001-0344   (Links to External Site)
Date:  Jun 15 2001
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Microsoft SQL Server 7.0, Microsoft SQL Server 2000 Gold
Description:   Microsoft has reported a vulnerability in SQL Server that may allow an authenticated remote user to obtain elevated privileges and take full control of the database server and the underlying operating system.

It is reported that when a connection to a SQL Server is terminated, the connection remains cached for a short period of time (for performance reasons). There is apparently a SQL query method that contains a vulnerability that allows one user's query to re-use a previously terminated connection belonging to the system administrator account that still resides in the cache.

This vulnerability could allow a remote user to execute the query using the administrator's security context, giving the remote user the ability to take any action on the database. By running extended stored procedures, the remote user could execute arbitrary code on the server and obtain administrator-level privileges on the server (operating system).

The vulnerability reportedly can only be triggered if configured to use Mixed
Mode, which the vendor strongly recommends against, and if the user is authenticated.
Impact:   A remote authenticated user could gain system administrator privileges on both the database server and the underlying server (operating system).
Solution:   The vendor has released a patch. See the Vendor URL for patch information.
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-032.asp (Links to External Site)
Cause:   Access control error, State error
Underlying OS:   Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 13 2001 Microsoft SQL Server May Let Remote Authenticated Users Take Full Control of the Database Server and the Underlying Operating System


 Source Message Contents
Date:  Thu, 14 Jun 2001 11:02:58 -0700 (PDT)
Subject:  CIAC Bulletin L-095 Microsoft SQL Query Method Vulnerability


[ For Public Release ]

-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    Microsoft SQL Query Method Vulnerability

June 13, 2001 18:00 GMT                                           Number L-095
______________________________________________________________________________
PROBLEM:       A problem exists in the client connection termination to the 
               SQL server. Access to the cached administrators 'sa' session is 
               possible. 
PLATFORM:      Microsoft SQL Server 2000 and SQL Server 7.0 NOTE: The server 
               is only vulnerable if it is configured to use 'mixed mode'. 
               Microsoft recommends against using this mode. 
DAMAGE:        Any user reactivating the cached 'sa' session would gain full 
               system privileges. This would give the user the capability of 
               running code of their choice and have full control of the 
               server. 
SOLUTION:      Apply the patch provided by Microsoft. 
______________________________________________________________________________
VULNERABILITY  The risk is LOW, as there are several mitigating factors, 
ASSESSMENT:    including one of timing the access to the system. 
______________________________________________________________________________

[******  Begin Microsoft Bulletin ******]

http://www.ciac.org/ciac/bulletins/l-095.shtml

[******  End Microsoft Bulletin ******]

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBOyj75bnzJzdsy3QZAQG1nwQA+bSB/PVWOyKlqTI6Ce0Eu4Bl8BcgFrWl
DAQVAonS3NYO+LBoirO3Aa6fMt+MlhUGjYHOx1+T3kIsrP2lcI7kbsqQC5E7pzF5
/dE3WWN3PTTXtDyICEZ4VzMbmreja29LV0ceg8VYEhohb54ulhTQ3gBseTPIbaZ4
a9lAdVhQThg=
=fznx
-----END PGP SIGNATURE-----

-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
This message was posted through the FIRST mailing list server.  If you
wish to unsubscribe from this mailing list, send the message body of
"unsubscribe first-info" to first-majordomo@FIRST.ORG
-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC