SECURITYVULNS:DOC:3069
Jun 13, 2002 - 12:00 a.m.

Security Bulletin MS02-030: Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)

vulners.com

Title: Unchecked Buffer in SQLXML Could Lead to Code Execution
(Q321911)
Date: 12 June 2002
Software: Microsoft SQLXML
Impact: Two vulnerabilities, the most serious of which could allow
an attacker to run code of their choice.
Max Risk: Moderate
Bulletin: MS02-030

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-030.asp.


Issue:

SQLXML enables the transfer of XML data to and from SQL Server 2000.
Database queries can be returned in the form of XML documents which
can then be stored or transferred easily. Using SQLXML, you can
access SQL Server 2000 using XML through your browser over HTTP.

Two vulnerabilities exist in SQLXML:

  • An unchecked buffer vulnerability in an ISAPI extension that could,
    in the worst case, allow an attacker to run code of their choice
    on the Microsoft Internet Information Services (IIS) Server.

  • A vulnerability in a function specifying an XML tag that could
    allow an attacker to run script on the user's computer with higher
    privilege than intended. For example, a script might be able to run
    in the Intranet Zone instead of the Internet Zone.

Mitigating Factors:

Unchecked buffer in SQLXML ISAPI extension:

  • The administrator must have set up a virtual directory structure
    and naming used by the SQLXML HTTP components on an IIS Server.
    The vulnerability gives no means for an attacker to obtain the
    directory structure.

  • The attacker must know the location of the virtual directory on
    the IIS Server that has been specifically set up for SQLXML.

Script injection via XML tag:

  • For an attack to succeed, the user must have privileges on the
    SQL Server.

  • The attacker must know the address of the SQL Server on which
    the user has privileges.

  • The attacker must lure the user to a website under their control.

  • Queries submitted via HTTP are not enabled by default.

  • Microsoft best practices recommend against allowing ad hoc URL
    queries against the database through a virtual root.

  • The script will run in the user's browser according to the IE
    security zone used to connect with the IIS Server hosting the
    SQLXML components. In most cases, this will be the Intranet Zone.

Risk Rating:

  • Internet systems: Moderate
  • Intranet systems: Moderate
  • Client systems: None

Patch Availability:

Acknowledgment:


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.