Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4891
HistoryJul 24, 2003 - 12:00 a.m.

Microsoft SQL Server local code execution

2003-07-2400:00:00
vulners.com
9
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                         @stake Inc.
                       www.atstake.com 

                      Security Advisory

Advisory Name: Microsoft SQL Server local code execution
Release Date: 07/23/2003
Application: Microsoft SQL Server 7, 2000, MSDE
Platform: Windows NT/2000/XP
Severity: Local code execution / Denial of Service
Author: Andreas Junestam ([email protected])
Vendor Status: Microsoft has patch available
CVE Candidate: CAN-2003-0232
Reference: www.atstake.com/research/advisories/2003/a072303-3.txt

Overview:

Microsoft SQL Server uses LPC (Local Procedure Calls) to
implement some of its inter-processes communication. The
port providing this service can be used by anyone. By sending
a specially crafted message to SQL Server through this port,
an attacker can overwrite certain parts of memory and thus
execute code using the SQL Server's credentials.

Detailed Description:

Microsoft SQL Server uses different ways of communicating with
a client locally, one of them is over a LPC port. This port
can by used by any local user to send information to the SQL
Server service. By sending a specially crafted message to this
port it is possible to overwrite information stored on the
stack. This would allow an attacker to execute code under
SQL Server's credentials thereby escalating privileges. This
would then allow the user to read and write access to the
database files. If the SQL Server is running under the
Administrator or Local System account this would enable
system compromise.

As with most SQL Server issues MSDE is effected. MSDE is
included in many Microsoft and non-Microsoft products. A list
of products that includes MSDE is here:

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13

Vendor Response:

Microsoft was contacted on 02/05/2003

Microsoft has a bulletin and patch available:

http://www.microsoft.com/technet/security/bulletin/MS03-031.asp

Recommendation:

Install the vendor patch. If your SQL Server is running under
the Administrator or Local System account consider running SQL
Server under a less privileged account.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0232

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPx75pUe9kNIfAm4yEQKqjwCgjN94EPfRFvtLd/4CHGjbW6QU/XIAoLKp
teXQzo5cqxIZY2OcMil/n9AC
=iMTE
-----END PGP SIGNATURE-----

Related

cve 1
cert 1
nessus 1
cve
cve
CVE-2003-0232
2003-08-27 04:00:00
cert
cert
Microsoft SQL Server vulnerable to buffer overflow
2003-07-24 00:00:00
nessus
nessus
MS03-031: Cumulative Patch for MS SQL Server (815495)
2003-07-24 00:00:00
JSON
Related for SECURITYVULNS:DOC:4891
cve1cert1nessus1